[DicomArchive] Add project permissions to Subpage #6658

Open
christinerogers opened this issue Jun 2, 2020 · 2 comments · May be fixed by #9359
Labels
Category: Bug PR or issue that aims to report or fix a bug Category: Security PR or issue that aims to improve security

@christinerogers
Contributor

No project-based data access controls were added to the Subpage in this module during Data Frameworkization.
As a result, a user can enter a URL to download and see details on scans they should not have access to.

The ViewDetails:hasAccess() needs to be updated similar to these PRs:

Describe the bug
A clear and concise description of what the bug is

To Reproduce

  1. Go to Dicom Archive module, using a User credential that has access to project A.
  2. Click on any scan in project A to enter its View Details page
  3. Copy the URL
  4. Using another session with a user who does not have access to project A - does this URL load? Can the scans be downloaded?

for the 23 release. Modules that only partially enforce project permissions should be updated to resolve this, if possible.
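
The gap described in this issue, shown as an added example that is not part of the original issue and is not LORIS code: a subpage access check that stops at the module-level permission, beside one that also requires membership in the scan's project. The classes `DemoUser` and `DemoViewDetails`, the permission name `demo_dicom_view`, and the project IDs are hypothetical; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-ins for illustration; these are not LORIS classes.
final class DemoUser
{
    public function __construct(private array $permissions, private array $projectIDs)
    {
    }

    public function hasPermission(string $name): bool
    {
        return in_array($name, $this->permissions, true);
    }

    public function hasProject(int $projectID): bool
    {
        return in_array($projectID, $this->projectIDs, true);
    }
}

final class DemoViewDetails
{
    // $scanProjectID: the project owning the requested scan, resolved
    // server-side from the ID in the URL; null when it cannot be resolved.
    public function __construct(private ?int $scanProjectID)
    {
    }

    // Before: only the module-level permission is checked, so a copied URL loads.
    public function hasAccessModuleOnly(DemoUser $user): bool
    {
        return $user->hasPermission('demo_dicom_view');
    }

    // After: the user must also belong to the scan's project (fails closed).
    public function hasAccess(DemoUser $user): bool
    {
        return $user->hasPermission('demo_dicom_view')
            && $this->scanProjectID !== null
            && $user->hasProject($this->scanProjectID);
    }
}

// Constructed data mirroring the reproduction steps: scan in project A (id 1).
$page  = new DemoViewDetails(1);
$userA = new DemoUser(['demo_dicom_view'], [1]);
$userB = new DemoUser(['demo_dicom_view'], [2]); // no access to project A
var_dump($page->hasAccessModuleOnly($userB), $page->hasAccess($userA), $page->hasAccess($userB));
```

The same project check has to guard the download path as well as the details view, since the issue reports both as reachable by URL.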

@christinerogers christinerogers added Category: Bug PR or issue that aims to report or fix a bug Category: Security PR or issue that aims to improve security labels Jun 2, 2020
@laemtl laemtl self-assigned this Jul 6, 2020
@laemtl laemtl removed their assignment Aug 19, 2020
@regisoc regisoc mentioned this issue Apr 10, 2023
14 tasks
@christinerogers
Contributor Author

@regisoc could you confirm if #8503 addressed this issue? I didn't see it in the PR description.
If it wasn't covered, let's leave this ticket open.

@regisoc
Contributor

regisoc commented Sep 24, 2024

@christinerogers not covered, it was just added to the list of related issues in #8503. It should stay open. New PR attached, I put you as reviewer.
