[electrophysiology_browser] Session page: Add Project Permissions check

[AlexandraLivadas]

Brief summary of changes

When a user tries to access the individual session page for a project they are not affiliated with (by altering the URL), a "permission denied" message should appear.

Testing instructions (if applicable)

1. Create a user and give them View all-sites Electrophysiology Browser pages permission.
2. Assign the user project "Pumpernickel" and site "Ottawa"
3. Navigate to the EEG browser page as that user.
4. Copy either the "all-types" or "raw" link from one of the rows.
5. As an admin, change the user to a different project (anything other than Pumpernickel)
6. Go back to the user account and to the EEG Browser page.
7. Note that there are no sessions listed (on the test VM)
8. Paste the copied URL.
9. There should be a "Permission denied" message and no data should be displayed.

Links to related issues

• Resolves [EEG Browser] User can access individual sessions for projects they are not involed in #6558
• Related to issue [Electrophysiology_Browser] 500 error on view session when user only has view own site permission #6557 and associated PR [electrophysiology browser] Check if user is affiliated with site when opening individual scan sessions #6639

[christinerogers]

looks good to me. I will leave you and Karim to each pull and test it.

@ridz1208 or @johnsaigle and eventually dave can review

[ridz1208]

@AlexandraLivadas I think it's better to put the project access check inside the hasAccess function

[AlexandraLivadas]

@ridz1208 This wouldn't work because the timepoint variable is not properly defined when the _hasAccess method is first called. This is also what caused the issue #6557. The _hasAccess method is called first by the Module class here, and it is called before the handle method is called where the timepoint variable is properly defined. So, I couldn't include it in the method because it would give a null pointer error. Let me know if this explanation makes sense!

[ridz1208]

@AlexandraLivadas it makes sense. I think I've seen this use case before

@HenriRabalais isn't that a similar problem to the one you had with issue tracker? do you remember what Dave suggested to add to the class in order to instantiate the object before getting to the has access function ?

[ridz1208]

https://github.com/aces/Loris/pull/6471/files

this might be helpful. look at the comment of the process function.

[AlexandraLivadas]

I tried this approach and it did not work. I think it is because this class (Sessions) is of type NDB_Page, while the one you linked is of type NDB_Form. If you look at the Module class, the method process is never called for the actual page. So, when I created the process method and defined the timepoint variable in there and then moved the project permission line into the _hasAccess method, it gave me a null pointer error again.

[ridz1208]

@driusan I sugested that above. @AlexandraLivadas is saying it didnt work

[driusan]

All page types should have the process middleware called on it, there shouldn't be anything specific to forms in that regard. (Forms are special in that they have a _process, but that's different than and unrelated to the PSR15 middleware process)

[AlexandraLivadas]

@driusan I tried again following a very similar format to modules/instrument_list/php/instrument_list.class.inc and it still gives me the following error when I move the project permission to the _hasAccess method:

PHP Fatal error:  Uncaught Error: Call to a member function getProjectID() on null in /var/www/loris2020/modules/electrophysiology_browser/php/sessions.class.inc:56\nStack trace:\n#0 /var/www/loris2020/php/libraries/Module.class.inc(351): LORIS\\electrophysiology_browser\\Sessions->_hasAccess(Object(User))\n#1 /var/www/loris2020/src/Middleware/ResponseGenerator.php(50): Module->handle(Object(Laminas\\Diactoros\\ServerRequest))\n#2 /var/www/loris2020/src/Middleware/AuthMiddleware.php(63): LORIS\\Middleware\\ResponseGenerator->process(Object(Laminas\\Diactoros\\ServerRequest), Object(LORIS\\electrophysiology_browser\\Module))\n#3 /var/www/loris2020/src/Router/ModuleRouter.php(75): LORIS\\Middleware\\AuthMiddleware->process(Object(Laminas\\Diactoros\\ServerRequest), Object(LORIS\\electrophysiology_browser\\Module))\n#4 /var/www/loris2020/src/Router/BaseRouter.php(105): LORIS\\Router\\ModuleRouter->handle(Object(Laminas\\Diactoros\\ServerRequest))\n#5 /var/www/loris2020/src/Middleware/ResponseGenerator.php(50): LORIS\\Router\\BaseRouter->handle(Object(Laminas in /var/www/loris2020/modules/electrophysiology_browser/php/sessions.class.inc on line 56, referer: https://alivadas-dev.loris.ca/electrophysiology_browser

I included the if-statements from the instrument_list.class.inc both in the _hasAccess and process methods to check if the timepoint and candidate variables are null. The \NotFound error (from _hasAccess) appeared but the \LorisException error (from process) did not.

[Added] I have found multiple cases of using this process method this way, so I'm not sure why it's not working. I will continue to look into why this is.

[ridz1208]

@AlexandraLivadas any news from you investigation ?

[AlexandraLivadas]

@h-karim and I have been running into the same problem when trying to implement the process method (check out his PR #6639). After some digging, we both found that the process method is called after the _hasAccess method, so this fix would not work.

[h-karim]

From a testing POV, it's behaving as intended.

[christinerogers]

pinging @ridz1208 for re-review, since @AlexandraLivadas should have addressed your changes already

@driusan - should be ready for final review

Stale. Rida please re-review

[AlexandraLivadas]

The changes requested by @ridz1208 and @driusan were attempted but did not work. A similar change was requested for PR #6639 and @h-karim also had trouble implementing it.

incorrect method.

[ridz1208]

@AlexandraLivadas

@driusan and I have discussed this issue at length yesterday.

explanation : the reason @HenriRabalais 's fix on #6471 worked is because he added a null check for $this->issueID in the _hasAccess() function causing it to return true when it is first checked. After which the resources were being instanciated and finally the _hasAccess was called again and only then proper permission checking was done.

We want to change this behaviour because it's not efficient and slightly hacky.

What to do: We decided that a short term stable fix would be the following. In the php/libraries/Module.class.inc, the $page->_hasAccess() function is called on line 351. We are proposing to add a function call on line 350 $page->loadResources($user,$request) this function would be defined in NDB_Page class and does absolutely nothing at that level, but in each module's pages you can override this function and instanciate all the resources you need (timepoint, issue, users,...)

So in this PR what we would expect to see is the addition of the NDB_Page->loadResources($user,$request) function, addition on line 350 of the Module.class.inc class of a call to the new NDB_Page function and, in modules/electrophysiology_browser/php/sessions.class.inc addition of an override for loadResources() function (the content of this function would instanciate the necessary timepoit to allow _hasAccess() to check for permissions)

[h-karim]

LGTM, passes manual test, and also resolves #6557 .

[AlexandraLivadas]

@driusan This section returns a 500 Internal Server Error if the session/timepoint does not exist. Is this okay or should it return some other type of exception?

[driusan]

I think it should be converted to a 404 not found.

[driusan]

approved pending travis..