changeset 165:99bdc05012c0

fix wrong forbidden access to dicom-web resources for users with access to all labels
author Alain Mazy <am@orthanc.team>
date Mon, 29 Apr 2024 12:50:24 +0200
parents 4f5c7acb626f
children 3c99bb6fd309
files NEWS Plugin/Plugin.cpp
diffstat 2 files changed, 8 insertions(+), 5 deletions(-) [+]
--- a/NEWS	Thu Apr 25 15:30:24 2024 +0200
+++ b/NEWS	Mon Apr 29 12:50:24 2024 +0200
@@ -1,6 +1,8 @@
 Pending changes in the mainline
 ===============================
 
+* Fix wrong forbidden access to /dicom-web/studies/../series for users who 
+  had "authorized_labels"=="*"
 
 2024-03-25 - v 0.7.1
 ====================
--- a/Plugin/Plugin.cpp	Thu Apr 25 15:30:24 2024 +0200
+++ b/Plugin/Plugin.cpp	Mon Apr 29 12:50:24 2024 +0200
@@ -707,12 +707,13 @@
         {
           std::string studyInstanceUID;
 
-          if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+          if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels
           {
-            throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
-          }
-          else
-          {
+            if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))
+            {
+              throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query.");
+            }
+
             // since this is a series/instance find, make sure the user has access to the parent study
             Json::Value studyOrthancIds;
             if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
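Review bot: The exception text at the new nested `throw` still says "when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query", but that throw is now reached only when both conditions hold. The message should say so, for example `"Auth plugin: unable to call tools/find at Series or Instance level without a StudyInstanceUID in the query when the user does not have access to ALL labels."`. Because the parent-study check is now skipped whenever `HasAccessToAllLabels(profile)` is true, that helper is the only gate on this path. Its definition is outside the hunk, so it is worth confirming, ideally with a regression test for both branches, that it returns true only for the `"*"` value named in NEWS. The enclosing block starts and ends outside the hunk.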