[electrophysiology_browser] Session page: Add Project Permissions che…

…ck (aces#6640) When a user tries to access the individual session page for a project they are not affiliated with (by altering the URL), a "permission denied" message should appear. Resolves aces#6558 Related to issue aces#6557 and associated PR aces#6639
AlexandraLivadas · Jun 15, 2021 · 6f16de6 · 6f16de6
1 parent a43f6bd
commit 6f16de6
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 26 deletions.
diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc
@@ -1,5 +1,4 @@
 <?php declare(strict_types=1);
-
 /**
  * This class features the code for the menu portion of the LORIS
  * electrophysiology browser module.
@@ -37,6 +36,7 @@ class Sessions extends \NDB_Page
     public $skipTemplate = true; // stops from looking for a smarty template
     protected $timepoint;
     protected $sessionID;
+    protected $candidate;
 
     /**
      * Determine whether the user has permission to view this page
@@ -47,51 +47,60 @@ class Sessions extends \NDB_Page
      */
     function _hasAccess(\User $user) : bool
     {
-        return ($user->hasPermission('electrophysiology_browser_view_allsites')
+        return (($user->hasPermission('electrophysiology_browser_view_allsites')
                 || ($user->hasCenter($this->timepoint->getCenterID())
-                && $user->hasPermission('electrophysiology_browser_view_site')
-            )
-        );
+                && $user->hasPermission('electrophysiology_browser_view_site'))
+            ) && $user->hasProject($this->timepoint->getProject()->getId()));
     }
 
     /**
-     * Handles a login request
+     * Load the required variables in order to check that the  user
+     * has access to the session.
      *
-     * @param ServerRequestInterface $request The incoming PSR7 request
+     * @param \User                  $user    The user to load the resources for
+     * @param ServerRequestInterface $request The PSR15 Request being handled
      *
-     * @return ResponseInterface The outgoing PSR7 response
+     * @throws \NotFound If the session id is non-numerical
+     * @throws \LorisException  If the session is not found
+     *
+     * @return void
      */
-    public function handle(ServerRequestInterface $request) : ResponseInterface
-    {
-        $path       = $request->getUri()->getPath();
-        $parameters = $request->getQueryParams();
-        $user       = $request->getAttribute('user');
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
 
+        $path    = $request->getUri()->getPath();
         $matches = [];
 
-        // check that the session ID is of type integer
         if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) {
-            return (new \LORIS\Middleware\PageDecorationMiddleware($user))
-                ->process(
-                    $request,
-                    new \LORIS\Http\StringStream("Invalid session")
-                )->withStatus(404);
+            throw new \NotFound("Invalid session");
         }
-
         $session_id = intval($matches[1]);
+
         try {
             $this->timepoint = \NDB_Factory::singleton()->timepoint(
                 $session_id
             );
             $this->sessionID = $session_id;
         } catch(\LorisException $e) {
-            return (new \LORIS\Middleware\PageDecorationMiddleware($user))
-                ->process(
-                    $request,
-                    new \LORIS\Http\StringStream("Session not found")
-                )->withStatus(404);
+            throw new \NotFound("Session not found");
         }
 
+        parent::loadResources($user, $request);
+    }
+
+    /**
+     * Handles a login request
+     *
+     * @param ServerRequestInterface $request The incoming PSR7 request
+     *
+     * @return ResponseInterface The outgoing PSR7 response
+     */
+    public function handle(ServerRequestInterface $request) : ResponseInterface
+    {
+        $parameters = $request->getQueryParams();
+        $user       = $request->getAttribute('user');
+
         if (!$this->_hasAccess($user)) {
             return (new \LORIS\Middleware\PageDecorationMiddleware($user))
                 ->process(

diff --git a/php/libraries/Module.class.inc b/php/libraries/Module.class.inc
@@ -347,7 +347,7 @@ abstract class Module extends \LORIS\Router\PrefixRouter
             } else {
                 $_REQUEST['subtest'] = $pagename;
             }
-
+            $page->loadResources($user, $request);
             if ($page->_hasAccess($user) !== true) {
                 return (new \LORIS\Middleware\PageDecorationMiddleware(
                     $user

diff --git a/php/libraries/NDB_Page.class.inc b/php/libraries/NDB_Page.class.inc
@@ -713,6 +713,20 @@ class NDB_Page implements RequestHandlerInterface
             ->withBody(new \LORIS\Http\StringStream($this->display() ?? ""));
     }
 
+    /**
+     * This function can be overridden in a module's page to load the necessary
+     * resources to check the permissions of a user.
+     *
+     * @param User                   $user    The user to load the resources for
+     * @param ServerRequestInterface $request The PSR15 Request being handled
+     *
+     * @return void
+     */
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
+    }
+
     /**
      * Displays the form
      *