view NEWS @ 165:99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
author: Alain Mazy <am@orthanc.team>
date: Mon, 29 Apr 2024 12:50:24 +0200
parents: 12f23fcf3ba6
children: e406ef204e3a
Pending changes in the mainline
===============================

* Fix wrong forbidden access to /dicom-web/studies/../series for users who had "authorized_labels" == "*"


2024-03-25 - v 0.7.1
====================

* Added missing parsing of /dicom-web/studies/.../instances
* Clarification: the "authorized_labels" field of the user profile is actually a list of study-level authorized labels!
* tools/find has been updated to take this into account and may refuse to perform tools/find at instance or series level if there is no StudyInstanceUID in the query. This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/.. on studies that carry at least one of the user's authorized labels.
* The GET argument tokens are now also added as HTTP headers in the query to the auth-service (this was previously done only for header tokens).
* The default permissions have been updated to handle /system & /plugins/...


2024-02-16 - v 0.7.0
====================

* Added new default permissions "SINGLE_RESOURCE_PATTERNS" and reorganized the permissions accordingly. This notably facilitates accessing a single resource with a user token. The plugin first checks that the user has the right permissions to access the route and then checks whether the study has one of the authorized_labels of the user. This notably improves user token handling outside of OE2, e.g. when using an api-key.


2023-12-19 - v 0.6.2
====================

* Now handling the new GET /tools/create-archive and sibling routes.


2023-11-13 - v 0.6.1
====================

* Updated the default "Permissions" configuration to take the "/merge" routes into account.
* Now overriding /tools/find and /tools/labels only if the auth-service provides user profiles ("WebServiceUserProfileUrl" has been configured).
2023-09-18 - v 0.6.0
====================

* Now handling permissions based on labels from a user profile:
  - filter the results of tools/find to grant access only to the authorized_labels from the user profile
  - grant access to resources (studies) based on their labels and the authorized_labels from the user profile
  - check the https://github.com/orthanc-team/orthanc-auth-service sample project for more details
* Added integration tests in the https://orthanc.uclouvain.be/hg/orthanc-tests/ repository.


2023-06-21 - v 0.5.3
====================

* New standard configuration "ohif"
* New default permissions for labels
* Fix parsing of dicom-web/studies/../series/../instances/../bulk/.. routes


2023-05-15 - v 0.5.2
====================

* Fix standard configuration "orthanc-explorer-2": consider the "token" GET arguments


2023-04-15 - v 0.5.1
====================

* Added a default permission for /tools/bulk-delete
* Added a default permission for /changes
* Added a default permission for /auth/tokens/ohif-viewer-publication
* QIDO-RS now supports named tags in GET arguments


2023-03-17 - v 0.5.0
====================

* BREAKING-CHANGE: the API between the authorization plugin and the WebService has slightly changed. Check the samples in the README (TODO).
  - "identifier" has been renamed to "server-id"
* New user-permission based authorization model. This is enabled if you define the new "WebServiceUserProfileUrl" configuration.
* New "orthanc-explorer-2" StandardConfigurations
* New GET "auth/user/profile" REST API route to retrieve user permissions
* New PUT "auth/tokens/{token-type}" REST API route to create tokens
* New POST "auth/tokens/decode" REST API route to decode tokens
* These 3 new routes require an updated auth-web-service.
* SECURITY FIX: in prior versions, it was possible to browse remote dicom-web servers without being authenticated (the API routes /dicom-web/servers/.../studies were unprotected). The local dicom-web server was correctly protected.
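The two-stage check described in the 0.7.0 entry (route permission first, then study labels against the user's authorized_labels), the study-level find restriction of 0.7.1 and the "*" wildcard fix from the pending changes, modelled together as an added example. This is not code from orthanc-authorization (a C++ plugin) or from orthanc-auth-service: UserProfile, Study, ROUTE_PERMISSIONS, authorize_study, check_find_query and filter_find_results are hypothetical names, and exempting wildcard users from the StudyInstanceUID requirement is an assumption of the model, not something the NEWS states.

```python
"""Model of label-based authorization as described in the 0.6.0 / 0.7.x
entries.  Added example, not the plugin's or the auth-service's code; all
names below are hypothetical."""
from dataclasses import dataclass

WILDCARD = "*"  # "authorized_labels" == "*" grants access to every label


@dataclass(frozen=True)
class UserProfile:
    permissions: frozenset        # route permissions granted by the auth-service
    authorized_labels: frozenset  # study labels the user may access, or {"*"}


@dataclass(frozen=True)
class Study:
    study_uid: str
    labels: frozenset


# Hypothetical route -> required-permission table standing in for the
# plugin's "Permissions" configuration.
ROUTE_PERMISSIONS = {
    "/dicom-web/studies/{study}/series": "view",
    "/tools/find": "view",
}


def has_all_labels(profile):
    return WILDCARD in profile.authorized_labels


def labels_allow(profile, study):
    """Stage 2: the study must carry at least one of the user's authorized
    labels, unless the user has the wildcard."""
    if has_all_labels(profile):
        return True
    return bool(study.labels & profile.authorized_labels)


def labels_allow_literal_wildcard(profile, study):
    """The failure mode behind the pending-changes entry, reconstructed: if
    "*" is compared as a literal label, a "*" user is forbidden every study
    that does not literally carry a label named "*"."""
    return bool(study.labels & profile.authorized_labels)


def authorize_study(profile, route, study, label_check=labels_allow):
    """Stage 1: route permission; stage 2: labels.  Both must pass."""
    required = ROUTE_PERMISSIONS.get(route)
    if required is None or required not in profile.permissions:
        return False
    return label_check(profile, study)


def check_find_query(profile, level, query):
    """0.7.1 rule: authorized_labels are *study* labels, so a series- or
    instance-level find can only be label-checked when the query is scoped
    to a study via StudyInstanceUID; otherwise it is refused.  Treating
    wildcard users as exempt is an assumption of this model."""
    if "view" not in profile.permissions:
        return False
    if has_all_labels(profile):
        return True
    if level in ("Series", "Instance") and "StudyInstanceUID" not in query:
        return False
    return True


def filter_find_results(profile, studies):
    """0.6.0 behaviour: keep only the studies the user's labels allow."""
    return [s for s in studies if labels_allow(profile, s)]


if __name__ == "__main__":
    # Constructed sample data.
    admin = UserProfile(frozenset({"view"}), frozenset({"*"}))
    cardio = UserProfile(frozenset({"view"}), frozenset({"cardio"}))
    studies = [Study("1.2.3", frozenset({"cardio"})), Study("1.2.4", frozenset({"neuro"}))]
    route = "/dicom-web/studies/{study}/series"
    print([authorize_study(admin, route, s) for s in studies])                                  # [True, True]
    print([authorize_study(admin, route, s, labels_allow_literal_wildcard) for s in studies])   # [False, False]
    print([s.study_uid for s in filter_find_results(cardio, studies)])                          # ['1.2.3']
    print(check_find_query(cardio, "Series", {"Modality": "CT"}))                               # False
```

The point a practitioner should take from the model is the ordering: a missing route permission denies before labels are even consulted, and the wildcard has to be handled explicitly rather than as just another label, or an all-labels user ends up with less access than a single-label user.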
2022-11-16 - v 0.4.1
====================

* Fix: GET argument values were transformed to lower case
* The "osimis-web-viewer" StandardConfigurations now take into account the token GET argument used when downloading a study from the UI


2022-11-10 - v 0.4.0
====================

* New configuration option "CheckedLevel" that is clearer than "UncheckedLevels". "UncheckedLevels" remains for backward compatibility. Allowed values: "patients", "studies", "series", "instances"
* New configuration option "StandardConfigurations" to replace multiple configurations. Allowed values: "osimis-web-viewer", "stone-webviewer"
* Added support for QIDO-RS query arguments (e.g. /dicom-web/studies?0020000D=1.2.3&...)
* Possible BREAKING-CHANGE: if "TokenHttpHeaders" is set to "Authorization" and "WebServiceUsername" is defined, the "Authorization" header of the HTTP request sent to the auth-service will contain the basic auth info from WebServiceUsername and WebServicePassword. You should read the "Authorization" value from the token-value field of the payload sent to the auth-service.


2022-09-26 - v 0.3.0
====================

* Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier.
* The WebServiceIdentifier is now included in the payload sent to the WebService as the "identifier" field.


2022-05-13 - v 0.2.5
====================

* Fix osimis-viewer route


2020-12-10 - v 0.2.4
====================

* Added support for the new Osimis Web Viewer route (osimis-viewer/custom-command/)
* Support for dynamic linking against the system-wide Orthanc framework library


2018-08-13 - v 0.2.3
====================

* Compatibility with Linux Standard Base
* Now using the Orthanc framework


2018-07-19 - v 0.2.2
====================

* Added automated build


2018-03-09 - v 0.2.1
====================

* Upgraded SDK to 1.3.1


2018-03-08 - v 0.2.0
====================

* Added support for Osimis Web Viewer


2017-03-22
==========

* Initial release
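The token forwarding behaviour from the 0.4.0 and 0.7.1 entries, as an added example modelling both ends of the exchange: what the plugin sends to the auth-service for each token it finds, and why the auth-service must read the user token from the payload's token-value field rather than from the Authorization header once WebServiceUsername is configured. This is not code from the plugin or from orthanc-auth-service. TokenHttpHeaders, WebServiceUsername, WebServicePassword, WebServiceIdentifier, "server-id" and "token-value" appear in the NEWS; the configuration key "TokenGetArguments", the payload key "token-key" and the function names are assumptions.

```python
"""Model of plugin -> auth-service token forwarding (0.4.0 / 0.7.1 entries).
Added example, not the plugin's or the auth-service's code."""
import base64
import hmac


def basic_auth_header(username, password):
    creds = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_auth_service_requests(config, incoming_headers, get_args):
    """One (headers, payload) pair per token present in the incoming request.
    Since 0.7.1, GET-argument tokens are forwarded as HTTP headers as well."""
    basic = None
    if config.get("WebServiceUsername"):
        basic = basic_auth_header(config["WebServiceUsername"],
                                  config.get("WebServicePassword", ""))
    candidates = [(h, incoming_headers.get(h)) for h in config.get("TokenHttpHeaders", [])]
    # "TokenGetArguments" is an assumed key name for the configured GET arguments.
    candidates += [(g, get_args.get(g)) for g in config.get("TokenGetArguments", [])]
    requests = []
    for key, value in candidates:
        if value is None:
            continue
        headers = {key: value}
        if basic is not None:
            # 0.4.0 caveat: when the token header is itself "Authorization",
            # this overwrites the forwarded token with the plugin's credentials.
            headers["Authorization"] = basic
        payload = {
            "server-id": config.get("WebServiceIdentifier"),
            "token-key": key,      # assumed field name
            "token-value": value,  # the token is always available here
        }
        requests.append((headers, payload))
    return requests


def auth_service_user_token_wrong(headers, payload):
    """Auth-service reading the token from the Authorization header: with
    WebServiceUsername set it gets the plugin's Basic credentials instead."""
    return headers.get("Authorization")


def auth_service_user_token(headers, payload):
    """Auth-service reading the token where the plugin always puts it."""
    return payload["token-value"]


def auth_service_verify_plugin(headers, username, password):
    """Constant-time check that the request really comes from the plugin."""
    expected = basic_auth_header(username, password)
    return hmac.compare_digest(headers.get("Authorization", ""), expected)


if __name__ == "__main__":
    # Constructed configuration and incoming request.
    config = {
        "TokenHttpHeaders": ["Authorization"],
        "TokenGetArguments": ["token"],
        "WebServiceUsername": "orthanc-plugin",
        "WebServicePassword": "changeme",
        "WebServiceIdentifier": "orthanc-a",
    }
    reqs = build_auth_service_requests(config,
                                       {"Authorization": "Bearer user-jwt"},
                                       {"token": "share-123"})
    for headers, payload in reqs:
        print(repr(auth_service_user_token_wrong(headers, payload)),
              "vs", repr(auth_service_user_token(headers, payload)))
```

Running the block shows the collision directly: for the first request the header-based reader returns the plugin's "Basic ..." string while the payload-based reader returns the user's bearer token, and for the GET-argument token both the header and the payload carry it.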