# HG changeset patch
# User Alain Mazy
# Date 1744908005 -7200
# Node ID 83bf8300092884e36b315577b9a0dd839cb5c869
# Parent add4f4c0cf7ef16a907d7b7369d0b06df4c1d475
return [] on GET /dicom-web/studies with a resource token
diff -r add4f4c0cf7e -r 83bf83000928 NEWS
--- a/NEWS Thu Apr 17 18:21:40 2025 +0200
+++ b/NEWS Thu Apr 17 18:40:05 2025 +0200
@@ -1,6 +1,10 @@
 Pending changes
 ===============
+* When calling /dicom-web/studies with a resource token when no StudyInstanceUID
+ is specified in the query args, the plugin now returns an empty list of resources
+ instead of returning a 403. This notably prevents OHIF to display errors when requesting
+ prior studies while still preserving the security since no resources are returned.
 * Added support for /dicom-web/studies/../thumbnail.
diff -r add4f4c0cf7e -r 83bf83000928 Plugin/Plugin.cpp
--- a/Plugin/Plugin.cpp Thu Apr 17 18:21:40 2025 +0200
+++ b/Plugin/Plugin.cpp Thu Apr 17 18:40:05 2025 +0200
@@ -426,6 +426,14 @@
 {
 return 1;
 }
+
+ // Calling one of this "search" uri with a resource-token is authorized (since we override these routes in this plugin) but
+ // the results will be empty. We want to avoid 403 errors in OHIF when requesting prior studies.
+ // TODO: In the future, we shall be able to return the studies that are authorized by the resource-token.
+ if (strcmp(uri, "/dicom-web/studies") == 0 && method == OrthancPluginHttpMethod_Get)
+ {
+ return 1;
+ }
 }
 // By default, forbid access to all the resources 
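Review bot: The added early `return 1` for GET /dicom-web/studies tests only the URI and the HTTP method — nothing in the new condition inspects the token — so the confidentiality of this search route now rests entirely on the overridden handler in this plugin answering an empty list when the query carries no StudyInstanceUID. That is a security-critical coupling between two distant places in the file and should be spelled out where the grant is made, e.g. `// SECURITY: this grant is only safe because this plugin overrides /dicom-web/studies and answers [] when no StudyInstanceUID is given; if that override is removed or bypassed, this request would reach the router with no authorization check from this plugin.` The exact `strcmp` match also means a trailing slash or a DICOMweb root configured to something other than `/dicom-web` will fall through to the default forbid below — if that is intended, say so in the comment, since a future "fix" to broaden the match would widen the bypass. The enclosing function starts outside the hunk, so I cannot confirm from here that this branch is reached only when a resource token is present, as the comment implies; also `one of this "search" uri` should read `one of these "search" URIs`.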
@@ -808,10 +816,17 @@
 // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata
 // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service
- // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to
+ // If there is no StudyInstanceUID, then, return an empty list
 if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
 {
- throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
+ // If there is no StudyInstaceUID, this might still be a call to /dicom-web/studies?PatientID=... e.g. from OHIF
+ // in this case, let's return an empty list. TODO: in the future, we may get the StudyInstanceUIDs from the resource token and
+ // "add" &StudyInstanceUID=1.2|1.3|1.4 in the query if there are multiple studies in the resource token
+ Json::Value emptyArray = Json::arrayValue;
+ OrthancPlugins::AnswerJson(emptyArray, output);
+ return;
+
+ // old code prior to 0.9.2: throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query.");
 }
 std::vector studyOrthancIds;
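Review bot: The empty-list answer is sent before any token validation and regardless of which route reached this branch, so the change is broader than the NEWS entry describes if this code path also serves other find-style requests (the old error message speaks of tools/find); the enclosing function starts outside the hunk, so I cannot confirm what else lands here. It is sound for confidentiality, since no resource is returned, but callers can no longer distinguish "forbidden" from "no match", and that trade-off deserves a sentence in the comment. The `// old code prior to 0.9.2: throw ...` line after `return;` is unreachable dead text that version control already preserves; drop it and state the intent instead: `// Deliberately not a 403: with a resource token and no StudyInstanceUID we cannot name the resource, so answer an empty list (OHIF prior-study searches) rather than an error. Token validation still happens below when a StudyInstanceUID is present.` Also `StudyInstaceUID` in the new comment should be `StudyInstanceUID`.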