Custom js/php - add hash key for groups to make js group wise secure #4963
Comments
Sorry, can you clarify what you mean by "group"?
By "group" I mean the Lizmap group assignable via the admin panel. In the Lizmap web GIS only the currently logged-in user is available in JS. With the tables in lizmap_web_client the groups assigned to a user can be evaluated. As Lizmap maps are managed by groups instead of users (e.g. allow editing), it would be simpler to integrate groups than I thought. The intention is to make custom PHP a bit safer by checking which (user/)group makes the request. In PHP the check is: have a hashed key (main hash key + group), unhash the key, split the unhashed value to get the group, and check whether the group is assigned to the project with the repo id from the URL. It is great that Lizmap offers custom JS. But with only JS we cannot build custom PHP with a secure backend, because everything in JS is published. To make the hash key method safer, the hash key should be combined with the current date, so that an obtained hash key is only valid for one day.
To clarify why I asked the question: this is special because my server is divided into Docker containers. Lizmap and the custom PHP are in different containers, so I cannot access $_SESSION in PHP to verify the current user that JS sends to PHP. So the question goes more in the direction of an API with a token. But I think there are no other use cases than my special one. To realize what I want I found the following PHP to modify. Here just another assignment can be made, like "bcrypt custom key . actual date . user", e.g. "userhash".
Then another id like "userhash" can be set here to get the userhash value in JS.
The obtained "userhash" value can be verified in the custom PHP by using the same "custom key . actual date . sent JS 'user'", which is already accessible via the above tpl in JS. So there is increased security on requests made from the Lizmap web GIS to allowed internal/external websites.
Use Redis to store the PHP session, so you can access the same session from both containers, if your custom JS inside Lizmap gives the session id to your custom PHP.
Add a text input to the admin panel for the main hash key. Then in the Lizmap web GIS there should be a hash available in JS like "hashkey+group". Use an easy hash function, maybe the same one Jelix uses to hash Lizmap user passwords. That should make custom JS/PHP group-wise safe, e.g. when you have a custom JS in media/default.
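As an added example (not Lizmap's code and not the reporter's), here is the token scheme sketched in the original request and in the comments above, written in PHP: the Lizmap container mints a value built from secret + UTC date + group that the template can expose to custom JS, and the custom PHP on the other container verifies it and then checks the group against the repository id taken from the URL. Two details are assumptions of this example rather than what the thread proposes: the secret is used as an HMAC key (hash_hmac) instead of being concatenated into a plain hash, and the MAC is compared with hash_equals. The secret value, the group names and the repository allow-list are constructed placeholders; Lizmap's real group and repository data lives in its database and is not modelled here.

```php
<?php
// Added example, not code from Lizmap or from the issue reporter.
// Mints and verifies a daily-rotating group token: secret + UTC date + group.
// Assumed: the same secret is configured on both containers (for instance via
// the admin panel text input proposed in the issue). The repository allow-list
// further down is a constructed stand-in for Lizmap's database.
declare(strict_types=1);

const TOKEN_DAY_FORMAT = 'Ymd';

function utcDay(?DateTimeImmutable $now): string
{
    $now = $now ?? new DateTimeImmutable('now', new DateTimeZone('UTC'));
    return $now->setTimezone(new DateTimeZone('UTC'))->format(TOKEN_DAY_FORMAT);
}

function base64UrlEncode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64UrlDecode(string $txt): ?string
{
    $b64 = strtr($txt, '-_', '+/');
    $pad = strlen($b64) % 4;
    if ($pad > 0) {
        $b64 .= str_repeat('=', 4 - $pad);
    }
    $bin = base64_decode($b64, true);
    return $bin === false ? null : $bin;
}

// Lizmap side: the value the template exposes to custom JS.
// '|' is the field separator; a group name containing '|' makes the token
// unparseable, which fails closed in verifyGroupToken().
function mintGroupToken(string $secret, string $group, ?DateTimeImmutable $now = null): string
{
    $day = utcDay($now);
    $payload = $group . '|' . $day;
    // Keyed HMAC instead of hash(secret . date . group): not subject to length
    // extension, and the secret itself never appears in the token.
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64UrlEncode($payload . '|' . $mac);
}

// Custom PHP side: returns the group the token vouches for, or null.
function verifyGroupToken(string $secret, string $token, ?DateTimeImmutable $now = null): ?string
{
    $raw = base64UrlDecode($token);
    if ($raw === null) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$group, $day, $mac] = $parts;
    // Only today's token is accepted, so a captured token is dead within a day.
    if ($day !== utcDay($now)) {
        return null;
    }
    $expected = hash_hmac('sha256', $group . '|' . $day, $secret);
    // Constant-time comparison, and the MAC is checked before $group is trusted.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $group;
}

// The check the issue describes: may this group use the repository named in
// the request URL? The allow-list is constructed for this example.
function groupAllowedForRepository(string $group, string $repoId, array $allowList): bool
{
    return in_array($group, $allowList[$repoId] ?? [], true);
}

// Constructed usage.
$secret = 'long-random-secret-shared-by-both-containers';
$allowList = ['cadastre' => ['editors', 'admins'], 'public' => ['admins']];

$token = mintGroupToken($secret, 'editors');   // exposed to JS by the tpl
$group = verifyGroupToken($secret, $token);     // done in the custom PHP
var_dump($group === 'editors');
var_dump($group !== null && groupAllowedForRepository($group, 'cadastre', $allowList));
var_dump($group !== null && groupAllowedForRepository($group, 'public', $allowList));

// A forged token for another group with a guessed MAC is rejected.
$forged = base64UrlEncode('admins|' . utcDay(null) . '|' . str_repeat('0', 64));
var_dump(verifyGroupToken($secret, $forged) === null);

// Yesterday's token is rejected today.
$yesterday = new DateTimeImmutable('-1 day', new DateTimeZone('UTC'));
var_dump(verifyGroupToken($secret, mintGroupToken($secret, 'editors', $yesterday)) === null);
```

Anything the template hands to JS is visible to the logged-in user, so the token only proves "this browser was given a token for group X today"; it must never contain the secret, and verification has to stay in PHP. The one-day window from the thread also has a midnight edge: a token minted at 23:59 UTC is rejected a minute later, which is why an explicit expiry timestamp inside the signed payload is the usual alternative to a calendar day.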