Hi! Alessandro, you where quicker! ☺ If I understand correct, the actual credentials isn’t stored to the project. Just the auth config ID. If the user doesn’t have this in his local authentication database, or has it with other credentials(read) the project will not open with admin credentials.
Karl-Magnus Jönsson Från: Qgis-user <qgis-user-boun...@lists.osgeo.org> För Cliff Patterson Skickat: den 1 juni 2020 15:36 Till: Alessandro Pasotti <apaso...@gmail.com> Kopia: qgis-user <qgis-user@lists.osgeo.org> Ämne: Re: [Qgis-user] Save projects to DB without creator's permissions That's exactly the problem with the auth system. If you connect to a DB using the auth system and store a map in the DB (or anywhere for that matter), the map contains your credentials/permissions for EVERY layer that you added. So if you create a map while logged in as DB owner (i.e. full perms for every layer), any user who opens it will have full permissions on every layer in the map. The only workaround for this is to remember to use basic auth and uncheck "store" beside password whenever creating a shared project. Any other less vulnerable workarounds would be very helpful, though I doubt any exist. Cliff On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apaso...@gmail.com<mailto:apaso...@gmail.com>> wrote: Maybe all that you need is in the QHIS auth system is https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id The master password can be stored in the operating system wallet so that the user will not need to type his password. Regards On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatter...@psdrcs.com<mailto:cpatter...@psdrcs.com>> wrote: PS: I realize I can create maps with basic auth and not store the PW, which prompts the user to enter their creds. But is there a better way now to achieve the same result? Cliff On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatter...@psdrcs.com<mailto:cpatter...@psdrcs.com>> wrote: What is the best approach to save QGIS projects to PostgreSQL without saving the project-creator's credentials/permissions? If the DB admin creates a project and saves it to the DB, anyone opening that project will attain the admin's permissions on layers in that map. To recreate: 1) Create a map containing PostGIS layers and save project to DB. All layers should be editable by the admin. Admin is logged into DB with auth config, not basic auth. 2) Create a new read-only user and new profile in QGIS and log in to DB. 3) Open the project and try to edit layers. Read-only user will be able to see and edit all layers just like the DB Admin. Is there a way to save projects to DB WITHOUT saving any user creds/permissions? Cliff -- Cliff Patterson Ph.D. PSD | Senior GIS Consultant P: 519-690-2565 ext. 2616 www.psdrcs.com<http://www.psdrcs.com> London | 148 Fullarton St. 9th Floor [http://psdrcs.com/assets/email_signature.png] -- Cliff Patterson Ph.D. PSD | Senior GIS Consultant P: 519-690-2565 ext. 2616 www.psdrcs.com<http://www.psdrcs.com> London | 148 Fullarton St. 9th Floor [http://psdrcs.com/assets/email_signature.png] _______________________________________________ Qgis-user mailing list Qgis-user@lists.osgeo.org<mailto:Qgis-user@lists.osgeo.org> List info: https://lists.osgeo.org/mailman/listinfo/qgis-user Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user -- Cliff Patterson Ph.D. PSD | Senior GIS Consultant P: 519-690-2565 ext. 2616 www.psdrcs.com<http://www.psdrcs.com> London | 148 Fullarton St. 9th Floor [http://psdrcs.com/assets/email_signature.png]
_______________________________________________ Qgis-user mailing list Qgis-user@lists.osgeo.org List info: https://lists.osgeo.org/mailman/listinfo/qgis-user Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
