search

qgis / QGIS-Enhancement-Proposals

QEP's (QGIS Enhancement Proposals) are used in the process of creating and discussing new enhancements for QGIS
118 stars 37 forks source link

QEP 32: Add QGIS server access control interface for python plugin #32

Open NathanW2 opened 8 years ago

NathanW2 commented 8 years ago

QGIS Enhancement 32: Add QGIS server access control interface for python plugin

:Date: 2015/05/27 :Author: Stéphane Brunner :Contact: stephane dot brunner at camptocamp dot com :Last Edited: 2015/05/27 :Status: Draft | Adopted (YYYY/MM/DD) | Completed (YYYY/MM/DD) | Superseded by :ref:QEP #[.#] <qep#[.#]> (YYYY/MM/DD) | Abandoned (YYYY/MM/DD) | Withdrawn (YYYY/MM/DD) :Version: QGIS X.X

.. note::

See :ref:`QEP 1 <qep1>` for description of QEP process.

. Summary

Add the possibility to create python plugin for access control to all the services of QGIS server,

The plugin will implements the following interface:

Our need is to be able to do the following kind of restrictions::

All the knowledge about which user is connected and on what he is allowed to access is the responsability of the plugin.

layerFilter and allowToEdit fill nearly the same use case, but layerFilter is optimised to create requests and concerns the read access, and allowToEdit is optimised to be used on an existing feature object and concerns the write access.

. Implementation Details

See: https://github.com/qgis/QGIS/pull/2056.

I create a new kind of server plugin and I don't extend the current server filter for the following reason::

...................

See summary.

.# Affected Files

..................

See: https://github.com/qgis/QGIS/pull/2056/files.

. Test Coverage

I don't know how we can do unit test for this. I think one possibility is to run the server on apache, and test the query results.

. Performance Implications

Should be really low if there no plugin that implements it. Also depends on the plugin implementation.

. Backwards Compatibility

New interface, then no incidence.

. Documentation

We can create restriction access python plugin.

The class to implements is qgis.server.qgsaccesscontrolplugin.

The optional methods to implement are:

.# layerFilter

...................

Return a filter for the map that will be used in the following requests::

........................

Restrict the permissions on the layer. The concerned rights are: publish, insert, update and delete.

The publish permission is used in all the request that concern a layer including the GetCapabilities.

The others permissions are be used in the WFS/Transaction.

.# authorizedLayerAttributes

.................................

Restrict the published feature attributes.

Used in the following requests::

Disallow the edition of a specific kind of feature.

Used in the following requests::

.. code:: python

from qgis.server import QgsServerAccessControlFilter

def serverClassFactory(serverIface):
    serverIface.registerSecurity( ExampleAC(serverIface) )

class ExampleAc(QgsServerAccessControlFilter):

    # Return an additional expression filter
    def getLayerFilter(self, layer):
        # access only to element with ID 1
        return "1 = $id"

    # Return the layer rights
    def getLayerRights(self, layer):
        # access only to layer country
        rights = QgsServerSecurity.LayerRights()
        rights.publish = layer.name() != "Country"
        return rights

    # Return the authorised layer attributes
    def getAuthorizedLayerAttributes(self, layer, attributes):
        # access only to the attribute named "name"
        return [attrib for attrib in attributes if attrib == "name"]

    # Are we authorise to modify the following geometry
    def allowToEdit(self, layer, feature):
        # allow to edit only the feature with id 1
        return feature.id == 1

. Issue Tracking ID(s)

2056

. Voting History

(required)

NathanW2 commented 8 years ago

@sbrunner

nyalldawson commented 8 years ago

@NathanW2 should this be made final now that it's implemented and merged?