[electrophysiology browser] Check if user is affiliated with site when opening individual scan sessions #6639
Conversation
quick fix because timepoint is not defined in the module class, where hasAccess is called
|
Hey @h-karim hasStudySite has a specific meaning and think we may be in the process of removing it. Did you check its history/usage ? |
|
also, is the PR title accurate? maybe site instead of sessions? |
h-karim
changed the title
@christinerogers Loris/modules/brainbrowser/php/brainbrowser.class.inc Lines 34 to 47 in a5304c7 and the candidate list module: Loris/modules/candidate_list/php/validateids.class.inc Lines 40 to 46 in a5304c7 |
There was a problem hiding this comment.
i think this looks good to me.
@h-karim if you're happy with this solution -- let's keep this moving through the review process.
The next step is the find a way to take this out of draft mode,
I think this means marking this draft PR as Ready for review. If you find you can't do this, (due to no write privilege), ask Rida if he can do this for you or advise on who can.
Then, request testing and review from @laemtl (if you don't mind, Laetitia, merci)
There was a problem hiding this comment.
The permissions of this module are confusing to me, both the old and new implementation.
Old way
A user can access this session ONLY if they have the electrophysiology_browser_view_site AND at least one of the following:
- electrophysiology_browser_view_allsites
- $user->hasCenter($this->timepoint->getCenterID())
New way
A user can access this session ONLY if they have the electrophysiology_browser_view_site AND at least one of the following:
- electrophysiology_browser_view_allsites
- access to any 'study site'
- $user->hasCenter($this->timepoint->getCenterID())
I don't think either of these is correct. Why would someone need both the allsites and the site permission? allsites should override the other permission.
I think we need permissions like this:
Ideal way
A user can access this session if they have the electrophysiology_browser_view_allsites permission.
Alternatively, a user can access a session if they have electrophysiology_browser_view_site AND a center matching the centerID of this timepoint.
This would be
return $user->hasPermission('electrophysiology_browser_view_allsites')
|| ($user->hasPermission('electrophysiology_browser_view_site')
&& $user->hasCenter($this->timepoint->getCenterID());I know this doesn't solve the "undefined" issue but it's important that we understand the permissions we're trying to go for. In any case I don't think that a user being able to access any study site has anything to do with whether they are viewing some particualr EEG session.
@cmadjar I think you wrote the module, maybe you can clarify?
|
@johnsaigle - How about spinning your Proposal off into a new issue for discussion? |
|
I don't consider this a proposal, I think it's an issue with the permissions logic in this code. |
|
@johnsaigle Considering the brain browser and candidate list modules (among possible others) have a similar line of logic for permissions: Loris/modules/brainbrowser/php/brainbrowser.class.inc Lines 34 to 47 in a5304c7 Loris/modules/candidate_list/php/validateids.class.inc Lines 40 to 46 in a5304c7 Perhaps an umbrella issue/proposal should be created with the eventual goal to centralize all the permissions in one place? The way it's being handled now has the potential to create significant technical debt.
I think the logic was going on the premises that the module table is displaying only the site data which the user has access to, and that during user creation a user must be assigned a site, therefore the user would be able to access the individual sessions of the table data. The ideal way you quoted is what is currently implemented : https://github.com/aces/Loris/blob/23.0-release/modules/electrophysiology_browser/php/sessions.class.inc#L50-L54 , it's checking whether the user has the |
Yeah I took another look and I think you're right. The logical operators and the brackets are confusing to me in this module. The Sorry for the tangent |
laemtl
added
the
Passed manual tests
|
Tested and works fine. |
np. Karim's right -- yes, we are moving towards centralizing / coordinating common definitions of permissions, creating less risk of inconsistencies across modules and technical debt. |
|
@AlexandraLivadas or @johnsaigle could either of you re/review this permissions fix? thanks |
There was a problem hiding this comment.
This is the wrong fix for the issue.
fix should look more similar to #6471
As a workaround, hasStudySite is added as part of the _hasAccess method to verify the user is affiliated with the study site of the scan session, short-circuiting $user->hasCenter($this->timepoint->getCenterID().
words like short-circuiting and workaround means that it's probably not the correct fix.
|
I agree with @ridz1208 that this should probably be done a bit differently. I know Dave commented on a similar issue on Alex was working on about a possible approach using the module's |
christinerogers
added
State: Needs work
|
@ridz1208 Echoing @AlexandraLivadas 's comment overriding the public function process(
ServerRequestInterface $request,
RequestHandlerInterface $handler ) : ResponseInterface {
$this->timepoint = $request->getAttribute("timePoint");
if ($this->timepoint === null) {
// This shouldn't happen, the module level router verifies that
// the candidate exists before getting here.
throw new \LorisException("Timepoint list requires a timepoint.");
}
return parent::process($request, $handler);
}Inserting print functions to test it out, the
|
|
@driusan can you look into these issues ? |
|
None of those pieces of code are being used to try and short-circuit out of other checks. They're being used to verify that if the user only has the "site" permission for the module, the user has a study site. |
|
I'll remove function _hasAccess(\User $user) : bool
{
return ($user->hasPermission('electrophysiology_browser_view_allsites')
|| ($user->hasStudySite()
&& $user->hasPermission('electrophysiology_browser_view_site') ) );
}following the same logic as the other pieces of code. Edit: Doing this confirmed that the |
h-karim
force-pushed
the
2020-05-28-Issue6557-PatchEEGhasAccess
branch
from
4b6d04a to
89e8287
Compare
h-karim
force-pushed
the
2020-05-28-Issue6557-PatchEEGhasAccess
branch
from
89e8287 to
f18473f
Compare
ridz1208
added
the
State: Discussion required
|
For LORIS Magic Monday @h-karim : See Rida's comments for Alex in #6640 and then follow her lead... |
|
#6640 takes care of the linked issue. Closing this PR. |
Brief summary of changes
The
_hasAccessmethod is being called byModule.class.inchere. This is causing an error because because$this.timepointis not initialised before the method call in the module class, which leads to callinggetCenterIDon null:Loris/modules/electrophysiology_browser/php/sessions.class.inc
Line 51 in a5304c7
I added
hasStudySiteas part of the_hasAccessmethod to verify the user is affiliated with the study site of the scan session, and removed$user->hasCenter($this->timepoint->getCenterID(), to follow the same logic check as some of the other mdules.Testing instructions (if applicable)
Link(s) to related issue(s)