# HG changeset patch
# User Alain Mazy
# Date 1719246496 -7200
# Node ID 55760c465c3a80e3f3251cea8b26586696c7c0f5
# Parent 2f1e872e8eaab2bb111762962a2f52bd921a6632
Fix wrong access to POST /instances that was considered as a resource list
diff -r 2f1e872e8eaa -r 55760c465c3a NEWS
--- a/NEWS Fri Jun 14 16:31:58 2024 +0200
+++ b/NEWS Mon Jun 24 18:28:16 2024 +0200
@@ -6,6 +6,7 @@
 - new API routes:
 - /auth/settings/roles (GET/PUT)
 - /auth/settings/permissions (GET)
+* Fix wrong access to POST /instances that was considered as a resource list.
 2024-05-16 - v 0.7.2
diff -r 2f1e872e8eaa -r 55760c465c3a Plugin/Plugin.cpp
--- a/Plugin/Plugin.cpp Fri Jun 14 16:31:58 2024 +0200
+++ b/Plugin/Plugin.cpp Mon Jun 24 18:28:16 2024 +0200
@@ -149,6 +149,7 @@
 static bool CheckAuthorizedLabelsForResource(bool& granted,
 const std::string& uri,
+ OrthancPluginHttpMethod method,
 const OrthancPlugins::AssociativeArray& getArguments,
 const OrthancPlugins::IAuthorizationService::UserProfile& profile)
 {
@@ -171,7 +172,7 @@
 return false; // Unable to parse this URI, we could not check labels
 }
- if (authorizationParser_->IsListOfResources(uri))
+ if (authorizationParser_->IsListOfResources(uri) && method == OrthancPluginHttpMethod_Get)
 {
 granted = false; // if a user does not have access to all labels, he can not have access to a list of resources
 return true; // we could check labels
@@ -360,7 +361,7 @@
 msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'";
 bool hasAuthorizedLabelsForResource = false;
- if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile))
+ if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, method, getArguments, profile))
 {
 if (hasAuthorizedLabelsForResource)
 {
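Review bot: The new condition in CheckAuthorizedLabelsForResource (hunk at -171) lifts the list-of-resources denial for every method other than GET, which is wider than the POST /instances case named in the commit message. PUT and DELETE on a URI that IsListOfResources matches now also fall through to whatever check follows. Keeping the denial as the default and exempting only the intended method would be narrower: `if (authorizationParser_->IsListOfResources(uri) && method != OrthancPluginHttpMethod_Post)`. The function body continues outside the hunk, so it is not visible here whether the fall-through path grants or denies a URI that carries no resource id. A comment on the condition should state which later check is expected to decide an upload by a user who does not hold all labels.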
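Review bot: The trace string `msg` built just above the changed call (hunk at -360) still names only the URI and the token header, although the result of CheckAuthorizedLabelsForResource now also depends on `method`. Including the HTTP method in that message would let the authorization log tell a denied GET listing apart from an allowed POST on the same URI. The enclosing loop and the place where `msg` is consumed are outside the hunk, so this assumes the string ends up in the plugin's log output.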