# HG changeset patch
# User Alain Mazy
# Date 1727088213 -7200
# Node ID 3c56c3f0059a40b2ab5ef958f8fc78c5b0bfd05e
# Parent 8c79c3b026ce4261d9ce18905a54767d8062c24b
Fix forbidden access when the PatientID and StudyInstanceUID are identical
diff -r 8c79c3b026ce -r 3c56c3f0059a NEWS
--- a/NEWS Wed Jul 03 09:00:01 2024 +0200
+++ b/NEWS Mon Sep 23 12:43:33 2024 +0200
@@ -1,3 +1,9 @@
+Pending changes in the mainline
+===============================
+
+* Fix forbidden access when the PatientID and StudyInstanceUID are identical.
+
+
 2024-07-03 - v 0.8.1
 ====================
diff -r 8c79c3b026ce -r 3c56c3f0059a Plugin/Plugin.cpp
--- a/Plugin/Plugin.cpp Wed Jul 03 09:00:01 2024 +0200
+++ b/Plugin/Plugin.cpp Mon Sep 23 12:43:33 2024 +0200
@@ -671,6 +671,22 @@
 return true;
 }
+void GetStudyOrthancIdFromStudyInstanceUID(std::vector& studyOrthancIds, const std::string& studyInstanceUID)
+{
+ studyOrthancIds.clear();
+ Json::Value response;
+ if (OrthancPlugins::RestApiPost(response, "/tools/lookup", studyInstanceUID, false))
+ {
+ for (Json::ArrayIndex i = 0; i < response.size(); ++i)
+ {
+ if (response[i]["Type"] == "Study")
+ {
+ studyOrthancIds.push_back(response[i]["ID"].asString());
+ }
+ }
+ }
+}
+
 void ToolsFind(OrthancPluginRestOutput* output, const char* /*url*/, const OrthancPluginHttpRequest* request)
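Review bot: GetStudyOrthancIdFromStudyInstanceUID drops the result of `OrthancPlugins::RestApiPost` and leaves the vector empty when the lookup fails, so callers cannot tell a failed lookup from an unknown StudyInstanceUID. Both call sites in this patch (the hunks at new lines 735 and 771) refuse access whenever the size is not 1, so the path stays fail-closed. Nothing on the helper states that contract, though, and a later caller that merely iterates the vector could read an empty result as "nothing to check". I would add a header comment such as `// Fills studyOrthancIds with the Orthanc IDs of the studies matching studyInstanceUID (a patient with the same identifier is skipped); left empty if the lookup fails, so callers must deny access on an empty result.` The name is also singular although the helper returns a list.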
@@ -719,12 +735,10 @@
 }
 // since this is a series/instance find, make sure the user has access to the parent study
- Json::Value studyOrthancIds;
- if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
- {
- throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
- }
- else if (studyOrthancIds.size() != 1)
+ std::vector studyOrthancIds;
+ GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID);
+
+ if (studyOrthancIds.size() != 1)
 {
 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find at Series or Instance level, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID");
 }
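Review bot: The `throw` kept as context here puts the number of matching studies into the exception text ("Found N orthanc studies with this StudyInstanceUID"), and it runs before any access decision visible in this hunk. If exception details are returned in the HTTP error body (not visible from here), a requester without access can tell an unknown StudyInstanceUID from one that exists and is refused further down with a different message. Consider throwing one fixed message for every refusal on this path and writing the count to the server log instead. The same applies to the matching `throw` in the hunk at new line 771. The enclosing function starts and ends outside the hunk.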
@@ -757,12 +771,10 @@
 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
 }
- Json::Value studyOrthancIds;
- if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
- {
- throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query.");
- }
- else if (studyOrthancIds.size() != 1)
+ std::vector studyOrthancIds;
+ GetStudyOrthancIdFromStudyInstanceUID(studyOrthancIds, studyInstanceUID);
+
+ if (studyOrthancIds.size() != 1)
 {
 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, unable to get the orthanc ID of StudyInstanceUID specified in the query. Found " + boost::lexical_cast(studyOrthancIds.size()) + " orthanc studies with this StudyInstanceUID");
 }
@@ -771,7 +783,7 @@
 GetAuthTokens(authTokens, request->headersCount, request->headersKeys, request->headersValues, request->getCount, request->getKeys, request->getValues); std::set labels;
- OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0]["ID"].asString(), studyInstanceUID, labels);
+ OrthancPlugins::AccessedResource accessedResource(Orthanc::ResourceType_Study, studyOrthancIds[0], studyInstanceUID, labels);
 if (!IsResourceAccessGranted(authTokens, request->method, accessedResource))
 {
 throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: when using tools/find with a resource token, the resource must grant access to the StudyInstanceUID specified in the query.");