comparison Plugin/Plugin.cpp @ 202:3c56c3f0059a default tip
Fix forbidden access when the PatientID and StudyInstanceUID are identical
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 23 Sep 2024 12:43:33 +0200 |
parents | 21abcb97ff3c |
children |
201:8c79c3b026ce | 202:3c56c3f0059a |
---|---|
669 } | 669 } |
670 | 670 |
671 return true; | 671 return true; |
672 } | 672 } |
673 | 673 |
674 void GetStudyOrthancIdFromStudyInstanceUID(std::vector<std::string>& studyOrthancIds, const std::string& studyInstanceUID) | |
675 { | |
676 studyOrthancIds.clear(); | |
677 Json::Value response; | |
678 if (OrthancPlugins::RestApiPost(response, "/tools/lookup", studyInstanceUID, false)) | |
679 { | |
680 for (Json::ArrayIndex i = 0; i < response.size(); ++i) | |
681 { | |
682 if (response[i]["Type"] == "Study") | |
683 { | |
684 studyOrthancIds.push_back(response[i]["ID"].asString()); | |
685 } | |
686 } | |
687 } | |
688 } | |
689 | |
674 void ToolsFind(OrthancPluginRestOutput* output, | 690 void ToolsFind(OrthancPluginRestOutput* output, |
675 const char* /*url*/, | 691 const char* /*url*/, |
676 const OrthancPluginHttpRequest* request) | 692 const OrthancPluginHttpRequest* request) |
677 { | 693 { |
678 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); | 694 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
717 { | 733 { |
718 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); | 734 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); |
719 } | 735 } |
720 | 736 |
721 // since this is a series/instance find, make sure the user has access to the parent study | 737 // since this is a series/instance find, make sure the user has access to the parent study |
722 Json::Value studyOrthancIds; | 738 std::vector<std::string> studyOrthancIds; |
723 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) | 739 GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID); |
724 { | 740 |
725 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query."); | 741 if (studyOrthancIds.size() != 1) |
726 } | |
727 else if (studyOrthancIds.size() != 1) | |
728 { | 742 { |
729 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | 743 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); |
730 } | 744 } |
731 | 745 |
732 bool granted = false; | 746 bool granted = false; |
755 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) | 769 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) |
756 { | 770 { |
757 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); | 771 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); |
758 } | 772 } |
759 | 773 |
760 Json::Value studyOrthancIds; | 774 std::vector<std::string> studyOrthancIds; |
761 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) | 775 GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID); |
762 { | 776 |
763 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query."); | 777 if (studyOrthancIds.size() != 1) |
764 } | |
765 else if (studyOrthancIds.size() != 1) | |
766 { | 778 { |
767 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | 779 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); |
768 } | 780 } |
769 | 781 |
770 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request | 782 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request |
771 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); | 783 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); |
772 | 784 |
773 std::set<std::string> labels; | 785 std::set<std::string> labels; |
774 OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0]["ID"].asString(), studyInstanceUID, labels); | 786 OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0], studyInstanceUID, labels); |
775 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) | 787 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) |
776 { | 788 { |
777 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); | 789 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); |
778 } | 790 } |
779 | 791 |
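Review bot: The new GetStudyOrthancIdFromStudyInstanceUID helper (first hunk) walks `response` by array index and reads `response[i]["Type"]` and `response[i]["ID"]` without checking the shape of the lookup answer, so an unexpected non-array or non-object reply from `/tools/lookup` would most likely trip jsoncpp's type assertion inside the authorization path instead of producing a clean ForbiddenAccess; guarding with `if (OrthancPlugins::RestApiPost(response, "/tools/lookup", studyInstanceUID, false) && response.isArray())` and skipping entries where `!response[i].isObject()` keeps the helper fail-closed on malformed input. Both call sites (second and third hunks) now fold a failed REST call and a genuine zero-result lookup into the same "Found 0 orthanc studies" message, which is still fail-closed but drops the distinct diagnostic the removed branches gave, so consider returning the `RestApiPost` result from the helper or logging the failure there. A header comment on the helper would also help a later maintainer understand why the Type filter exists, e.g. `// As the commit title implies, /tools/lookup can also return a Patient whose PatientID equals the StudyInstanceUID; keep only the Study entries so a single study is found.`. ToolsFind, which the second and third hunks patch, starts in the first hunk and its body continues past the end of this section.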