Allow user to create and read only his own projects (GLOBAL_READ/GLOBAL_WRITE/GLOBAL_ADMIN)
arno974 opened this issue · 2 comments
Hi Mergin Team,
I'm trying to set up my own Mergin Maps instance (Community Edition) as well as possible, and more specifically project authorizations using:
GLOBAL_READ
GLOBAL_WRITE
GLOBAL_ADMIN
But I'm surprised by how Mergin Maps reacts to the values of these variables.
For example, by setting all the variables to False, I expected the user to only have the right to create and view his own projects. However, with GLOBAL_WRITE set to False, the user cannot even create a project. In QGIS, I get the following error message: "You do not have permissions to create a project in this workspace" and in the web interface I don't have the button to create projects.
If I set the GLOBAL_WRITE variable to True, the user can see all other users' projects, but I still get another error message when creating a project.
The only option that works for me to give users the ability to create projects is to set GLOBAL_ADMIN to True (I assume this is equivalent to GLOBAL_READ and GLOBAL_WRITE to True). But then users can see and write to other users' projects.
Could you please help me to understand the role and impact of the GLOBAL_READ, GLOBAL_WRITE and GLOBAL_ADMIN variables? In addition, what would be the correct configuration for authorizing a user to create his own projects and view only his own projects (or those shared with him)?
Thanks in advance for your help :)
Hi, the GLOBAL_* permissions are ultimately used in this function https://github.com/MerginMaps/mergin/blob/ae0c164fe9b3bc9ad03c573b1c7ca52734f8616d/server/mergin/sync/workspace.py#L86 . You assign ALL users such a role by default.
What those roles effectively mean is explained in https://merginmaps.com/docs/manage/permissions/#workspace-member-roles
So in CE, if you set GLOBAL_READ=False and GLOBAL_WRITE=False and GLOBAL_ADMIN=False, everyone will be a guest. In that case, the super-admin can create a project and assign write to a particular user.
So in the CE, it is not possible to have the permission setup you described.
In EE, you can let users have their own workspaces, where they can see their projects or invite other members.
Thank you for this information!