# HG changeset patch
# User Alain Mazy
# Date 1714387824 -7200
# Node ID 99bdc05012c04f9cccc1271f730053f2a2f8faaa
# Parent 4f5c7acb626ffbf79bdd9bf5402823227c2d77e4
fix wrong forbidden access to dicom-web resources for users with access to all labels
diff -r 4f5c7acb626f -r 99bdc05012c0 NEWS
--- a/NEWS Thu Apr 25 15:30:24 2024 +0200
+++ b/NEWS Mon Apr 29 12:50:24 2024 +0200
@@ -1,6 +1,8 @@
 Pending changes in the mainline
 ===============================
+* Fix wrong forbidden access to /dicom-web/studies/../series for users who
+ had "authorized_labels"=="*"
 2024-03-25 - v 0.7.1
 ====================
diff -r 4f5c7acb626f -r 99bdc05012c0 Plugin/Plugin.cpp
--- a/Plugin/Plugin.cpp Thu Apr 25 15:30:24 2024 +0200
+++ b/Plugin/Plugin.cpp Mon Apr 29 12:50:24 2024 +0200
@@ -707,12 +707,13 @@
 {
 std::string studyInstanceUID;
- if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+ if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels
 {
- throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
- }
- else
- {
+ if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+ {
+ throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
+ }
+ // since this is a series/instance find, make sure the user has access to the parent study
 Json::Value studyOrthancIds;
 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
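Review bot: When `HasAccessToAllLabels(profile)` is true, the new outer `if` in Plugin/Plugin.cpp skips everything visible in this block, including the parent-study check that starts with the `/tools/lookup` call, so authorization for series/instance finds on that path rests entirely on a helper defined outside the hunk. It is worth confirming that the helper returns true only for an explicit `"*"` in `authorized_labels` and never for an empty or missing list, and recording that next to the condition, e.g. `// HasAccessToAllLabels() must be true only for an explicit "*"; an empty or missing label list must not take this fast path`. The exception text also no longer matches the control flow: the throw is now reached only when the user lacks all-label access and the query has no StudyInstanceUID, so the wording `... or when there is no StudyInstanceUID in the query.` would read more accurately as `... and there is no StudyInstanceUID in the query.`. The enclosing block begins before and closes after the hunk, so the placement of the outer `if`'s closing brace cannot be checked from here.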