changeset 166:3c99bb6fd309
merge
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Mon, 29 Apr 2024 12:50:52 +0200 |
parents | 99bdc05012c0 (diff) a1fbf3f982f8 (current diff) |
children | e406ef204e3a |
files | Plugin/Plugin.cpp |
diffstat | 2 files changed, 8 insertions(+), 5 deletions(-) [+] |
--- a/NEWS Fri Apr 26 17:27:13 2024 +0200 +++ b/NEWS Mon Apr 29 12:50:52 2024 +0200 @@ -1,6 +1,8 @@ Pending changes in the mainline =============================== +* Fix wrong forbidden access to /dicom-web/studies/../series for users who + had "authorized_labels"=="*" 2024-03-25 - v 0.7.1 ====================
--- a/Plugin/Plugin.cpp Fri Apr 26 17:27:13 2024 +0200 +++ b/Plugin/Plugin.cpp Mon Apr 29 12:50:52 2024 +0200 @@ -707,12 +707,13 @@ { std::string studyInstanceUID; - if (!HasAccessToAllLabels(profile) && !GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + if (!HasAccessToAllLabels(profile)) // no need to adjust anything if the user has access to all labels { - throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); - } - else - { + if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query)) + { + throw Orthanc::OrthancException(Orthanc::ErrorCode_ForbiddenAccess, "Auth plugin: unable to call tools/find at Series or Instance level when the user does not have access to ALL labels or when there is no StudyInstanceUID in the query."); + } + // since this is a series/instance find, make sure the user has access to the parent study Json::Value studyOrthancIds; if (!OrthancPlugins::RestApiPost(studyOrthancIds, "/tools/lookup", studyInstanceUID, false))
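Review bot: The `ForbiddenAccess` message thrown inside the new `if (!GetStudyInstanceUIDFromQuery(studyInstanceUID, query))` block still joins its two conditions with "or", while this throw is reached only when the user lacks access to all labels and the query has no StudyInstanceUID. Since this text is what an administrator reads when diagnosing a denied series/instance find, I would reword it, for example `"Auth plugin: unable to call tools/find at Series or Instance level without a StudyInstanceUID in the query when the user does not have access to ALL labels."`. As far as the hunk shows, `std::string studyInstanceUID;` is used only inside the restricted-label branch and could be declared there. The enclosing block continues past the end of the hunk, so the parent-study check that follows the `/tools/lookup` call is not visible here.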