Hi Gabriel,

If memory serves me well (and I might be wrong), limit rules only apply on top of a rule allowing access, so you need two rules: one that says "yes you can access" and another of limit type saying "but with the following limitations".
Cheers
Andrea

On Fri, Dec 2, 2022 at 1:23 PM Gabriel Roldan <gabriel.rol...@gmail.com> wrote:

> Hi,
> I think this is a GeoFence bug, but would need confirmation.
>
> RuleLimits are not being respected, as far as I can see.
> For example, if I want to create a Rule stating a given user or role
> can see all layers but within a given area, my understanding is
> a Rule with Access Type = LIMIT, and an allowed area WKT would do,
> but that's just not being applied.
>
> Digging into it, it looks like RuleReaderServiceImpl's
> resolveRuleset(List<Rule> ruleList)
> <https://github.com/geoserver/geofence/blob/cdaee4ac2cc7a3f6dc692a2dec282f6667a4031e/src/services/core/services-impl/src/main/java/org/geoserver/geofence/services/RuleReaderServiceImpl.java#L303-L343>
> does nothing when a Rule has RuleLimits, boiling down to
>
>     private AccessInfoInternal resolveRuleset(List<Rule> ruleList) {
>         List<RuleLimits> limits = new ArrayList<>();
>         AccessInfoInternal ret = null;
>         for (Rule rule : ruleList) {
>             if (ret != null)
>                 break;
>             switch (rule.getAccess()) {
>                 case LIMIT:
>                     RuleLimits rl = rule.getRuleLimits();
>                     if (rl != null)
>                         limits.add(rl);
>                     break;
>                 ....
>             }
>         }
>         return ret;
>     }
>
> That is, adds the RuleLimits to the limits list, and then just returns
> null.
>
> Additionally, the following makes it build an AccessInfoInternal only for
> the first Rule in the ruleList:
>
>     for (Rule rule : ruleList) {
>         if (ret != null)
>             break;
>
> Meaning that if more than one rule matched the filter, only the first one
> will be considered.
>
> My use case is an external system sets up rules for companies based on
> roles, which come from another system, and can have several rules per
> company with different allowed areas, for all layers. Ideally, I shouldn't
> need to merge these areas in order to create a single rule, but have them
> match the external system's.
>
> I've a patch [1] that makes both consider the RuleLimits and all the
> matching rules in resolveRuleset(List<Rule> ruleList) argument.
>
> [1] https://github.com/groldan/geofence/commit/5290c1760746f4e93ff4915c9e80a19a09e433be
>
> With it, I can set up two Rules with different allowed areas, both for all
> layers, and have them applied as expected (or as I understand it's
> expected). The following image is a layer preview of tiger_roads with both
> rules applied:
>
> [image: image.png]
>
> So, is my understanding correct and can I proceed to issue a PR?
>
> Cheers,
>
> --
> Gabriel Roldán
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Regards,
Andrea Aime

Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it
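To illustrate the "limits only apply on top of an allowing rule" semantics discussed in this thread, here is an added, self-contained Java example; it is not GeoFence's code. It assumes the rule list is already filtered and priority-sorted, models allowed areas as java.awt.geom.Area rectangles instead of WKT, and unions the areas of several LIMIT rules (an assumption; intersection would be the stricter reading).

```java
import java.awt.geom.Area;
import java.awt.geom.Rectangle2D;
import java.util.ArrayList;
import java.util.List;

public class RulesetDemo {
    enum Access { ALLOW, DENY, LIMIT }
    // Simplified rule: real GeoFence rules also carry user/role/layer filters.
    // The list passed in is assumed to be already filtered and priority-sorted.
    record Rule(Access access, Area allowedArea) {}
    record AccessInfo(Access access, Area allowedArea) {}

    // LIMIT rules only collect restrictions; the first ALLOW or DENY decides,
    // and the collected limits attach to an ALLOW result.
    static AccessInfo resolveRuleset(List<Rule> ruleList) {
        List<Area> limits = new ArrayList<>();
        for (Rule rule : ruleList) {
            switch (rule.access()) {
                case LIMIT -> { if (rule.allowedArea() != null) limits.add(rule.allowedArea()); }
                case DENY -> { return new AccessInfo(Access.DENY, null); }
                case ALLOW -> { return new AccessInfo(Access.ALLOW, union(limits)); }
            }
        }
        return new AccessInfo(Access.DENY, null); // assumption: nothing allowed -> deny
    }

    // Merge policy (assumption): union of the limit areas; null means no spatial restriction.
    static Area union(List<Area> limits) {
        if (limits.isEmpty()) return null;
        Area merged = new Area();
        for (Area a : limits) merged.add(a);
        return merged;
    }

    static Area box(double x, double y, double w, double h) {
        return new Area(new Rectangle2D.Double(x, y, w, h));
    }

    public static void main(String[] args) {
        // Constructed sample: two LIMIT rules with different areas on top of one ALLOW rule
        List<Rule> rules = List.of(
                new Rule(Access.LIMIT, box(0, 0, 10, 10)),
                new Rule(Access.LIMIT, box(20, 0, 10, 10)),
                new Rule(Access.ALLOW, null));
        AccessInfo info = resolveRuleset(rules);
        System.out.println(info.access() + ", allowed bounds: " + info.allowedArea().getBounds2D());
        System.out.println("(5,5) visible: " + info.allowedArea().contains(5, 5));
        System.out.println("(15,5) visible: " + info.allowedArea().contains(15, 5));
        // The two LIMIT rules alone grant nothing: there is no ALLOW rule to apply them to
        System.out.println(resolveRuleset(rules.subList(0, 2)).access());
    }
}
```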