User or role privileges control on PostGIS tables in QField Cloud

Hi everyone,
For an urban tree risk assessment project, I want to configure a QField Cloud system that allows two teams, with different but complementary responsibilities, to coordinate. To make it simple, let’s consider two groups of users and a single table. Users of the first team will be in charge of creating and editing new features in a layer, whereas the second team members will just have to check the features created by the others.
PostgreSQL allows creating different users, each one with his own authentication credentials, and roles, and designating users as members of roles. And then, it is possible to assign privileges over a particular table to a particular role.


This is the Grant Wizard of pgAdmin 4, from where the database owner can assign privileges on a table to users individually or users grouped in roles.

On QGIS, when connecting to the PostGIS data source with his/her credentials, each user will get the permissions over the layers that are associated with his/her user in the database. If he is team 1, he will be able to do all CRUD operations on features; if she is team 2, she will just be able to select the layer features.
QField Cloud allows the collaboration of several members on a project, and assigning roles to these collaborators. But these QField Cloud roles differ from PostgreSQL roles in that they determine a set of permissions, among them edition, insertion, or reading, that are applied to the whole set of database tables, instead of to some in particular and not others. I need something more fine-grained, as some project collaborators will be team 1 members and others team 2 members.

But, unlike QGIS, it seems not possible to leverage PostgreSQL role permission control when working with QField Cloud as the database client, since there’s just one project for all users and one database connection for them all.

I’ve seen that it is possible to create many pg_service.conf configuration files, which contain the PostGIS database connection string, and that gives me some hope that what I intend can be done, but I don’t have a hint on how to associate a project collaborator with a specific pg_service.conf.


This makes me believe that it is somehow possible to automatically log in to the PostGIS database using one or another secret, depending on the collaborator that logs in to the QField Cloud project.

Please, tell me if there’s a way to achieve what I need or ask for clarification in case I haven’t put it clearly.


Imported from GitHub discussion by @OctaviSerra on 2022-09-14T15:07:32Z

Hello OctaviSerra. Quite interesting use case and very good explanation of your problem, thanks!

The reason why QFieldCloud supports multiple pg_service secrets is that you may connect to multiple databases within the same project.

However, switching the pg_service file based on the user is support and it is not on our roadmap.

You can control what kind of changes users can do via QFieldCloud integrated role based permission model. If you set your team1 to have editor role and team2 as reader, it matches the situation you described above.

The other way to achieve this is if you have two separate projects with two separate pg_service files for each of them.

Note the pg_service file is used only within QFieldCloud server for offline editing layers and it is not delivered to QField App devices. This might change in the next year with additional flag whether the pg_service file is available on mobile devices too.

Based on the role of the user, QField App enforces the UI to disable editing permissions if needed. QFieldCloud Server also additionally enforces the permissions.

Hope these alternatives can work for your use case.


Imported from GitHub comment by @suricactus on 2022-09-14T16:13:03Z
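
The two-project setup suggested above relies on each project's pg_service file logging in as a different PostgreSQL role, so the table-level grants described in the question do the enforcement in the database. As an added example (not from the thread or the QFieldCloud project), with hypothetical schema, table, role and service names:

```sql
-- Added example; every schema, table, role and service name is hypothetical.
CREATE SCHEMA trees;
CREATE TABLE trees.tree_risk (          -- geometry column omitted so this runs without PostGIS
    id         serial PRIMARY KEY,
    species    text,
    risk_level integer,
    checked    boolean DEFAULT false
);

-- Group roles hold the privileges and cannot log in.
CREATE ROLE team1_editors   NOLOGIN;
CREATE ROLE team2_reviewers NOLOGIN;

-- One login role per QFieldCloud project; each inherits from its group role.
CREATE ROLE qfc_team1_project LOGIN PASSWORD 'replace-me-1' IN ROLE team1_editors;
CREATE ROLE qfc_team2_project LOGIN PASSWORD 'replace-me-2' IN ROLE team2_reviewers;

-- Make the starting point explicit: nothing for PUBLIC.
REVOKE ALL ON TABLE trees.tree_risk FROM PUBLIC;
GRANT USAGE ON SCHEMA trees TO team1_editors, team2_reviewers;

-- Team 1: full CRUD, plus the sequence behind the serial id for INSERT.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE trees.tree_risk TO team1_editors;
GRANT USAGE ON SEQUENCE trees.tree_risk_id_seq TO team1_editors;

-- Team 2: read-only.
GRANT SELECT ON TABLE trees.tree_risk TO team2_reviewers;

-- Check the effective privileges of the two login roles.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'trees.tree_risk', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'trees.tree_risk', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'trees.tree_risk', 'UPDATE') AS can_update,
       has_table_privilege(r.rolname, 'trees.tree_risk', 'DELETE') AS can_delete
FROM pg_roles r
WHERE r.rolname IN ('qfc_team1_project', 'qfc_team2_project')
ORDER BY r.rolname;

-- pg_service entry stored as a secret in project A (project B uses qfc_team2_project):
--   [tree_risk_team1]
--   host=db.example.org
--   port=5432
--   dbname=urban_trees
--   user=qfc_team1_project
--   password=replace-me-1
```

With these grants in place, the database itself rejects writes arriving over the team 2 project's connection, independently of what the client allows.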

Hello suricactus,
Thank you very much for the prompt response and for clearing out my main question.

In reality, the use case is a little more complicated, I just laid out the minimum representation for quick understanding purposes. And so, team2 might have permission to edit some tables or views. Then, the alternative of having one project for each database connection is what suits me best, but some issues arise as well:

The problem is with the photos. If you tell me I post this on a new discussion. Pictures taken by team1 are stored within their project, and won’t be visible to team2, whose members log in to another project. And feature images being visible for both teams is a must. I was considering storing all pictures in a unique file hosting service and then getting the features to point to it so that the pictures are downloaded and shown in a WebDAV storage attachment widget in the feature’s attributes form. Is there a way to do this? This was already asked by soester in discussion #2707, but with no answer so far.
There’s a further option for downloading images from external storage and displaying them in the attributes form and it is the Html Widget.


This works partially in QField, as the image is rendered in the feature’s attributes form, but when Html widget is present, the form’s behavior goes bad, being impossible to scroll down. Why could this be happening?

Do you know of a working solution to show feature related images from an external storage in the attributes form?


Imported from GitHub comment by @OctaviSerra on 2022-09-15T13:40:34Z

Hi OctaviSerra.

Please attach a test project and open a new issue describing your troubles with the HTML/QML widgets on QField.

On the other discussion, I just answered here Is ist possible to get QField to access attachment from WebDAV Storage? · opengisch/QField · Discussion #2707 · GitHub . I think you can sync your project photos using the qfieldcloud-cli tool.


Imported from GitHub comment by @suricactus on 2022-09-15T14:39:47Z