
[EEG Browser] User can access individual sessions for projects they are not involved in #6558

Closed · h-karim opened this issue May 20, 2020 · 10 comments · Fixed by #6640

Labels: Category: Bug (PR or issue that aims to report or fix a bug); Category: Security (PR or issue that aims to improve security)

Comments

h-karim (Contributor) commented May 20, 2020

Context
Fails step A.2 of the test plan. Related to #6618

Describe the bug
A user can access individual sessions for a project that the user has not been assigned to if the user has a URL from the 'raw' or 'all types' links or logically deduces the URL.

To Reproduce

Steps to reproduce the behavior on the testing VM:

  1. Using an admin user, create a user foo with the following permission:

     View all-sites Electrophysiology Browser pages

  2. Assign the user project "pumpernickel" and site "Ottawa"
  3. Navigate to the EEG Browser module front page using foo
  4. Notice data for pumpernickel is displayed; copy either the "all types" or "raw" link from one of the rows to your clipboard (e.g. this link: https://test-loris-dev.loris.ca/electrophysiology_browser/sessions/167 )
  5. Using an admin account, change foo's project assignment to any other project, making sure to exclude "pumpernickel"
  6. Switch back to foo
  7. Notice the module front page does not show any data (on the testing VM)
  8. Paste the copied URL
  9. Notice foo is able to access the individual session, despite not being assigned the pumpernickel project, and is now able to click on "Next" and "Previous" to access all the data for project pumpernickel.

What did you expect to happen?
For the user to have been denied access to the individual session when the user is not assigned the project covering the particular session

Browser Environment (please complete the following information):

  • OS: Ubuntu 18.04 LTS
  • Browser chrome 83.0.4103.61 and firefox 76.0.1

Server Environment (if known):
This was done using the testing VM for loris

@h-karim h-karim added Category: Bug PR or issue that aims to report or fix a bug 23.0.0-testing labels May 20, 2020
@h-karim h-karim changed the title [Electrophysiology_Browser] candidate rows do not load on module page despite user having permission "View all sites Electrophysiology pages" [Electrophysiology_Browser] candidate rows do not load on module page despite user having permission May 20, 2020
@h-karim h-karim changed the title [Electrophysiology_Browser] candidate rows do not load on module page despite user having permission [Electrophysiology_Browser] data does not load on module page despite user having view permission May 20, 2020
@h-karim h-karim changed the title [Electrophysiology_Browser] data does not load on module page despite user having view permission [Electrophysiology_Browser] data does not load on module page despite user having permission May 20, 2020
christinerogers (Contributor) commented May 21, 2020

Hi @h-karim : is it fair to summarize this paragraph

For example, if user foo is granted permission to view all-sites EEG pages, but is not assigned project "pumpernickel", data with value "pumpernickel" under the "project" column will not load for foo on the EEG Browser main page. If foo however clicks on this link (which is a link for a session done under project "pumpernickel" for the testing VM), the session page will load properly for foo.

as:
UserA is not affiliated to project pumpernickel, but can still see pumpernickel data if they click on a visit that is affiliated to pumpernickel and visible in the main data table.

There's something about your issue where it's not clear whether you're saying the project permissions aren't working as they should.

h-karim (Contributor, Author) commented May 21, 2020

if UserA has been granted permission to view all sites, UserA still cannot see pumpernickel data on the front page if pumpernickel is not assigned to UserA, however UserA can still access raw/all types URLs for pumpernickel sessions if UserA happens to have one. I am not sure whether the desirable behaviour is for UserA to not be able to access pumpernickel sessions, or for userA to be able to view pumpernickel data on the module front page.

@h-karim h-karim changed the title [Electrophysiology_Browser] data does not load on module page despite user having permission [Electrophysiology_Browser] User can access individual sessions for projects that have not been assigned to the user May 21, 2020
h-karim (Contributor, Author) commented May 21, 2020

@christinerogers I've edited the issue description to better clarify the underlying issue, let me know if there's anything more to tweak.

christinerogers (Contributor) commented

try getting the title down to one line. start by shortening to [EEG Browser]

@h-karim h-karim changed the title [Electrophysiology_Browser] User can access individual sessions for projects that have not been assigned to the user [EEG Browser] User can access individual sessions for projects without being assigned to them May 22, 2020
@h-karim h-karim changed the title [EEG Browser] User can access individual sessions for projects without being assigned to them [EEG Browser] User can access individual sessions for projects they are not involed in May 22, 2020
@christinerogers christinerogers added the Category: Security PR or issue that aims to improve security label May 26, 2020
johnsaigle (Contributor) commented May 26, 2020

@ridz1208 Can you comment on whether this is expected behaviour?

My assumption is that a user should only see data corresponding to the intersection of sites and projects. So if I am a user with ONLY access to Site Montreal and Project ProjectA, then I should see ONLY data associated with Project A AND Site Montreal.

However, another interpretation is that an "access all sites" permission really does mean all sites and overrides Project limitations.

Which behaviour is intended?

h-karim (Contributor, Author) commented May 26, 2020

@johnsaigle I want to note the reason why I mentioned to grant the user "all sites" permission here is because of #6557 , making it impossible for now to test the scenario where the user is granted "view own site" permission and is affiliated with the correct site but not the individual project. However with the imaging module (#6618), the user can still access data from projects the user is not affiliated with, but is site affiliated with, if the user is given the "view own site" permission. So I don't think it's particularly related to the "view all sites" permission.

johnsaigle (Contributor) commented

Thanks for clarifying, that's helpful. So Project filtering is basically broken for these two modules.

christinerogers (Contributor) commented

> Thanks for clarifying, that's helpful. So Project filtering is basically broken for these two modules.

Project permissions/controls were never added for (non-reactified) subpages for all modules that should now have Project permissions added.

johnsaigle (Contributor) commented

Fair enough. It's probably more accurate right now to say we have "Project filtering" rather than "Project permissions" in general.

driusan pushed a commit that referenced this issue Jul 15, 2020
…ck (#6640)

When a user tries to access the individual session page for a project they are not affiliated with (by altering the URL), a "permission denied" message should appear.

    Resolves #6558
    Related to issue #6557 and associated PR #6639
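The commit above describes the intended outcome (a "permission denied" response when the session's project is not one the user is affiliated with), and the report notes that the "Next"/"Previous" buttons otherwise walk through the whole project. The following is an added, stand-alone illustration of that server-side check; it is not LORIS's own code. It assumes a simple user/session model, a hypothetical "own-site" permission name as the counterpart of the "View all-sites Electrophysiology Browser pages" permission quoted in the report, and constructed session data (session 167 mirrors the URL in the report). It generalizes slightly beyond the page by also restricting the prev/next navigation to sessions the user may view.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Permission quoted on this page, plus an assumed "own site" counterpart used only
# to show how a site-level check differs from the project check.
VIEW_ALL_SITES = "View all-sites Electrophysiology Browser pages"
VIEW_OWN_SITE = "View own-site Electrophysiology Browser pages"  # hypothetical name


@dataclass(frozen=True)
class Session:
    session_id: int
    project: str
    site: str


@dataclass(frozen=True)
class User:
    name: str
    projects: FrozenSet[str]
    sites: FrozenSet[str]
    permissions: FrozenSet[str]


class PermissionDenied(Exception):
    """Raised when the session page must not be rendered for this user."""


def can_view_session(user: User, session: Session) -> bool:
    """Authorize one session: the user must pass BOTH the site and the project check.

    A site-level permission ("view all sites") widens only the site check; it never
    substitutes for project affiliation, which is the gap the issue describes.
    """
    if VIEW_ALL_SITES in user.permissions:
        site_ok = True
    elif VIEW_OWN_SITE in user.permissions:
        site_ok = session.site in user.sites
    else:
        site_ok = False
    project_ok = session.project in user.projects
    return site_ok and project_ok


def load_session_page(user: User, session_id: int, sessions: Dict[int, Session]) -> Session:
    """Handler for a per-session page addressed by an id taken from the URL.

    The check runs on every request, so a copied or guessed link gives no access.
    An unknown id is treated exactly like a forbidden one, so the response does
    not reveal which session ids exist.
    """
    session = sessions.get(session_id)
    if session is None or not can_view_session(user, session):
        raise PermissionDenied(f"{user.name} may not view session {session_id}")
    return session


def neighbours(user: User, session_id: int,
               sessions: Dict[int, Session]) -> Tuple[Optional[int], Optional[int]]:
    """Ids for the "Previous"/"Next" buttons, computed only over sessions the user
    may view, so the buttons cannot be used to walk into another project's data."""
    visible = sorted(s.session_id for s in sessions.values() if can_view_session(user, s))
    if session_id not in visible:
        return (None, None)
    i = visible.index(session_id)
    prev_id = visible[i - 1] if i > 0 else None
    next_id = visible[i + 1] if i + 1 < len(visible) else None
    return (prev_id, next_id)


# Constructed sample data; only session 167's id comes from the report.
SESSIONS: Dict[int, Session] = {
    166: Session(166, "pumpernickel", "Ottawa"),
    167: Session(167, "pumpernickel", "Ottawa"),
    168: Session(168, "rye", "Montreal"),  # constructed project and site names
}

# foo as in steps 1-2 of the report, and foo after step 5 (reassigned away from pumpernickel)
FOO_BEFORE = User("foo", frozenset({"pumpernickel"}), frozenset({"Ottawa"}), frozenset({VIEW_ALL_SITES}))
FOO_AFTER = User("foo", frozenset({"rye"}), frozenset({"Ottawa"}), frozenset({VIEW_ALL_SITES}))


if __name__ == "__main__":
    print(load_session_page(FOO_BEFORE, 167, SESSIONS))
    print(neighbours(FOO_BEFORE, 167, SESSIONS))
    try:
        load_session_page(FOO_AFTER, 167, SESSIONS)
    except PermissionDenied as exc:
        print("denied:", exc)
```

The point of structuring it this way is that the same `can_view_session` predicate gates both the page load and the row listing, so the front-page filter and the individual session page cannot disagree, which is exactly the inconsistency the report observed.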
AlexandraLivadas (Contributor) commented

This was resolved after the merging of PR #6640
