view NEWS @ 165:99bdc05012c0

fix wrong forbidden access to dicom-web resources for users with access to all labels
author Alain Mazy <am@orthanc.team>
date Mon, 29 Apr 2024 12:50:24 +0200
parents 12f23fcf3ba6
children e406ef204e3a

Pending changes in the mainline
===============================

* Fix wrong forbidden access to /dicom-web/studies/../series for users who
  had "authorized_labels" == "*"

2024-03-25 - v 0.7.1
====================

* Added missing parsing of /dicom-web/studies/.../instances
* Clarification: the "authorized_labels" field of the user profile
  is actually a list of authorized study labels.
* tools/find has been updated to take this into account and may
  refuse to perform tools/find at instance or series level if there
  is no StudyInstanceUID in the query.
  This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/..
  on studies that carry at least one of the user's authorized labels.
* The GET argument tokens are now also added as HTTP headers in the query to the
  auth-service (previously this was done only for header tokens).
* The default permissions have been updated to handle /system & /plugins/...


2024-02-16 - v 0.7.0
====================

* Added new default permissions "SINGLE_RESOURCE_PATTERNS" and
  reorganized the permissions accordingly.
  This notably facilitates accessing a single resource with a user token.
  The plugin first checks that the user has the right permissions to access the route
  and then checks whether the study has one of the authorized_labels
  of the user.  This notably improves user token handling outside of OE2,
  e.g. when using an API key.


2023-12-19 - v 0.6.2
====================

* Now handling new GET /tools/create-archive and sibling routes.


2023-11-13 - v 0.6.1
====================

* Updated default "Permissions" configuration to take the "/merge" routes 
  into account.
* Now overriding /tools/find and /tools/labels only if the auth-service
  is providing user profiles ("WebServiceUserProfileUrl" has been configured).


2023-09-18 - v 0.6.0
====================

* Now handling permissions based on labels from a user profile:
  - filter the results of tools/find to grant access only to the
    authorized_labels from the user profile
  - grant access to resources (studies) based on their labels and
    the authorized_labels from the user profile
  - see the https://github.com/orthanc-team/orthanc-auth-service
    sample project for more details
* Added integration tests in the https://orthanc.uclouvain.be/hg/orthanc-tests/
  repository.
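As an added illustration (not the plugin's code, and not the real profile format of the auth-service), the two-step check described for v0.7.0 and v0.6.0: route permission first, then study labels, including the "*" wildcard case fixed in this changeset. The route table, permission names, profile layout and study labels below are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# ASSUMED shapes for illustration only (not the plugin's real configuration
# nor the auth-service's real user profile):
#   profile = {"permissions": [...], "authorized_labels": [...] or ["*"]}
#   ROUTE_PERMISSIONS rows = (HTTP method, regex with study id in group 1, permission)
ROUTE_PERMISSIONS = [
    ("GET", r"^/studies/([^/]+)$", "view"),
    ("DELETE", r"^/studies/([^/]+)$", "delete"),
    ("GET", r"^/dicom-web/studies/([^/]+)/series$", "view"),
]

# Constructed sample of study -> labels, standing in for Orthanc's label store.
STUDY_LABELS: Dict[str, set] = {
    "1.2.3": {"cardio"},
    "4.5.6": {"neuro", "research"},
}

def has_wildcard(authorized_labels: Iterable[str]) -> bool:
    # "*" grants every label; this changeset fixes the case where the
    # wildcard was wrongly refused on /dicom-web/studies/../series.
    return "*" in authorized_labels

def authorize(method: str, route: str, profile: dict) -> Tuple[bool, str]:
    """Step 1: does a permission rule cover the route and does the user hold it?
    Step 2: does the study carry one of the user's authorized_labels?"""
    for rule_method, pattern, permission in ROUTE_PERMISSIONS:
        match = re.match(pattern, route)
        if rule_method == method and match:
            break
    else:
        return False, "no permission rule matches this route"
    if permission not in profile.get("permissions", []):
        return False, f"missing permission '{permission}'"
    study_id = match.group(1)
    labels = profile.get("authorized_labels", [])
    if has_wildcard(labels):
        return True, "wildcard authorized_labels"
    if STUDY_LABELS.get(study_id, set()) & set(labels):
        return True, "study label matches authorized_labels"
    return False, "study carries none of the authorized labels"

def filter_find_results(study_ids: List[str], profile: dict) -> List[str]:
    """Mimics the tools/find filtering: keep only studies the user may see."""
    labels = set(profile.get("authorized_labels", []))
    if has_wildcard(labels):
        return list(study_ids)
    return [s for s in study_ids if STUDY_LABELS.get(s, set()) & labels]
```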


2023-06-21 - v 0.5.3
====================

* New standard configuration "ohif"
* new default permissions for labels
* Fix parsing of dicom-web/studies/../series/../instances/../bulk/.. routes


2023-05-15 - v 0.5.2
====================

* Fix standard configuration "orthanc-explorer-2": consider the "token"
  GET arguments


2023-04-15 - v 0.5.1
====================

* Added a default permission for /tools/bulk-delete
* Added a default permission for /changes
* Added a default permission for /auth/tokens/ohif-viewer-publication
* QIDO-RS now supports named tags in GET arguments


2023-03-17 - v 0.5.0
====================

* BREAKING-CHANGE: the API between the authorization plugin and the
  WebService has slightly changed.  Check the samples in the README (TODO).
  - "identifier" has been renamed to "server-id"
* new user-permission-based authorization model.  This is enabled if you
  define the new "WebServiceUserProfileUrl" configuration.
* new "orthanc-explorer-2" StandardConfigurations
* new GET "auth/user/profile" REST API route to retrieve user permissions
* new PUT "auth/tokens/{token-type}" REST API route to create tokens
* new POST "auth/tokens/decode" REST API route to decode tokens
* these 3 new routes require an updated auth-web-service.
* SECURITY FIX: in prior versions, it was possible to browse remote
  dicom-web servers without being authenticated.  (The API routes
  /dicom-web/servers/.../studies were unprotected).  The local
  dicom-web server was correctly protected.


2022-11-16 - v 0.4.1
====================

* fix: GET argument values were transformed to lower case
* the "osimis-web-viewer" StandardConfigurations now take into account
  the "token" GET argument used when downloading a study from the UI

2022-11-10 - v 0.4.0
====================

* new configuration option "CheckedLevel" that is clearer than "UncheckedLevels".
  "UncheckedLevels" remains for backward compatibility.
  Allowed values: "patients", "studies", "series", "instances"
* new configuration option "StandardConfigurations" to replace multiple configurations.
  Allowed values: "osimis-web-viewer", "stone-webviewer"
* added support for QIDO-RS query arguments (e.g: /dicom-web/studies?0020000D=1.2.3&...)
* possible BREAKING_CHANGE: if "TokenHttpHeaders" is set to "Authorization" and if
  "WebServiceUsername" is defined, the "Authorization" header of the HTTP request
  sent to the auth-service will contain the basic auth info from WebServiceUsername and 
  WebServicePassword.  You should get the "Authorization" value from the token-value field
  of the payload sent to the auth-service.

2022-09-26 - v 0.3.0
====================

* Added 3 new configurations: WebServiceUsername, WebServicePassword, WebServiceIdentifier.
* The WebServiceIdentifier is now included in the payload sent to the WebService as the 
  "identifier" field.


2022-05-13 - v 0.2.5
====================

* Fix osimis-viewer route


2020-12-10 - v 0.2.4
====================

* Added support for Osimis Web Viewer new route (osimis-viewer/custom-command/)
* Support of dynamic linking against the system-wide Orthanc framework library


2018-08-13 - v 0.2.3
====================

* Compatibility with Linux Standard Base
* Now using the Orthanc framework


2018-07-19 - v 0.2.2
====================

* Added automated build


2018-03-09 - v 0.2.1
====================

* Upgraded SDK to 1.3.1


2018-03-08 - v 0.2.0
====================

* Added support for Osimis Web Viewer


2017-03-22
==========

* Initial release