search

3liz / lizmap-web-client

Transfer a QGIS project on a server, Lizmap is providing the web interface to browse it
https://www.lizmap.com
Mozilla Public License 2.0
259 stars 143 forks source link

"group visibility" property not taken into account by the WMS service #2575

Open gioman opened 3 years ago

gioman commented 3 years ago

What is the bug?

I reported this possible bug here

https://lists.osgeo.org/pipermail/lizmap/2021-November/000383.html

as I got not feedback I assume it can be a real bug.

Steps to reproduce the issue

Create a QGIS project with two groups of layers.

In Lizmap Plugin set the "group visibility" for this two layers groups to two different LMWC users groups.

Login into LMWC with a user belonging to one of the users groups, as expected the layers group for which the users group has no visibility set it will not be visibile > OK

Now use QGIS as WMS client, and set up a connection using the URL given by LMWC and using the credential of a user belonging to one of the users groups involved in the test > all layers will be visible/downloadable, even the ones for which the users is supposed to have no access.

Lizmap version

3.4.3

QGIS desktop version

3.16.12

QGIS server version

3.16.12

Operating system

Ubuntu 20.04

Browsers

Firefox

Browsers version

Firefox 93.0

Relevant log output

No response

gioman commented 2 years ago

Can I assume that this is a bug rather than a missing functionality?

Gustry commented 2 years ago

This is strange because the URL is the same, the web client OpenLayers is using the same URL as the one in QGIS.

You mean in QGIS the layer is visible in the GetCapabilities, but does the layer have features inside or not ?

gioman commented 2 years ago

You mean in QGIS the layer is visible in the GetCapabilities, but does the layer have features inside or not ?

@Gustry

Say you have (lizmap users) group A and B. This user groups have access to the WMS URL generated by LMWC.

Say that in your QGIS project you have (layers) groups C and D.

In LM Plugin set "group visibility" for C to A, and for D to B.

In LMWC a user belonging to A will see C but not D, a user belonging to B will see D but not C. So far so good.

Now a user belonging to A uses the LMWC generated WMS URL in a WMS client (i.e. QGIS): it adds the service WMS URL and his/her credential, and after establishing the connection it will see listed C but also D, and within D can see the layers in it and can request/pull them down --> not expected.

Gustry commented 2 years ago

I understood your situation @gioman. I was asking if the layer was empty or not. Maybe the "layer name" is visible in the GetCapabilities (it seems so), but maybe, when the layer is loaded, there is maybe no features inside. (which is doesn't seem so according to your description).

Lizmap is doing some filtering at the feature level. So for a given user, the user might see a layer, but when the layer is loaded, there isn't any feature inside. This is the case for the new filtering by polygon for instance : https://github.com/3liz/lizmap-web-client/pull/2348 I'm not sure for this "group visibility" if it's the behavior.

gioman commented 2 years ago

there is maybe no features inside. (which is doesn't seem so according to your description).

@Gustry exactly, the layers (that should not be available) are fully loaded, features and attributes.

I'm not sure for this "group visibility" if it's the behavior.

It seems is not the case.