orthanc-authorization: changeset 229:83bf83000928
return [] on GET /dicom-web/studies with a resource token
| author | Alain Mazy <am@orthanc.team> |
|---|---|
| date | Thu, 17 Apr 2025 18:40:05 +0200 |
| parents | add4f4c0cf7e |
| children | dc8035ecabc6 |
| files | NEWS Plugin/Plugin.cpp |
| diffstat | 2 files changed, 21 insertions(+), 2 deletions(-) |
--- a/NEWS Thu Apr 17 18:21:40 2025 +0200 +++ b/NEWS Thu Apr 17 18:40:05 2025 +0200 @@ -1,6 +1,10 @@ Pending changes =============== +* When calling /dicom-web/studies with a resource token when no StudyInstanceUID + is specified in the query args, the plugin now returns an empty list of resources + instead of returning a 403. This notably prevents OHIF to display errors when requesting + prior studies while still preserving the security since no resources are returned. * Added support for /dicom-web/studies/../thumbnail.
--- a/Plugin/Plugin.cpp Thu Apr 17 18:21:40 2025 +0200 +++ b/Plugin/Plugin.cpp Thu Apr 17 18:40:05 2025 +0200 @@ -426,6 +426,14 @@ { return 1; } + + // Calling one of this "search" uri with a resource-token is authorized (since we override these routes in this plugin) but + // the results will be empty. We want to avoid 403 errors in OHIF when requesting prior studies. + // TODO: In the future, we shall be able to return the studies that are authorized by the resource-token. + if (strcmp(uri, "/dicom-web/studies") == 0 && method == OrthancPluginHttpMethod_Get) + { + return 1; + } } // By default, forbid access to all the resources 
@@ -808,10 +816,17 @@ // If anonymous user profile, it might be a resource token e.g accessing /dicom-web/studies/.../metadata // -> extract the StudyInstanceUID from the query and send the token for validation to the auth-service - // If there is no StudyInstanceUID, then, return a 403 because we don't know what resource it relates to + // If there is no StudyInstanceUID, then, return an empty list if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); + // If there is no StudyInstaceUID, this might still be a call to /dicom-web/studies?PatientID=... e.g. from OHIF + // in this case, let's return an empty list. TODO: in the future, we may get the StudyInstanceUIDs from the resource token and + // "add" &StudyInstanceUID=1.2|1.3|1.4 in the query if there are multiple studies in the resource token + Json::Value emptyArray = Json::arrayValue; + OrthancPlugins::AnswerJson(emptyArray, output); + return; + + // old code prior to 0.9.2: throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find when the user does not have access to any labels and if there is no StudyInstanceUID in the query."); } std::vector<std::string> studyOrthancIds;
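Review bot: the NEWS entry should state explicitly that the observable response for GET /dicom-web/studies with a resource token and no StudyInstanceUID changes from a 403 to a 200 with an empty JSON array, because deployments that alert on 403s from this route will stop seeing those events after upgrading; the phrase "prevents OHIF to display errors" should also read "prevents OHIF from displaying errors".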
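Review bot: in the Plugin.cpp hunk at line 426, the new early `return 1` for `GET /dicom-web/studies` grants access unconditionally, and its safety rests entirely on the comment's assumption that this plugin overrides the route so the result is empty; nothing in the condition checks that coupling. Suggest guarding it (return 1 only when the override handler is actually registered) or at least documenting the dependency next to the route registration, so that a later change removing or reordering the override does not silently turn this into an unrestricted study listing. The exact `strcmp` match is worth a comment too: variants such as `/dicom-web/studies/` still fall through to the default forbid, which is the safe direction and should not be "fixed" by loosening the match.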
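Review bot: in the Plugin.cpp hunk at line 808, the empty-array answer is sent before the token is validated against the auth-service (the flow described in the surrounding comment), so a query without StudyInstanceUID now returns 200 `[]` even when the presented resource token is invalid or expired, and the auth-service never sees the attempt; the data outcome is still safe, but consider validating the token first, or logging the short-circuit, so that misuse of tokens stays visible. Also remove the commented-out `throw` left after `return;` (the changeset history preserves the old code) and fix the typo `StudyInstaceUID` in the new comment.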