Open r9zzai opened 2 weeks ago
Sorry, can you clarify what you mean by "group"?
By group I mean a Lizmap group assignable in the admin panel. In the Lizmap web GIS only the currently logged-in user is available in JS. With the tables in lizmap_web_client the groups assigned to the user can be evaluated. As Lizmap maps are managed by groups instead of users (e.g. to allow editing), it would be simpler to integrate groups than I thought.
The intention is to make custom PHP a bit safer by checking which (user/)group makes the request. In PHP the check consists of having a hashed key (main hash key + group), unhashing the key, splitting the unhashed value to get the group, and checking whether that group is assigned to the project with the repo ID from the URL.
It is great that Lizmap offers custom JS. But with JS alone we cannot make custom PHP with a secure backend, because everything in JS is published. To make the hash-key method safer, the hash key should be combined with the current date, so that an obtained hash key is only valid for one day.
To clarify why I asked the question: this is special because my server is divided into Docker containers. Lizmap and the custom PHP are in different containers, so I cannot access $_SESSION in PHP to verify that the current user matches the user sent from JS to PHP. So the question is more in the direction of an API with a token. But I think there are no other use cases than my special one.
To realize what I want, I found the following PHP to modify. Here just another assign can be made, like "bcrypt(custom key . actual date . user)", e.g. "userhash".
Then another ID like "userhash" can be set here to get the userhash value in JS.
The obtained "userhash" value can be verified in custom PHP by using the same "custom key . actual date . sent JS "user"" (the user is already accessible in JS via the above tpl). So there is increased security on requests made from the Lizmap web GIS to allowed internal/external websites.
Add a text input to the admin panel for the main hash key. Then in the Lizmap web GIS there should be a hash available in JS like "hashkey+group". Use an easy hash function, maybe the same one as in Jelix that hashes Lizmap user passwords. That should make custom JS/PHP group-wise safe, e.g. when you have a custom JS in media/default.
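The per-day user/group token sketched in this thread, written out as an added example; this is not Lizmap or Jelix code and not the poster's own implementation. It swaps the proposed "easy hash" for an HMAC (hash_hmac), because with a plain hash anyone who knows the date, user and group can recompute the token without the secret, and it compares with hash_equals to avoid timing leaks. The names LIZMAP_CUSTOM_KEY, make_user_token, verify_user_token, the `userhash` span and the sample user/group/request values are all assumptions or constructed samples; in a real deployment the user and group would come from the Lizmap session on the Lizmap container, and only the secret would be shared with the custom-PHP container.

```php
<?php
// Added example (not Lizmap code): token = HMAC-SHA256(secret, day|user|group).
// Both containers hold the same $secret; nothing else is shared between them.

function make_user_token(string $secret, string $user, string $group, ?string $day = null): string
{
    // Bind the token to a UTC calendar day so a leaked token dies within ~24h.
    $day = $day ?? gmdate('Y-m-d');
    return hash_hmac('sha256', "$day|$user|$group", $secret);
}

function verify_user_token(string $secret, string $user, string $group, string $token): bool
{
    // Accept today's and yesterday's token so a page loaded before midnight still works.
    foreach ([gmdate('Y-m-d'), gmdate('Y-m-d', time() - 86400)] as $day) {
        $expected = make_user_token($secret, $user, $group, $day);
        if (hash_equals($expected, $token)) {   // constant-time comparison
            return true;
        }
    }
    return false;
}

// --- Lizmap container: emit the token into the page for custom JS to read ---
$secret = getenv('LIZMAP_CUSTOM_KEY') ?: 'replace-me-with-the-admin-panel-key'; // assumption
$user   = 'alice';    // constructed sample; in Lizmap taken from the logged-in session
$group  = 'editors';  // constructed sample; in Lizmap looked up from the user's groups
$token  = make_user_token($secret, $user, $group);
printf(
    '<span id="userhash" data-user="%s" data-group="%s" data-token="%s"></span>' . PHP_EOL,
    htmlspecialchars($user), htmlspecialchars($group), htmlspecialchars($token)
);

// --- Custom-PHP container: verify what the JS sent before doing anything ---
$req = ['user' => $user, 'group' => $group, 'token' => $token]; // constructed sample request
if (!verify_user_token($secret, $req['user'], $req['group'], $req['token'])) {
    http_response_code(403);
    exit('invalid or expired token');
}
// The token only proves Lizmap issued user/group today; the custom PHP must still
// check that $req['group'] is allowed for the repository/project named in the URL.
echo "ok: {$req['user']} in {$req['group']}" . PHP_EOL;
```

Note that the token is still a bearer credential: any script that can read the `userhash` element (including any custom JS served from media/default) can replay it for the rest of the day, so the custom PHP must keep its own group-to-repository authorization check rather than trusting the token alone.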