
Custom js/php - add hash key for groups to make js group wise secure #4963

Open
r9zzai opened this issue Nov 9, 2024 · 3 comments
Labels
enhancement Sponsor or PR needed Either a PR or a sponsor is needed for this feature

Comments

@r9zzai

r9zzai commented Nov 9, 2024

Add a text input to the admin panel for a main hash key. Then in Lizmap webgis there should be a hash available in js like "hashkey+group". Use a simple hash function, maybe the same one Jelix uses to hash Lizmap user passwords. That should make custom js/php group-wise safe, e.g. when you have custom js in media/default.

@r9zzai r9zzai added enhancement Sponsor or PR needed Either a PR or a sponsor is needed for this feature labels Nov 9, 2024
@Gustry
Member

Gustry commented Nov 12, 2024

Sorry, can you clarify what you mean by "group"?

@r9zzai
Author

r9zzai commented Nov 12, 2024

With group I mean a Lizmap group assignable via the admin panel. In Lizmap webgis only the currently logged-in user is available in js. With the tables in lizmap_web_client the assigned groups for a user can be evaluated. As Lizmap maps are managed by groups instead of users (e.g. allow edition), it would be simpler to integrate groups than I thought.

The intention is to make custom php a bit safer for checking which (user/)group makes the request. In php the check is: have a hashed key (main hash key+group), unhash the key, split the unhashed value to get the group, and check if the group is assigned to the project with the repo id from the URL.

It is great that Lizmap offers custom js. But with only js we cannot make custom php with a secure backend because everything in js is published. To make the hashkey method safer, the hashkey should be combined with the current date so an obtained hashkey is only valid for one day.

@r9zzai r9zzai closed this as completed Nov 16, 2024
@r9zzai r9zzai reopened this Nov 16, 2024
@r9zzai
Author

r9zzai commented Nov 23, 2024

To clarify why I asked the question: this is special because my server is divided into Docker containers. Lizmap and the custom php are in different containers, so I cannot access $_SESSION in php to verify the current user against the js user sent to php. So the question goes more in the direction of an API with a token. But I think there are no other use cases than my special one.

To realize what I want I found the following php to modify. Here just another assign can be made, like "bcrypt custom key . actual date . User", e.g. "userhash".

Then another id like "userhash" can be set here to get the userhash value in js:

<span id="info-user-login" title="{$user->firstname} {$user->lastname}">{$user->login|eschtml}</span>

The obtained "userhash" value can be verified in the custom php by using the same "custom key . actual date . sent js "user"" (the user is already accessible in js via the above tpl). So there is increased security on requests made from Lizmap webgis to allowed internal/external websites.
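Added example (not Lizmap or Jelix code) of the "custom key . actual date . user" token described in this thread, with HMAC-SHA256 over a shared secret standing in for "bcrypt custom key"; the secret, the login name and the issue/verify function names are assumptions, and the secret must be configured identically on the Lizmap and custom-php containers.

```php
<?php
// Added example, not Lizmap code: a daily token binding a login to the current UTC day.
// HMAC-SHA256 with a shared secret replaces "bcrypt custom key"; both containers need the
// same secret, otherwise the custom php cannot recompute the value Lizmap exposed in js.
declare(strict_types=1);

const USERHASH_SECRET = 'CHANGE-ME-shared-secret-from-admin-panel'; // placeholder value

// Lizmap side: the value to put into a "userhash" span in the template.
function userhash_issue(string $login, string $secret, ?DateTimeImmutable $now = null): string
{
    $now ??= new DateTimeImmutable('now', new DateTimeZone('UTC'));
    $day = $now->format('Y-m-d');
    // Length-prefix the login so two different login/day pairs cannot produce the same input.
    return hash_hmac('sha256', strlen($login) . ':' . $login . ':' . $day, $secret);
}

// Custom-php side: recompute the token for the login the client sent and compare in
// constant time. Today's and yesterday's day are accepted so requests around midnight
// UTC do not fail; anything older is rejected, which gives the one-day validity asked for.
function userhash_verify(string $login, string $token, string $secret, ?DateTimeImmutable $now = null): bool
{
    $now ??= new DateTimeImmutable('now', new DateTimeZone('UTC'));
    foreach ([$now, $now->modify('-1 day')] as $day) {
        $expected = userhash_issue($login, $secret, $day);
        if (hash_equals($expected, $token)) {
            return true;
        }
    }
    return false;
}

// Demo with a constructed login; in Lizmap the login would come from $user->login.
$token = userhash_issue('alice', USERHASH_SECRET);
var_dump(userhash_verify('alice', $token, USERHASH_SECRET)); // same login, same day
var_dump(userhash_verify('bob', $token, USERHASH_SECRET));   // token is bound to the issuing login
var_dump(userhash_verify('alice', $token, USERHASH_SECRET,
    new DateTimeImmutable('+2 days', new DateTimeZone('UTC')))); // token older than one day
```

The custom php still has to look up the verified login's groups in lizmap_web_client before trusting a group claim, since the token only proves who Lizmap issued it to.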
