Fix WMS layer access control check #58073

Merged
merged 1 commit into from
Aug 29, 2024

@dmarteau dmarteau commented Jul 11, 2024

Description

Fix access control when requesting a layer group with mixed allowed and forbidden layers from WMS requests.

Actual behavior: raise a security exception

Proposed behavior: consider only allowed layers in group.

The behavior for layers submitted to access control is now the following:

  • Requesting a forbidden layer explicitly raises a security exception (unchanged behavior)
  • Requesting a layer group that contains allowed layers and forbidden layers returns allowed layers and does not raise an exception anymore (changed behavior)
  • Requesting a layer group that does not contain allowed layers is now considered as a non-existent group and returns an error accordingly - which is consistent with the previous behavior (changed behavior)
  • If no layers are requested explicitly, forbidden layers are discarded from the rendering list (unchanged behavior)

Implementation details:

Adding a layer to the rendering list is done by calling the addLayerToRender method with a boolean queryLayer context variable indicating whether the layer is added explicitly or not. If the layer is added explicitly, then a security exception is raised; otherwise the layer is discarded from the rendering list.
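The four rules in the description above, as a simplified model added here for illustration; it is not the PR's code or QGIS's implementation. `Project`, `resolveLayers`, `addLayer`, `sampleProject` and the `forbidden` set are hypothetical names, with `forbidden` standing in for whatever the access control plugin decides per layer.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified model, not QGIS code. `forbidden` stands in for the result of the
// access control plugin's read-permission check on each layer.
struct SecurityError : std::runtime_error { using std::runtime_error::runtime_error; };
struct UnknownLayer : std::runtime_error { using std::runtime_error::runtime_error; };
using Names = std::vector<std::string>;
struct Project {
    Names layers;                         // every layer in the project
    std::map<std::string, Names> groups;  // group name -> member layers
    std::set<std::string> forbidden;      // layers this requester may not read
};

// `explicitRequest` plays the role of the boolean described above: true only
// when the layer itself was named in the request.
static void addLayer(const Project &p, const std::string &name, bool explicitRequest, Names &out) {
    if (!p.forbidden.count(name)) { out.push_back(name); return; }
    if (explicitRequest) throw SecurityError("forbidden layer: " + name);  // else: silently dropped
}

Names resolveLayers(const Project &p, const Names &requested) {
    Names out;
    if (requested.empty()) {                    // nothing named: filter the whole project
        for (const auto &l : p.layers) addLayer(p, l, false, out);
        return out;
    }
    for (const auto &name : requested) {
        auto g = p.groups.find(name);
        if (g != p.groups.end()) {              // group: its members are implicit requests
            Names members;
            for (const auto &m : g->second) addLayer(p, m, false, members);
            if (members.empty()) throw UnknownLayer(name);  // indistinguishable from a missing group
            out.insert(out.end(), members.begin(), members.end());
        } else if (std::find(p.layers.begin(), p.layers.end(), name) != p.layers.end()) {
            addLayer(p, name, true, out);       // named directly: forbidden -> exception
        } else { throw UnknownLayer(name); }
    }
    return out;
}

// Constructed sample: "mixed" has one forbidden member, "secret" has only forbidden ones.
Project sampleProject() {
    return {{"roads", "parcels", "owners"},
            {{"mixed", {"roads", "owners"}}, {"secret", {"owners"}}}, {"owners"}};
}
```

In this model a group whose members are all forbidden produces the same error as a name that does not exist, so the response does not reveal that the group is there.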

@github-actions github-actions bot added this to the 3.40.0 milestone Jul 11, 2024
@rldhont rldhont requested review from elpaso and pblottiere July 11, 2024 12:18

github-actions bot commented Jul 11, 2024

🪟 Windows builds ready!

Windows builds of this PR are available for testing here. Debug symbols for this build are available here.

(Built from commit 45a15da)

@dmarteau dmarteau force-pushed the fix-server-access-control branch from 7f342f6 to 6236202 Compare July 11, 2024 21:26
@rldhont rldhont requested review from mhugent and lbartoletti July 12, 2024 15:26

@elpaso elpaso left a comment

LGTM

@lbartoletti lbartoletti removed their request for review July 26, 2024 14:40

The QGIS project highly values your contribution and would love to see this work merged! Unfortunately this PR has not had any activity in the last 14 days and is being automatically marked as "stale". If you think this pull request should be merged, please check

  • that all unit tests are passing

  • that all comments by reviewers have been addressed

  • that there is enough information for reviewers, in particular

    • link to any issues which this pull request fixes

    • add a description of workflows which this pull request fixes

    • add screenshots if applicable

  • that you have written unit tests where possible

In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this pull request.

If there is no further activity on this pull request, it will be closed in a week.

@github-actions github-actions bot added the stale label Aug 13, 2024
@dmarteau

Work in progress

@github-actions github-actions bot removed the stale label Aug 13, 2024
@dmarteau dmarteau force-pushed the fix-server-access-control branch from 6236202 to 45a15da Compare August 13, 2024 13:58
rldhont commented Aug 26, 2024

Hi @elpaso, @dmarteau has made the requested changes. Is it good to merge?

@rldhont rldhont requested review from rldhont and removed request for rldhont August 26, 2024 08:29
@rldhont rldhont merged commit ffc86e1 into qgis:master Aug 29, 2024
30 checks passed
rldhont commented Oct 1, 2024

We found that our fix made an unnecessary call to the function checkLayerReadPermissions.

Labels
backport queued_ltr_backports Queued Backports Server Related to QGIS server