Merge pull request #874 from MerginMaps/dev-2026.2.0

MarcelGeo · web-flow · commit 88a3fe8772d9 · 2026-02-20T16:53:26.000+01:00
Release 2026.2.0
diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml
@@ -10,11 +10,11 @@ on:
         type: string
       REQUESTED_GEODIFF_VER:
         description: 'Geodiff version'
-        default: '2.1.2'
+        default: '2.2.0'
         type: string
 env:
   PYTHON_API_CLIENT_VER: ${{ inputs.REQUESTED_PYTHON_API_CLIENT_VER || '0.12.2' }}
-  GEODIFF_VER:  ${{ inputs.REQUESTED_GEODIFF_VER || '2.1.2' }}
+  GEODIFF_VER:  ${{ inputs.REQUESTED_GEODIFF_VER || '2.2.0' }}
   PYTHON_VER: "38"
 jobs:
   build_linux_binary:
@@ -61,17 +61,11 @@ jobs:
         run: |
           choco install unzip
 
-      - name: Download pygeodiff 32 binaries
-        run: |
-          pip3 download --only-binary=:all: --no-deps --platform "win32" --python-version $env:PYTHON_VER pygeodiff==$env:GEODIFF_VER
-          unzip -o pygeodiff-$env:GEODIFF_VER-cp$env:PYTHON_VER-cp$env:PYTHON_VER-win32.whl -d tmp32
-          mkdir pygeodiff-binaries
-          copy tmp32\pygeodiff\*.pyd pygeodiff-binaries\
-
       - name: Download pygeodiff 64 binaries
         run: |
           pip3 download --only-binary=:all: --no-deps --platform "win_amd64" --python-version $env:PYTHON_VER pygeodiff==$env:GEODIFF_VER
           unzip -o pygeodiff-$env:GEODIFF_VER-cp$env:PYTHON_VER-cp$env:PYTHON_VER-win_amd64.whl -d tmp64
+          mkdir pygeodiff-binaries
           copy tmp64\pygeodiff\*.pyd pygeodiff-binaries\
 
       - uses: actions/upload-artifact@v4
diff --git a/Mergin/plugin.py b/Mergin/plugin.py
@@ -43,7 +43,6 @@
     icon_path,
     mm_symbol_path,
     mergin_project_local_path,
-    PROJS_PER_PAGE,
     remove_project_variables,
     set_qgis_project_mergin_variables,
     unsaved_project_check,
@@ -55,6 +54,7 @@
     AuthTokenExpiredError,
     set_qgsexpressionscontext,
     get_authcfg,
+    AuthSync,
 )
 
 from .mergin.merginproject import MerginProject
@@ -478,6 +478,7 @@ def create_new_project(self):
 
     def current_project_sync(self):
         """Synchronise current Mergin Maps project."""
+        AuthSync().export_auth(self.mc)
         self.manager.project_status(self.mergin_proj_dir)
 
     def find_project(self):
@@ -551,6 +552,8 @@ def add_context_menu_actions(self, layers):
                 self.iface.addCustomActionForLayer(self.action_export_mbtiles, l)
 
     def unload(self):
+        from .utils import pygeodiff
+
         if self.iface is not None:
             # Disconnect Mergin related signals
             self.iface.projectRead.disconnect(self.on_qgis_project_changed)
@@ -576,6 +579,8 @@ def unload(self):
         QgsExpressionContextUtils.removeGlobalVariable("mm_user_email")
         QgsApplication.instance().dataItemProviderRegistry().removeProvider(self.data_item_provider)
         self.data_item_provider = None
+        # unload pygeodiff to avoid .pyd to be write-protected and thus impossible to delete on Windows
+        pygeodiff.shutdown()
         # this is crashing qgis on exit
         # self.iface.browserModel().reload()
 
diff --git a/Mergin/projects_manager.py b/Mergin/projects_manager.py
@@ -36,12 +36,13 @@
     UnsavedChangesStrategy,
     write_project_variables,
     bytes_to_human_size,
+    is_file_changed,
     get_push_changes_batch,
     SYNC_ATTEMPTS,
     SYNC_ATTEMPT_WAIT,
     push_error_message,
 )
-from .utils_auth import get_stored_mergin_server_url
+from .utils_auth import AuthSync, AUTH_CONFIG_FILENAME
 
 from .mergin.merginproject import MerginProject
 from .project_status_dialog import ProjectStatusDialog
@@ -73,6 +74,9 @@ def open_project(self, project_dir):
 
         qgis_files = find_qgis_files(project_dir)
         if len(qgis_files) == 1:
+            # singleton project object is not in the interface yet, we need to pass the qgis file to retrieve the project id
+            AuthSync(qgis_files[0]).import_auth()
+
             iface.addProject(qgis_files[0])
             if self.mc.has_unfinished_pull(project_dir):
                 widget = iface.messageBar().createMessage(
@@ -438,12 +442,17 @@ def sync_project(self, project_dir, project_name=None):
 
             if dlg.pull_conflicts:
                 self.report_conflicts(dlg.pull_conflicts)
+                if is_file_changed(pull_changes, AUTH_CONFIG_FILENAME):
+                    AuthSync().import_auth()
                 return
 
             if not dlg.is_complete:
                 # we were cancelled
                 return
 
+            if is_file_changed(pull_changes, AUTH_CONFIG_FILENAME):
+                AuthSync().import_auth()
+
             dlg = SyncDialog()
             dlg.labelStatus.setText("Preparing project upload...")
             dlg.push_start(self.mc, project_dir, project_name)
@@ -493,6 +502,7 @@ def sync_project(self, project_dir, project_name=None):
             if not dlg.is_complete:
                 # we were cancelled
                 return
+
             _, has_push_changes = get_push_changes_batch(self.mc, project_dir)
             error_retries_attempts = 0
             if not has_push_changes:
diff --git a/Mergin/utils.py b/Mergin/utils.py
@@ -4,7 +4,7 @@
 import shutil
 from datetime import datetime, timezone
 from enum import Enum
-from typing import Any
+from typing import Any, Dict, List
 from urllib.error import URLError, HTTPError
 import configparser
 import os
@@ -1063,11 +1063,8 @@ def mm_symbol_path():
 
 def check_mergin_subdirs(directory):
     """Check if the directory has a Mergin Maps project subdir (.mergin)."""
-    for root, dirs, files in os.walk(directory):
-        for name in dirs:
-            if name == ".mergin":
-                return os.path.join(root, name)
-    return False
+    mergin_dir = os.path.join(directory, ".mergin")
+    return mergin_dir if os.path.isdir(mergin_dir) else False
 
 
 def is_number(s):
@@ -1728,6 +1725,11 @@ def escape_html_minimal(s: str) -> str:
     return s
 
 
+def is_file_changed(changes: Dict[str, List[dict]], filename: str) -> bool:
+    """Check whether a file is added or updated"""
+    return any(f.get("path") == filename for key in ["added", "updated"] for f in changes.get(key, []))
+
+
 def sanitize_path(expr: str) -> str:
     if not expr:
         return expr
diff --git a/Mergin/utils_auth.py b/Mergin/utils_auth.py
@@ -1,4 +1,9 @@
-import datetime
+# GPLv3 license
+# Copyright Lutra Consulting Limited
+
+import hashlib
+import os
+import re
 import typing
 import uuid
 import json
@@ -14,16 +19,23 @@
     QgsNetworkAccessManager,
     QgsExpressionContextUtils,
     Qgis,
+    QgsProject,
+    QgsProviderRegistry,
 )
 from qgis.PyQt.QtCore import QSettings, QUrl
 from qgis.PyQt.QtNetwork import QNetworkRequest
+from qgis.PyQt.QtWidgets import QMessageBox
 
 from .mergin.client import MerginClient, ServerType, AuthTokenExpiredError
 from .mergin.common import ClientError, LoginError
+from .mergin.merginproject import MerginProject
 
 from .utils import MERGIN_URL, get_qgis_proxy_config, get_plugin_version
 
 
+AUTH_CONFIG_FILENAME = "qgis_cfg.xml"
+
+
 class LoginType(Enum):
     """Types of login supported by Mergin Maps."""
 
@@ -552,3 +564,129 @@ def qgis_support_sso() -> bool:
     """
     # QGIS 3.40+ supports SSO
     return Qgis.versionInt() >= 34000
+
+
+class AuthSync:
+    def __init__(self, qgis_file=None):
+        if qgis_file is None:
+            self.project = QgsProject.instance()
+        else:
+            self.project = QgsProject()
+            self.project.read(qgis_file)
+        self.project_path = self.project.homePath()
+        self.auth_file = os.path.join(self.project_path, AUTH_CONFIG_FILENAME)
+        self.mp = MerginProject(self.project_path)
+        self.project_id = self.mp.project_id()
+        self.auth_mngr = QgsApplication.authManager()
+
+    def get_layers_auth_ids(self) -> typing.List[str]:
+        """Get the auth config IDs of the protected layers in the current project."""
+        auth_ids = set()
+        reg = QgsProviderRegistry.instance()
+        for layer in self.project.mapLayers().values():
+            source = layer.source()
+            prov_type = layer.providerType()
+            decoded_uri = reg.decodeUri(prov_type, source)
+            auth_id = decoded_uri.get("authcfg")
+            if auth_id:
+                auth_ids.add(auth_id)
+        return list(auth_ids)
+
+    def get_auth_config_hash(self, auth_ids: typing.List[str]) -> str:
+        """
+        Generates a stable hash from the decrypted content of the given auth IDs.
+        This allows us to detect config changes regardless of random encryption salts in the encrypted XML file.
+        """
+        sorted_ids = sorted(auth_ids)
+
+        hasher = hashlib.sha256()
+
+        for auth_id in sorted_ids:
+            config = QgsAuthMethodConfig()
+            if not self.auth_mngr.loadAuthenticationConfig(auth_id, config, True):  # True to decrypt full details
+                self.mp.log.error(f"Failed to load the authentication config for the auth ID: {auth_id}")
+                continue
+
+            header_data = f"{config.id()}|{config.method()}|{config.uri()}"
+            hasher.update(header_data.encode("utf-8"))
+
+            config_map = config.configMap()
+            for key in sorted(config_map.keys()):
+                entry = f"|{key}={config_map[key]}"
+                hasher.update(entry.encode("utf-8"))
+
+        return hasher.hexdigest()
+
+    def export_auth(self, client) -> None:
+        """Export auth DB credentials for protected layers if they have changed"""
+
+        # permission check - auth config .xml file can be modified from the writer role above
+        project_info = client.project_info(self.mp.project_full_name())
+        role = project_info.get("role")
+        if not (role and role in ("writer", "owner")):
+            return
+
+        referenced_ids = self.get_layers_auth_ids()
+        available_ids = self.auth_mngr.configIds()
+        auth_ids = [aid for aid in referenced_ids if aid in available_ids]
+        if not auth_ids:
+            if os.path.exists(self.auth_file):
+                os.remove(self.auth_file)
+            return
+
+        if not self.auth_mngr.masterPasswordIsSet():
+            self.mp.log.warning("Master Password not set. Cannot export auth configs.")
+            msg = "Failed to export authentication configuration. If you want to share the credentials of the protected layer(s), set the master password please."
+            QMessageBox.warning(
+                None, "Cannot export configuration for protected layer", msg, QMessageBox.StandardButton.Close
+            )
+            return
+
+        current_hash = self.get_auth_config_hash(auth_ids)
+
+        # Compare current hash with the hash in the existing file
+        file_exists = os.path.exists(self.auth_file)
+        if file_exists:
+            with open(self.auth_file, "r", encoding="utf-8") as f:
+                content = f.read()
+                pattern = r"<!--\s*HASH:\s*([A-Za-z0-9]+)\s*-->"
+                match = re.search(pattern, content)
+                if match:
+                    existing_hash = match.group(1)
+                    if existing_hash == current_hash:
+                        self.mp.log.info("No change in auth config. No update needed.")
+                        return
+                    else:
+                        self.mp.log.info("Auth config file change detected. Updating file...")
+                else:
+                    self.mp.log.warning("No hash found in existing config file. Creating one...")
+
+        # Export and inject hash
+        temp_file = os.path.join(self.project_path, f"temp_{AUTH_CONFIG_FILENAME}")
+
+        ok = self.auth_mngr.exportAuthenticationConfigsToXml(temp_file, list(auth_ids), self.project_id)
+
+        if ok:
+            with open(temp_file, "r", encoding="utf-8") as f:
+                xml_content = f.read()
+
+            hashed_content = xml_content + f"\n<!-- HASH: {current_hash} -->"
+
+            with open(self.auth_file, "w", encoding="utf-8") as f:
+                f.write(hashed_content)
+
+            if os.path.exists(temp_file):
+                os.remove(temp_file)
+
+    def import_auth(self) -> None:
+        """Import credentials for protected layers"""
+
+        if os.path.isfile(self.auth_file):
+            if not self.auth_mngr.masterPasswordIsSet():
+                self.mp.log.warning("Master password is not set. Could not import auth config.")
+                user_msg = "Could not import authentication configuration for the protected layer(s). Set the master password and reload the project if you want to access the protected layer(s)."
+                QMessageBox.warning(None, "Could not load protected layer", user_msg, QMessageBox.StandardButton.Close)
+                return
+
+            ok = self.auth_mngr.importAuthenticationConfigsFromXml(self.auth_file, self.project_id, overwrite=True)
+            self.mp.log.info(f"QGIS auth imported: {ok}")
