Mercurial > hg > orthanc-authorization
comparison Plugin/Plugin.cpp @ 202:3c56c3f0059a default tip
Fix forbidden access when the PatientID and StudyInstanceUID are identical
| author | Alain Mazy <am@orthanc.team> |
|---|---|
| date | Mon, 23 Sep 2024 12:43:33 +0200 |
| parents | 21abcb97ff3c |
| children |
comparison
equal
deleted
inserted
replaced
| 201:8c79c3b026ce | 202:3c56c3f0059a |
|---|---|
| 669 } | 669 } |
| 670 | 670 |
| 671 return true; | 671 return true; |
| 672 } | 672 } |
| 673 | 673 |
| 674 void GetStudyOrthancIdFromStudyInstanceUID(std::vector<std::string>& studyOrthancIds, const std::string& studyInstanceUID) | |
| 675 { | |
| 676 studyOrthancIds.clear(); | |
| 677 Json::Value response; | |
| 678 if (OrthancPlugins::RestApiPost(response, "/tools/lookup", studyInstanceUID, false)) | |
| 679 { | |
| 680 for (Json::ArrayIndex i = 0; i < response.size(); ++i) | |
| 681 { | |
| 682 if (response[i]["Type"] == "Study") | |
| 683 { | |
| 684 studyOrthancIds.push_back(response[i]["ID"].asString()); | |
| 685 } | |
| 686 } | |
| 687 } | |
| 688 } | |
| 689 | |
| 674 void ToolsFind(OrthancPluginRestOutput* output, | 690 void ToolsFind(OrthancPluginRestOutput* output, |
| 675 const char* /*url*/, | 691 const char* /*url*/, |
| 676 const OrthancPluginHttpRequest* request) | 692 const OrthancPluginHttpRequest* request) |
| 677 { | 693 { |
| 678 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); | 694 OrthancPluginContext* context = OrthancPlugins::GetGlobalContext(); |
| 717 { | 733 { |
| 718 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); | 734 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); |
| 719 } | 735 } |
| 720 | 736 |
| 721 // since this is a series/instance find, make sure the user has access to the parent study | 737 // since this is a series/instance find, make sure the user has access to the parent study |
| 722 Json::Value studyOrthancIds; | 738 std::vector<std::string> studyOrthancIds; |
| 723 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) | 739 GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID); |
| 724 { | 740 |
| 725 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query."); | 741 if (studyOrthancIds.size() != 1) |
| 726 } | |
| 727 else if (studyOrthancIds.size() != 1) | |
| 728 { | 742 { |
| 729 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | 743 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); |
| 730 } | 744 } |
| 731 | 745 |
| 732 bool granted = false; | 746 bool granted = false; |
| 755 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) | 769 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) |
| 756 { | 770 { |
| 757 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); | 771 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); |
| 758 } | 772 } |
| 759 | 773 |
| 760 Json::Value studyOrthancIds; | 774 std::vector<std::string> studyOrthancIds; |
| 761 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false)) | 775 GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID); |
| 762 { | 776 |
| 763 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query."); | 777 if (studyOrthancIds.size() != 1) |
| 764 } | |
| 765 else if (studyOrthancIds.size() != 1) | |
| 766 { | 778 { |
| 767 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); | 779 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast<std::string>(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID"); |
| 768 } | 780 } |
| 769 | 781 |
| 770 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request | 782 std::vector<TokenAndValue> authTokens; // the tokens that are set in this request |
| 771 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); | 783 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); |
| 772 | 784 |
| 773 std::set<std::string> labels; | 785 std::set<std::string> labels; |
| 774 OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0]["ID"].asString(), studyInstanceUID, labels); | 786 OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0], studyInstanceUID, labels); |
| 775 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) | 787 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource)) |
| 776 { | 788 { |
| 777 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); | 789 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query."); |
| 778 } | 790 } |
| 779 | 791 |