changeset 196:55760c465c3a
Fix wrong access to POST /instances that was considered as a resource list
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 24 Jun 2024 18:28:16 +0200 |
parents | 2f1e872e8eaa |
children | b61949537444 7099d59de4dd |
files | NEWS Plugin/Plugin.cpp |
diffstat | 2 files changed, 4 insertions(+), 2 deletions(-) [+] |
--- a/NEWS Fri Jun 14 16:31:58 2024 +0200 +++ b/NEWS Mon Jun 24 18:28:16 2024 +0200 @@ -6,6 +6,7 @@ - new API routes: - /auth/settings/roles (GET/PUT) - /auth/settings/permissions (GET) +* Fix wrong access to POST /instances that was considered as a resource list. 2024-05-16 - v 0.7.2
--- a/Plugin/Plugin.cpp Fri Jun 14 16:31:58 2024 +0200 +++ b/Plugin/Plugin.cpp Mon Jun 24 18:28:16 2024 +0200 @@ -149,6 +149,7 @@ static bool CheckAuthorizedLabelsForResource(bool& granted, const std::string& uri, + OrthancPluginHttpMethod method, const OrthancPlugins::AssociativeArray& getArguments, const OrthancPlugins::IAuthorizationService::UserProfile& profile) { @@ -171,7 +172,7 @@ return false; // Unable to parse this URI, we could not check labels } - if (authorizationParser_->IsListOfResources(uri)) + if (authorizationParser_->IsListOfResources(uri) && method == OrthancPluginHttpMethod_Get) { granted = false; // if a user does not have access to all labels, he can not have access to a list of resources return true; // we could check labels @@ -360,7 +361,7 @@ msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'"; bool hasAuthorizedLabelsForResource = false; - if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile)) + if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, method, getArguments, profile)) { if (hasAuthorizedLabelsForResource) {
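Review bot: The narrowed condition in the second Plugin.cpp hunk, `IsListOfResources(uri) && method == OrthancPluginHttpMethod_Get`, exempts every non-GET method from the list denial, not only the POST named in the commit title. PUT and DELETE requests on a list URI now fall through to the rest of CheckAuthorizedLabelsForResource, which lies outside the hunk, so it cannot be confirmed from here that they are still refused for a profile without access to all labels. If only POST is meant to pass, the fail-closed form `if (authorizationParser_->IsListOfResources(uri) && method != OrthancPluginHttpMethod_Post)` keeps denial as the default; either way a comment such as `// only GET on a list URI is a listing; POST /instances must not be treated as one` would record the intent. A regression test exercising GET, POST, PUT and DELETE on a list URI with a label-restricted profile would pin the decision for each method.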