Mercurial > hg > orthanc-authorization

diff Plugin/DefaultAuthorizationParser.cpp @ 77:94a9484d7f8f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix security issues allowing to browse remote dicom servers + introduced UnitTests
author Alain Mazy <am@osimis.io>
date Wed, 15 Mar 2023 16:36:42 +0100
parents 1a13c4fbc9a1
children 0ffad746a16b
line wrap: on
line diff
--- a/Plugin/DefaultAuthorizationParser.cpp	Thu Mar 09 14:37:52 2023 +0100
+++ b/Plugin/DefaultAuthorizationParser.cpp	Wed Mar 15 16:36:42 2023 +0100
@@ -50,7 +50,7 @@
       "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$");
 
     dicomWebQidoRsFind_ = boost::regex(
-      "^" + tmp + "/(studies|series|instances)\?(.*)$");
+      "^" + tmp + "/(studies|series|instances)$");
   }
 
 
@@ -134,40 +134,46 @@
     }
     else if (boost::regex_match(uri, what, dicomWebQidoRsFind_))
     {
-      std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid;
+      std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid, patientId;
 
       studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", "");
       seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", "");
       sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", "");
+      patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100010", "");
 
       if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty())
       {
         AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid);
+        return true;
       }
       else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty())
       {
         AddDicomSeries(target, studyInstanceUid, seriesInstanceUid);
+        return true;
       }
       else if (!studyInstanceUid.empty())
       {
         AddDicomStudy(target, studyInstanceUid);
+        return true;
       }
-      return true;
+      else if (!patientId.empty())
+      {
+        AddDicomPatient(target, patientId);
+        return true;
+      }
     }
-    else
-    {
-      // Unknown type of resource: Consider it as a system access
+
+    // Unknown type of resource: Consider it as a system access
 
-      // Remove the trailing slashes if need be
-      std::string s = uri;
-      while (!s.empty() &&
-             s[s.length() - 1] == '/')
-      {
-        s = s.substr(0, s.length() - 1);
-      }
-          
-      target.push_back(AccessedResource(AccessLevel_System, s, ""));
-      return true;
-    }        
+    // Remove the trailing slashes if need be
+    std::string s = uri;
+    while (!s.empty() &&
+            s[s.length() - 1] == '/')
+    {
+      s = s.substr(0, s.length() - 1);
+    }
+        
+    target.push_back(AccessedResource(AccessLevel_System, s, ""));
+    return true;
   }
 }