Hide a layer from the public

qgis / qwc2-demo-app

QWC2 demo application

Other

240 stars 149 forks source link

Hide a layer from the public #548

Closed TNick closed 2 months ago

TNick commented 2 months ago

The end purpose is to hide a layer from the map from public but make it available to the users.

I was expecting that

changing permissions_default_allow in tenantConfig.json to false
adding a permission to public to view a map resource

would result in showing the theme without any layers.

It is not clear to me if and how a layer can be restricted to registered users.

TNick commented 2 months ago

On the other hand setting permissions_default_allow in tenantConfig.json to true and adding a permission to a layer for users role prevents the layers with a ConfigDB ID larger than that layer to disappear from the results of the identify tool.

What a mess.

danceb commented 2 months ago

The way to achive this, should be very simple:

set permissions_default_allow to true
create a user group, where all users are part of
create a role for restricting the permissions and associate it to the group
configure the respective layer to be accessible for just this role

The map itself should be visible for everyone and the layer only for users, which are logged in.

manisandro commented 2 months ago

Regarding permissions_default_allow: false: you would need to permit the entire hierarchy to the desired layer, including the root WMS layer name. So i.e. for the qwc_demo theme, to permit only the edit_points layer, you'd need to:

Permit the qwc_demo map
Permit the qwc_demo root layer
Permit the edit_demo group layer
Permit the edit_points layer

The reason for this is that the permission structure allows you to permit/restrict also layer groups. Note that permissions_default_allow: false is uncommon and it is much simpler to work with permissions_default_allow: true.

Regarding the featureinfo permissions, I believe there was indeed a bug when used with permissions_default_allow: false, I've fixed it in qwc-config-generator v2024.04.16.

TNick commented 2 months ago

@danceb Is there something special about the user groups or we can simply associate the user with the role?

This should work?

set permissions_default_allow to true
create a user
create a role for restricting the permissions and make the user part of it
configure the respective layer to be accessible for just this role

TNick commented 2 months ago

With this setting and this tenant config

The result is this

TNick commented 2 months ago

I can confirm that, when using the code checked today out from the GitHub repositories to build the docker images, the layer can be made available only to registered users.

I have not revisited the original problem with permissions_default_allow set to false.