diff Plugin/Plugin.cpp @ 196:55760c465c3a

Fix wrong access to POST /instances that was considered as a resource list
author Alain Mazy <am@orthanc.team>
date Mon, 24 Jun 2024 18:28:16 +0200
parents 2f1e872e8eaa
children 21abcb97ff3c
--- a/Plugin/Plugin.cpp	Fri Jun 14 16:31:58 2024 +0200
+++ b/Plugin/Plugin.cpp	Mon Jun 24 18:28:16 2024 +0200
@@ -149,6 +149,7 @@
 
 static bool CheckAuthorizedLabelsForResource(bool& granted,
                                              const std::string& uri,
+                                             OrthancPluginHttpMethod method,
                                              const OrthancPlugins::AssociativeArray& getArguments,
                                              const OrthancPlugins::IAuthorizationService::UserProfile& profile)
 {
@@ -171,7 +172,7 @@
       return false;  // Unable to parse this URI, we could not check labels
     }
 
-    if (authorizationParser_->IsListOfResources(uri))
+    if (authorizationParser_->IsListOfResources(uri) && method == OrthancPluginHttpMethod_Get)
     {
       granted = false;  // if a user does not have access to all labels, he can not have access to a list of resources
       return true; // we could check labels
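Review bot: The added `method == OrthancPluginHttpMethod_Get` test exempts every non-GET method on a list-of-resources URI from this deny branch, which is wider than the `POST /instances` case named in the commit message. PUT, DELETE and POST to any URI matched by `IsListOfResources` now fall through to the code after this block. That code is outside the hunk, so it should be confirmed that it leaves `granted` false for a label-restricted user unless the request is explicitly allowed. If only the upload is meant to pass, the narrower form `if (authorizationParser_->IsListOfResources(uri) && !(method == OrthancPluginHttpMethod_Post && uri == "/instances"))` keeps deny-by-default, assuming the URI is normalised to that exact string at this point. Either way, a comment such as `// only GET enumerates resources; other methods on these URIs are decided by the checks below` would record the intent, and a regression test with a label-restricted profile issuing non-GET requests on list URIs would pin it.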
@@ -360,7 +361,7 @@
               msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'";
 
               bool hasAuthorizedLabelsForResource = false;
-              if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile))
+              if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, method, getArguments, profile))
               {
                 if (hasAuthorizedLabelsForResource)
                 {