# HG changeset patch # User Alain Mazy # Date 1647424513 -3600 # Node ID bd7ad1cb40b6bf83cfc5da771e9ea57eb32dc161 # Parent 0b14c766ca7aaf2928f14a6458224884a21d521e Improved DICOM authorization checks when multiple modalities are declared with the same AET diff -r 0b14c766ca7a -r bd7ad1cb40b6 NEWS --- a/NEWS Mon Mar 07 18:56:15 2022 +0100 +++ b/NEWS Wed Mar 16 10:55:13 2022 +0100 @@ -1,6 +1,13 @@ Pending changes in the mainline =============================== +General +------- + +* Improved DICOM authorization checks when multiple modalities are declared with + the same AET. + + Documentation ------------- diff -r 0b14c766ca7a -r bd7ad1cb40b6 OrthancServer/Sources/main.cpp --- a/OrthancServer/Sources/main.cpp Mon Mar 07 18:56:15 2022 +0100 +++ b/OrthancServer/Sources/main.cpp Wed Mar 16 10:55:13 2022 +0100 
@@ -430,29 +430,53 @@ } else { - // If there are multiple modalities with the same AET, consider the one matching this IP + // If there are multiple modalities with the same AET, consider the one matching this IP + // or check if the operation is allowed for all modalities + bool allowedForAllModalities = true; + for (std::list::const_iterator it = modalities.begin(); it != modalities.end(); ++it) { - if (it->GetHost() == remoteIp) + if (it->IsRequestAllowed(type)) { - if (it->IsRequestAllowed(type)) + if (checkIp && + it->GetHost() == remoteIp) { return true; } - else - { - ReportDisallowedCommand(remoteIp, remoteAet, type); - return false; - } + } + else + { + allowedForAllModalities = false; } } - LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet - << " on IP " << remoteIp << ": " << modalities.size() - << " modalites found with this AET in configuration option " - << "\"DicomModalities\", but none of them matches the IP"; - return false; + if (allowedForAllModalities) + { + return true; + } + else + { + ReportDisallowedCommand(remoteIp, remoteAet, type); + + if (checkIp) + { + LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet + << " on IP " << remoteIp << ": " << modalities.size() + << " modalites found with this AET in configuration option " + << "\"DicomModalities\", but the operation is allowed for none " + << "of them matching the IP"; + } + else + { + LOG(WARNING) << "DICOM authorization rejected for AET " << remoteAet + << " on IP " << remoteIp << ": " << modalities.size() + << " modalites found with this AET in configuration option " + << "\"DicomModalities\", but the operation is not allowed for" + << "all of them"; + } + return false; + } } } }
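Review bot: the NEWS entry in the first hunk says the checks are "improved" without stating which rule changed. Since the main.cpp hunk changes which requests are accepted when several modalities share an AET, the entry should spell out the new behaviour (accepted when the entry matching the IP allows the operation, or when the operation is allowed for all entries with that AET) so administrators can review their "DicomModalities" configuration against it.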
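Review bot: in the main.cpp hunk, the final `if (allowedForAllModalities)` returns true even when `checkIp` is set and no entry's `GetHost()` equals `remoteIp`. In the lines shown, a peer whose address matches none of the configured modalities is therefore accepted as long as every entry sharing the AET allows the request type, whereas the removed code rejected that case with "none of them matches the IP". If this relaxation is intended, state it in the comment above the loop; otherwise gate the fallback, for example `if (!checkIp && allowedForAllModalities)`. Separately, the last warning joins `"... is not allowed for"` and `"all of them"` without a space, so it logs "forall of them", and "modalites" is misspelled in both new messages.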