hardcoded username and password in layer URI #179
Description
When I add layers from Browser it uses "authcfg=" in the URI - this is expected behaviour. However, when I add layers that have metadata in pgmetadata using locator, it hardcodes username and password in the URI and ignores autcfg settings. Since we use pgmetadata in multiuser environment this poses a big security issue for us. I tested with QGIS 3.40.9 and 3.44.1. I also tested with new database and new QGIS profile with fresh install of pgmetadata. My postgresql database is on version 17.5. I am connected to the postgresql database using authentication configuration.
In the past adding layers with locator worked as it should (with authcfg), but I don’t know exactly which QGIS/postgresql combination was the last one that worked. I tried to use copilot to modify locator.py file in the plugin, but had no success. Maybe it is an easy fix for someone with right knowledge.
Can someone else check for their configuration if they get valid URI with authconfig?
Examples (first one is expected URI, second one is URI generated by pgmetadata)
dbname='foo' host=localhost port=5432 sslmode=prefer authcfg=xyz_gis key='ko_id' estimatedmetadata=true srid=3794 type=MultiPolygon checkPrimaryKeyUnicity='1' table="public"."foo" (geom)
dbname='foo' host=localhost port=5432 sslmode=prefer user='joe' password='pass' key='ko_id' estimatedmetadata=true srid=3794 type=MultiPolygon checkPrimaryKeyUnicity='1' table="public"."foo" (geom)
We really need solution for this problem to keep using this great plugin that really make our work easier.