# HG changeset patch
# User Alain Mazy
# Date 1714387852 -7200
# Node ID 3c99bb6fd30949b4eeff6fd15093eda5c8abb3ae
# Parent 99bdc05012c04f9cccc1271f730053f2a2f8faaa
# Parent a1fbf3f982f8726abeb68122f16262693a389665
merge
diff -r a1fbf3f982f8 -r 3c99bb6fd309 NEWS
--- a/NEWS Fri Apr 26 17:27:13 2024 +0200
+++ b/NEWS Mon Apr 29 12:50:52 2024 +0200
@@ -1,6 +1,8 @@
 Pending changes in the mainline
 ===============================
+* Fix wrong forbidden access to /dicom-web/studies/../series for users who
+ had "authorized_labels"=="*"
 2024-03-25 - v 0.7.1
 ====================
diff -r a1fbf3f982f8 -r 3c99bb6fd309 Plugin/Plugin.cpp
--- a/Plugin/Plugin.cpp Fri Apr 26 17:27:13 2024 +0200
+++ b/Plugin/Plugin.cpp Mon Apr 29 12:50:52 2024 +0200
@@ -707,12 +707,13 @@
 {
 std::string studyInstanceUID;
- if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+ if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels
 {
- throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
- }
- else
- {
+ if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+ {
+ throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
+ }
+ // since this is a series/instance find, make sure the user has access to the parent study
 Json::Value studyOrthancIds;
 if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
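Review bot: The exception text in the inner `if` still says the call is refused "when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query", but with the new nesting it is thrown only when both conditions hold, so the 403 gives a misleading cause; the tail could read `...when the user does not have access to ALL labels and there is no StudyInstanceUID in the query.` The all-labels path now skips the parent-study lookup entirely, so the authorization result for Series/Instance finds rests on `HasAccessToAllLabels(profile)` alone. The trailing comment would state that more clearly as `// users with access to all labels need no per-study check; everyone else must name a StudyInstanceUID`. `std::string studyInstanceUID;` is now used only inside that block and could be declared there. The enclosing block continues past the end of the hunk, so the rest of the restricted-user path is not visible here.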