changeset 165:99bdc05012c0
fix wrong forbidden access to dicom-web resources for users with access to all labels
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 29 Apr 2024 12:50:24 +0200 |
parents | 4f5c7acb626f |
children | 3c99bb6fd309 |
files | NEWS Plugin/Plugin.cpp |
diffstat | 2 files changed, 8 insertions(+), 5 deletions(-) [+] |
--- a/NEWS Thu Apr 25 15:30:24 2024 +0200 +++ b/NEWS Mon Apr 29 12:50:24 2024 +0200 @@ -1,6 +1,8 @@ Pending changes in the mainline =============================== +* Fix wrong forbidden access to /dicom-web/studies/../series for users who + had "authorized_labels"=="*" 2024-03-25 - v 0.7.1 ====================
--- a/Plugin/Plugin.cpp Thu Apr 25 15:30:24 2024 +0200 +++ b/Plugin/Plugin.cpp Mon Apr 29 12:50:24 2024 +0200 @@ -707,12 +707,13 @@ { std::string studyInstanceUID; - if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); - } - else - { + if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + { + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); + } + // since this is a series/instance find, make sure the user has access to the parent study Json::Value studyOrthancIds; if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
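Review bot: The ForbiddenAccess message thrown in the new inner `if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))` still says "does not have access to ALL labels or when there is no StudyInstanceUID in the query", but that throw is now reached only when both conditions hold, so the "or" misleads anyone reading the denial in the logs. Wording such as `"Auth plugin: unable to call tools/find at Series or Instance level without a StudyInstanceUID in the query when the user does not have access to ALL labels."` would match the condition. Separately, the outer `if (!HasAccessToAllLabels(profile))` now skips the parent-study check entirely for these finds, so that path rests on HasAccessToAllLabels alone, whose definition is outside this hunk. A regression test asserting that a label-restricted profile with no StudyInstanceUID is still refused would guard the fast path. The enclosing function starts and ends outside the hunk.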