Hi Gabriel,

limits work by, well, limiting :) so every matched LIMIT rule will add further limitations.

> Is that correct? or an edge case?

It's not an edge case, it's this way by design and described in paragraph Rule-matching / constraints-merging
<https://github.com/geoserver/geofence/wiki/Rule-matching#constraints-merging>:

The constraints merging is performed in the most restrictive way:

> - resulting allowed area will be the intersection of all the allowed
>   areas;

Area unions are indeed performed when considering groups: if a user is added to a group, its privileges will be widened to also allow permissions granted by belonging to the new group.

Just out of curiosity, what is your use case requiring enlarging limit accesses?

Cheers,
Emanuele

On Mon, Dec 5, 2022 at 7:23 PM Gabriel Roldan <gabriel.rol...@gmail.com> wrote:

> Hi Andrea,
>
> thanks for your reply, evidently I've misinterpreted the documentation and
> didn't realize a limit rule had to be followed by an allow rule.
>
> My problem is now that I still can't have multiple limit rules, because
> the merged AccessInfoInternal (as per resolveRuleset()),
> will have its allowed geometry set to the intersection of all the
> limit-rule geometries, instead of their union.
> Is that correct? or an edge case?
>
> Cheers,
> Gabe
>
> On Sat, 3 Dec 2022 at 16:42, Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>
>> Yep, the documentation about rule matching seems to confirm what I said:
>>
>> https://github.com/geoserver/geofence/wiki/Rule-matching#rule-evaluation
>>
>> Cheers
>> Andrea
>>
>> On Fri, Dec 2, 2022 at 5:30 PM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>>
>>> Hi Gabriel,
>>> if memory serves me well (and I might be wrong) limit rules only apply
>>> on top of a rule allowing access, so you need two rules, one that says
>>> "yes you can access" and another of limit type saying "but with the
>>> following limitations"
>>>
>>> Cheers
>>> Andrea
>>>
>>> On Fri, Dec 2, 2022 at 1:23 PM Gabriel Roldan <gabriel.rol...@gmail.com> wrote:
>>>
>>>> Hi,
>>>> I think this is a GeoFence bug, but would need confirmation.
>>>>
>>>> RuleLimits are not being respected, as far as I can see.
>>>> For example, if I want to create a Rule stating a given user or role
>>>> can see all layers but within a given area, my understanding is
>>>> a Rule with Access Type = LIMIT, and an allowed area WKT would do,
>>>> but that's just not being applied.
>>>>
>>>> Digging into it, it looks like RuleReaderServiceImpl's
>>>> resolveRuleset(List<Rule> ruleList)
>>>> <https://github.com/geoserver/geofence/blob/cdaee4ac2cc7a3f6dc692a2dec282f6667a4031e/src/services/core/services-impl/src/main/java/org/geoserver/geofence/services/RuleReaderServiceImpl.java#L303-L343>
>>>> does nothing when a Rule has RuleLimits, boiling down to
>>>>
>>>>     private AccessInfoInternal resolveRuleset(List<Rule> ruleList) {
>>>>         List<RuleLimits> limits = new ArrayList<>();
>>>>         AccessInfoInternal ret = null;
>>>>         for (Rule rule : ruleList) {
>>>>             if(ret != null)
>>>>                 break;
>>>>             switch(rule.getAccess()) {
>>>>                 case LIMIT:
>>>>                     RuleLimits rl = rule.getRuleLimits();
>>>>                     if(rl != null)
>>>>                         limits.add(rl);
>>>>                     break;
>>>>                 ....
>>>>             }
>>>>         }
>>>>         return ret;
>>>>     }
>>>>
>>>> That is, adds the RuleLimits to the limits list, and then just returns
>>>> null.
>>>>
>>>> Additionally, the following makes it build an AccessInfoInternal only
>>>> for the first Rule in the ruleList:
>>>>
>>>>     for (Rule rule : ruleList) {
>>>>         if(ret != null)
>>>>             break;
>>>>
>>>> Meaning that if more than one rule matched the filter, only the first
>>>> one will be considered.
>>>>
>>>> My use case is an external system sets up rules for companies based on
>>>> roles, which come from another system, and can have several rules per
>>>> company with different allowed areas, for all layers. Ideally, I
>>>> shouldn't need to merge these areas in order to create a single rule,
>>>> but have them match the external system's.
>>>>
>>>> I've a patch [1] that makes both consider the RuleLimits and all the
>>>> matching rules in resolveRuleset(List<Rule> ruleList) argument.
>>>>
>>>> [1]
>>>> https://github.com/groldan/geofence/commit/5290c1760746f4e93ff4915c9e80a19a09e433be
>>>>
>>>> With it, I can set up two Rules with different allowed areas, both for
>>>> all layers, and have them applied as expected (or as I understand it's
>>>> expected). The following image is a layer preview of tiger_roads with
>>>> both rules applied:
>>>>
>>>> [image: image.png]
>>>>
>>>> So, is my understanding correct and can I proceed to issue a PR?
>>>>
>>>> Cheers,
>>>>
>>>> --
>>>> Gabriel Roldán
>
> --
> Gabriel Roldán

--
Regards,
Emanuele Tajariol

Ing. Emanuele Tajariol
Technical Lead

GeoSolutions Group
mobile: +39 347 7895230
office: +39 0584 962313
fax: +39 0584 1660272

https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
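
The merging behaviour described in this thread (LIMIT areas are intersected within one matched rule set and only take effect under an ALLOW rule, while areas are unioned across groups), as an added example that is not GeoFence code and not written by any participant. The class, record and method names are hypothetical, rectangles from `java.awt.geom` stand in for WKT allowed areas, and Java 17 is assumed.

```java
import java.awt.geom.Area;
import java.awt.geom.Rectangle2D;
import java.util.*;
// Simplified model of the merging semantics discussed in the thread; not GeoFence code.
// Access, Rule, resolve, merge and box are hypothetical names; rectangles stand in for WKT areas.
public class LimitMergeDemo {
    enum Access { ALLOW, DENY, LIMIT }
    record Rule(int priority, Access access, Area area) {}
    static Area box(double x, double y, double w, double h) {
        return new Area(new Rectangle2D.Double(x, y, w, h));
    }

    // One group's matching rules, by priority: LIMIT areas are intersected until
    // the first ALLOW or DENY. Returns null when nothing grants access.
    static Area resolve(List<Rule> rules, Area world) {
        Area allowed = new Area(world);
        for (Rule r : rules.stream().sorted(Comparator.comparingInt(Rule::priority)).toList()) {
            switch (r.access()) {
                case LIMIT -> allowed.intersect(r.area()); // most restrictive merge
                case ALLOW -> { return allowed; }
                case DENY -> { return null; }
            }
        }
        return null; // LIMIT rules with no ALLOW after them grant nothing
    }
    // Across groups the resolved areas are unioned: membership widens access.
    static Area merge(List<List<Rule>> perGroup, Area world) {
        Area union = new Area();
        for (List<Rule> groupRules : perGroup) {
            Area a = resolve(groupRules, world);
            if (a != null) union.add(a);
        }
        return union;
    }

    public static void main(String[] args) {
        Area world = box(-180, -90, 360, 180);
        Rule west = new Rule(1, Access.LIMIT, box(0, 0, 10, 10));   // constructed sample areas
        Rule east = new Rule(2, Access.LIMIT, box(20, 0, 10, 10));
        Rule allow = new Rule(9, Access.ALLOW, null);
        // Two disjoint limits in one rule set: the intersection is empty, so nothing is visible.
        System.out.println("same set, empty: " + resolve(List.of(west, east, allow), world).isEmpty());
        // A limit with no ALLOW behind it: no access at all.
        System.out.println("limit only: " + resolve(List.of(west), world));
        // One limit per group: the union makes both areas visible, the gap between them is not.
        Area u = merge(List.of(List.of(west, allow), List.of(east, allow)), world);
        System.out.println(u.contains(5, 5) + " " + u.contains(25, 5) + " " + u.contains(15, 5));
    }
}
```

In this model the intersection fails closed: stacking disjoint limits on the same user or role removes access instead of widening it, which is why a union of areas has to come from separate group memberships.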