What is the bug? (in English)
The export button in the Form Filter panel is displayed and functional for all users, even when export permissions are restricted to specific groups (e.g. admins) in both:
the repository settings (Allow export of vector layers → admins only), as configured in the Lizmap administration panel
the attribute layer configuration (Export allowed groups → admins only), as configured in the Lizmap QGIS plugin
The button should only be visible and usable for users belonging to the allowed groups. When accessing the map as an anonymous (non-logged-in) user, the export button is still displayed and functional in the Form Filter panel.
Steps to reproduce the issue
In the Lizmap administration panel, set Allow export of vector layers to admins only for the repository
In the QGIS Lizmap plugin, configure the attribute layer with Export enabled = checked and Export allowed groups = admins
Save the QGIS project and upload the updated .qgs and .cfg files to the server
Open the map in a browser without logging in (anonymous user)
Open the Form Filter panel and apply a filter on the configured layer
Observe that the Export button is visible and functional despite the restrictions set in steps 1 and 2
Expected behavior:
The Export button should not be visible for anonymous users or any user not belonging to the admins group.
Actual behavior:
The Export button is visible and functional for all users regardless of the configured export permissions.
See example https://cx21-9.webgis.biz
Versions, safeguards, check summary etc
Versions :
- Lizmap Web Client : 3.9.6 - commit 798ef24 798ef2468
- Lizmap plugin : 5.0.0-alpha.3+pre
- QGIS Desktop : 3.44.8
- QGIS Server : 3.44.8
- Py-QGIS-Server or QJazz : not used
- QGIS Server plugin atlasprint : 3.4.3
- QGIS Server plugin lizmap_server : 2.14.1
- QGIS Server plugin wfsOutputExtension : 1.8.3
List of Lizmap Web Client modules :
* Version Lizmap Web Client 3.8 needed
List of safeguards :
* Mode : normal
* Allow parent folder : yes
* Number of parent : 4 folder(s)
* Prevent other drive : no
* Prevent PG service : no
* Prevent PG Auth DB : no
* Force PG user&pass : no
* Prevent ECW : yes
Check Lizmap plugin
Operating system
Ubuntu 24.04
Browsers
Chrome
Browsers version
146.0.7680.80
Relevant log output
Note: This is not a log output but a code analysis identifying the root cause.
The issue was identified by inspecting filter.js and Project.php.
In Project.php, the export permission check works correctly. It evaluates
export_allowed_groups against the current user's groups and writes the result
into the project configuration:
$attributeLayer->export_enabled = $layerExportEnabled ? 'True' : 'False';
However, in filter.js, the export button is rendered based solely on whether
the ODS format is available — without checking the export_enabled flag:
lizMap.mainLizmap.initialConfig.vectorLayerResultFormat.includes("ODS")
&& (e += '<button id="liz-filter-export"...');
Suggested fix: Additionally check export_enabled from lizMap.config.attributeLayers:
const layerName = globalThis.filterConfigData.layerName;
const exportEnabled = lizMap.config.attributeLayers?.[layerName]?.exportEnabled === 'True';
lizMap.mainLizmap.initialConfig.vectorLayerResultFormat.includes("ODS")
&& exportEnabled // missing check
&& (e += '<button id="liz-filter-export"...');
What is the bug? (in English)
The export button in the Form Filter panel is displayed and functional for all users, even when export permissions are restricted to specific groups (e.g. admins) in both:
the repository settings (Allow export of vector layers → admins only), as configured in the Lizmap administration panel
the attribute layer configuration (Export allowed groups → admins only), as configured in the Lizmap QGIS plugin
The button should only be visible and usable for users belonging to the allowed groups. When accessing the map as an anonymous (non-logged-in) user, the export button is still displayed and functional in the Form Filter panel.
Steps to reproduce the issue
In the Lizmap administration panel, set Allow export of vector layers to admins only for the repository
In the QGIS Lizmap plugin, configure the attribute layer with Export enabled = checked and Export allowed groups = admins
Save the QGIS project and upload the updated .qgs and .cfg files to the server
Open the map in a browser without logging in (anonymous user)
Open the Form Filter panel and apply a filter on the configured layer
Observe that the Export button is visible and functional despite the restrictions set in steps 1 and 2
Expected behavior:
The Export button should not be visible for anonymous users or any user not belonging to the admins group.
Actual behavior:
The Export button is visible and functional for all users regardless of the configured export permissions.
See example https://cx21-9.webgis.biz
Versions, safeguards, check summary etc
Versions :
List of Lizmap Web Client modules :
* Version Lizmap Web Client 3.8 needed
List of safeguards :
* Mode : normal
* Allow parent folder : yes
* Number of parent : 4 folder(s)
* Prevent other drive : no
* Prevent PG service : no
* Prevent PG Auth DB : no
* Force PG user&pass : no
* Prevent ECW : yes
Check Lizmap plugin
Operating system
Ubuntu 24.04
Browsers
Chrome
Browsers version
146.0.7680.80
Relevant log output