changeset 196:55760c465c3a

Fix wrong access check for POST /instances, which was treated as a resource-list request
author Alain Mazy <am@orthanc.team>
date Mon, 24 Jun 2024 18:28:16 +0200
parents 2f1e872e8eaa
children b61949537444 7099d59de4dd
files NEWS Plugin/Plugin.cpp
diffstat 2 files changed, 4 insertions(+), 2 deletions(-) [+]
--- a/NEWS	Fri Jun 14 16:31:58 2024 +0200
+++ b/NEWS	Mon Jun 24 18:28:16 2024 +0200
@@ -6,6 +6,7 @@
   - new API routes:
     - /auth/settings/roles (GET/PUT)
     - /auth/settings/permissions (GET)
+* Fix wrong access to POST /instances that was considered as a resource list.
 
 
 2024-05-16 - v 0.7.2
--- a/Plugin/Plugin.cpp	Fri Jun 14 16:31:58 2024 +0200
+++ b/Plugin/Plugin.cpp	Mon Jun 24 18:28:16 2024 +0200
@@ -149,6 +149,7 @@
 
 static bool CheckAuthorizedLabelsForResource(bool& granted,
                                              const std::string& uri,
+                                             OrthancPluginHttpMethod method,
                                              const OrthancPlugins::AssociativeArray& getArguments,
                                              const OrthancPlugins::IAuthorizationService::UserProfile& profile)
 {
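Review bot: The new `method` parameter on L28 is undocumented and the helper has no header comment, yet its result now depends on the HTTP verb as well as the URI, which is the kind of rule a later reader will not guess from the name. A short comment above the signature would pin the contract, e.g. `// Returns true when labels could be evaluated for `uri`; `granted` then says whether the user's authorized labels allow the request. `method` is needed because the list-of-resources rule applies to GET only (a POST to /instances is an upload, not a listing).` The body of CheckAuthorizedLabelsForResource continues outside this hunk.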
@@ -171,7 +172,7 @@
       return false;  // Unable to parse this URI, we could not check labels
     }
 
-    if (authorizationParser_->IsListOfResources(uri))
+    if (authorizationParser_->IsListOfResources(uri) && method == OrthancPluginHttpMethod_Get)
     {
       granted = false;  // if a user does not have access to all labels, he can not have access to a list of resources
       return true; // we could check labels
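Review bot: The condition on L37 exempts every non-GET method from the list-of-resources denial, which is broader than the POST /instances upload named in the commit message; a PUT or DELETE on a list URI now skips the unconditional `granted = false` and falls through to the per-resource label check further down, whose behaviour for a URI that names no single resource is not visible here (the function continues past this hunk). If the upload route is the only intended exception, narrowing the exemption keeps deny-by-default for the other verbs: `if (authorizationParser_->IsListOfResources(uri) && method != OrthancPluginHttpMethod_Post)`. Whichever form is kept, the reason the verb matters deserves a comment on that line, e.g. `// a POST to a list URI (e.g. /instances) creates a resource rather than listing them, so the listing rule does not apply`, so the check is not re-tightened by accident later.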
@@ -360,7 +361,7 @@
               msg = std::string("Testing whether user has the authorized_labels to access '") + uri + "' based on the HTTP header '" + authTokens[i].GetToken().GetKey() + "'";
 
               bool hasAuthorizedLabelsForResource = false;
-              if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, getArguments, profile))
+              if (CheckAuthorizedLabelsForResource(hasAuthorizedLabelsForResource, uri, method, getArguments, profile))
               {
                 if (hasAuthorizedLabelsForResource)
                 {