diff Plugin/Plugin.cpp @ 165:99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 29 Apr 2024 12:50:24 +0200 |
parents | 4f5c7acb626f |
children | 3c99bb6fd309 |
--- a/Plugin/Plugin.cpp Thu Apr 25 15:30:24 2024 +0200 +++ b/Plugin/Plugin.cpp Mon Apr 29 12:50:24 2024 +0200 @@ -707,12 +707,13 @@ { std::string studyInstanceUID; - if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); - } - else - { + if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + { + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); + } + // since this is a series/instance find, make sure the user has access to the parent study Json::Value studyOrthancIds; if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
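Review bot: The exception text in the new inner `if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))` branch no longer matches the condition that raises it. After this change the throw is reached only when the user lacks access to all labels and the query carries no StudyInstanceUID, yet the message still says "... or when there is no StudyInstanceUID in the query". A wording such as `"Auth plugin: tools/find at Series or Instance level requires a StudyInstanceUID in the query when the user does not have access to ALL labels."` would tell an operator reading the forbidden-access error what to change. Separately, the outer `if (!HasAccessToAllLabels(profile))` is now the only gate in front of the parent-study check, so this path relies on HasAccessToAllLabels() returning false for an empty or unresolved profile; its definition is not in the hunk, so that is worth confirming and covering with a test for both branches. The enclosing block starts and ends outside the hunk.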