From 18a33515e62fc380f52b1cac9f500366edb5154a Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Mon, 29 Jun 2020 17:03:10 -0400 Subject: [PATCH 1/9] Added changes --- .../php/sessions.class.inc | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index b712b39d2e4..ee68828fa92 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -79,18 +79,9 @@ class Sessions extends \NDB_Page } $session_id = intval($matches[1]); - try { - $this->timepoint = \NDB_Factory::singleton()->timepoint( - $session_id - ); - $this->sessionID = $session_id; - } catch(\LorisException $e) { - return (new \LORIS\Middleware\PageDecorationMiddleware($user)) - ->process( - $request, - new \LORIS\Http\StringStream("Session not found") - )->withStatus(404); - } + + $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id); + $this->sessionID = $session_id; if (!$this->_hasAccess($user)) { return (new \LORIS\Middleware\PageDecorationMiddleware($user)) From 8a4916f86e7b3565e6eebc05be6d904c9f1212b9 Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Mon, 29 Jun 2020 13:31:58 -0400 Subject: [PATCH 2/9] Load resources added to NDB_Page --- .../php/sessions.class.inc | 43 ++++++++++++++----- php/libraries/Module.class.inc | 2 +- php/libraries/NDB_Page.class.inc | 16 +++++++ 3 files changed, 49 insertions(+), 12 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index ee68828fa92..21da1957776 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc 
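Review bot: Dropping the catch means a session id that matches the regex but does not exist now surfaces as an uncaught \LorisException from the timepoint() call instead of the 404 the removed branch produced, and nothing else in this hunk translates it, so the response status depends on an outer handler not shown here. Later patches in this series (8/9) reinstate a catch that rethrows as \NotFound, so this is only a concern if the commits are applied or bisected individually. handle() starts and ends outside the hunk.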
@@ -37,6 +37,7 @@ class Sessions extends \NDB_Page public $skipTemplate = true; // stops from looking for a smarty template protected $timepoint; protected $sessionID; + protected $candidate; /** * Determine whether the user has permission to view this page @@ -47,29 +48,29 @@ class Sessions extends \NDB_Page */ function _hasAccess(\User $user) : bool { - return ($user->hasPermission('electrophysiology_browser_view_allsites') + return (($user->hasPermission('electrophysiology_browser_view_allsites') || ($user->hasCenter($this->timepoint->getCenterID()) && $user->hasPermission('electrophysiology_browser_view_site') ) - ); + ) && $user->hasProject($this->candidate->getProjectID())); } /** - * Handles a login request + * Load the required variables in order to check that the user + * has access to the session. * - * @param ServerRequestInterface $request The incoming PSR7 request + * @param \User $user The user to load the resources for + * @param ServerRequestInterface $request The PSR15 Request being handled * - * @return ResponseInterface The outgoing PSR7 response + * @return ResponseInterface */ - public function handle(ServerRequestInterface $request) : ResponseInterface - { - $path = $request->getUri()->getPath(); - $parameters = $request->getQueryParams(); - $user = $request->getAttribute('user'); + public function loadResources( + \User $user, ServerRequestInterface $request + ) : ResponseInterface { + $path = $request->getUri()->getPath(); $matches = []; - // check that the session ID is of type integer if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) { return (new \LORIS\Middleware\PageDecorationMiddleware($user)) ->process( 
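Review bot: `_hasAccess()` now dereferences `$this->timepoint` and `$this->candidate`, which are only assigned by `loadResources()`; when the path does not match, `loadResources()` returns a 404 response, but the Module.class.inc hunk in this commit discards that return value and calls `_hasAccess()` anyway, so the check fails with an Error on null rather than the intended 404. An authorization check should fail closed when its inputs are missing: `if ($this->timepoint === null || $this->candidate === null) { return false; }` at the top of `_hasAccess()`. The same discarded-return problem applies to the NDB_Page::loadResources hunk that follows. loadResources() continues past the end of this hunk.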
@@ -83,6 +84,26 @@ class Sessions extends \NDB_Page $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id); $this->sessionID = $session_id; + $candID = $this->timepoint->getCandID(); + $this->candidate = \Candidate::singleton($candID); + + parent::loadResources($user, $request); + return (new \LORIS\Http\Response()) + ->withBody(new \LORIS\Http\StringStream($this->display() ?? "")); + } + + /** + * Handles a login request + * + * @param ServerRequestInterface $request The incoming PSR7 request + * + * @return ResponseInterface The outgoing PSR7 response + */ + public function handle(ServerRequestInterface $request) : ResponseInterface + { + $parameters = $request->getQueryParams(); + $user = $request->getAttribute('user'); + if (!$this->_hasAccess($user)) { return (new \LORIS\Middleware\PageDecorationMiddleware($user)) ->process( diff --git a/php/libraries/Module.class.inc b/php/libraries/Module.class.inc index 48ad1d3fe87..9b769a094e0 100644 --- a/php/libraries/Module.class.inc +++ b/php/libraries/Module.class.inc @@ -347,7 +347,7 @@ abstract class Module extends \LORIS\Router\PrefixRouter } else { $_REQUEST['subtest'] = $pagename; } - + $page->loadResources($user, $request); if ($page->_hasAccess($user) !== true) { return (new \LORIS\Middleware\PageDecorationMiddleware( $user diff --git a/php/libraries/NDB_Page.class.inc b/php/libraries/NDB_Page.class.inc index b2d6f7b8ceb..5539f5c679f 100644 --- a/php/libraries/NDB_Page.class.inc +++ b/php/libraries/NDB_Page.class.inc 
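Review bot: `$this->display()` is invoked inside `loadResources()`, which Module now calls before `_hasAccess()`, so the page is rendered (and any side effects of rendering run) before the authorization check, and the resulting response is then thrown away by the caller; the base NDB_Page::loadResources hunk in this commit has the same call. loadResources() should only populate the state `_hasAccess()` needs and leave rendering to `handle()`, e.g. end with `parent::loadResources($user, $request);` and no response construction. The docblock moved onto `handle()` still reads "Handles a login request", which does not describe this page; `Handles a request for an electrophysiology session page` would. handle() continues outside the hunk.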
@@ -709,6 +709,22 @@ class NDB_Page implements RequestHandlerInterface ->withBody(new \LORIS\Http\StringStream($this->display() ?? "")); } + /** + * This function can be overridden in a module's page to load the necessary + * resources to check the permissions of a user. + * + * @param User $user The user to load the resources for + * @param ServerRequestInterface $request The PSR15 Request being handled + * + * @return ResponseInterface + */ + public function loadResources( + \User $user, ServerRequestInterface $request + ) : ResponseInterface { + return (new \LORIS\Http\Response()) + ->withBody(new \LORIS\Http\StringStream($this->display() ?? "")); + } + /** * Displays the form * From 2d6329683903c95b055a787c83b67b470bb50ac7 Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Mon, 29 Jun 2020 14:03:28 -0400 Subject: [PATCH 3/9] Fixed formatting in hasAccess --- modules/electrophysiology_browser/php/sessions.class.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 21da1957776..3b885d59dbc 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -50,9 +50,8 @@ class Sessions extends \NDB_Page { return (($user->hasPermission('electrophysiology_browser_view_allsites') || ($user->hasCenter($this->timepoint->getCenterID()) - && $user->hasPermission('electrophysiology_browser_view_site') - ) - ) && $user->hasProject($this->candidate->getProjectID())); + && $user->hasPermission('electrophysiology_browser_view_site')) + ) && $user->hasProject($this->candidate->getProjectID())); } /** From 3a7aa7dde1f0497190488a8ab747e727f948b5a7 Mon Sep 17 00:00:00 2001 
From: AlexandraLivadas Date: Mon, 29 Jun 2020 15:40:23 -0400 Subject: [PATCH 4/9] LoadResources returns void --- .../php/sessions.class.inc | 27 +++++++++---------- php/libraries/NDB_Page.class.inc | 6 ++--- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 3b885d59dbc..fabba6b6158 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -1,5 +1,4 @@ getUri()->getPath(); $matches = []; if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) { - return (new \LORIS\Middleware\PageDecorationMiddleware($user)) - ->process( - $request, - new \LORIS\Http\StringStream("Invalid session") - )->withStatus(404); + throw new \LorisException("Invalid session"); } - $session_id = intval($matches[1]); - - $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id); - $this->sessionID = $session_id; + try { + $this->timepoint = \NDB_Factory::singleton()->timepoint( + $session_id + ); + $this->sessionID = $session_id; + } catch(\LorisException $e) { + throw new \LorisException("Session not found"); + } $candID = $this->timepoint->getCandID(); $this->candidate = \Candidate::singleton($candID); parent::loadResources($user, $request); - return (new \LORIS\Http\Response()) - ->withBody(new \LORIS\Http\StringStream($this->display() ?? "")); } /** diff --git a/php/libraries/NDB_Page.class.inc b/php/libraries/NDB_Page.class.inc index 5539f5c679f..0312fe798f5 100644 --- a/php/libraries/NDB_Page.class.inc +++ b/php/libraries/NDB_Page.class.inc 
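Review bot: The explicit 404 responses are replaced by thrown exceptions, but the Module.class.inc hunk in this series that calls `loadResources()` has no catch, so whether an invalid or unknown session still yields a 404 rather than a 500 now depends on an outer handler not visible here and is worth confirming. In the catch, `throw new \LorisException("Session not found")` discards the caught exception; passing it as `previous` keeps the original cause available for logging. The start of `loadResources()` is not visible in this hunk.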
@@ -716,13 +716,11 @@ class NDB_Page implements RequestHandlerInterface * @param User $user The user to load the resources for * @param ServerRequestInterface $request The PSR15 Request being handled * - * @return ResponseInterface + * @return void */ public function loadResources( \User $user, ServerRequestInterface $request - ) : ResponseInterface { - return (new \LORIS\Http\Response()) - ->withBody(new \LORIS\Http\StringStream($this->display() ?? "")); + ) : void { } /** From 195544cb9b154b33b93d2d908fcda90358aad26d Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Mon, 29 Jun 2020 16:09:44 -0400 Subject: [PATCH 5/9] CHanged exception handling --- modules/electrophysiology_browser/php/sessions.class.inc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index fabba6b6158..1fb33d2fa79 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -60,7 +60,8 @@ class Sessions extends \NDB_Page * @param \User $user The user to load the resources for * @param ServerRequestInterface $request The PSR15 Request being handled * - * @throws \LorisException If the session is non-numerical or does not exist + * @throws \DomainException If the session id is non-numerical + * @throws \LorisException If the session is not found * * @return void */ @@ -72,7 +73,7 @@ class Sessions extends \NDB_Page $matches = []; if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) { - throw new \LorisException("Invalid session"); + throw new \DomainException("Invalid session"); } $session_id = intval($matches[1]); try { @@ -81,7 +82,7 @@ class Sessions extends \NDB_Page ); $this->sessionID = $session_id; } catch(\LorisException $e) { - throw new \LorisException("Session not found"); + throw $e; } $candID = $this->timepoint->getCandID(); 
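Review bot: The docblock on `loadResources()` should state its contract now that Module calls it before `_hasAccess()` on every page: it runs before authorization, it must only load the state the permission check needs, and a page should signal a missing resource by throwing rather than rendering. A line such as `Called by Module before _hasAccess(); must not render output or perform privileged work.` would make that ordering explicit to subclass authors. The enclosing class continues outside the hunk.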
From 628e247c206dd0d947f746b7446584cbaf68ac70 Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Mon, 29 Jun 2020 17:03:10 -0400 Subject: [PATCH 6/9] Removing try-catch --- .../electrophysiology_browser/php/sessions.class.inc | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 1fb33d2fa79..9812d1a7a03 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -76,14 +76,9 @@ class Sessions extends \NDB_Page throw new \DomainException("Invalid session"); } $session_id = intval($matches[1]); - try { - $this->timepoint = \NDB_Factory::singleton()->timepoint( - $session_id - ); - $this->sessionID = $session_id; - } catch(\LorisException $e) { - throw $e; - } + + $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id); + $this->sessionID = $session_id; $candID = $this->timepoint->getCandID(); $this->candidate = \Candidate::singleton($candID); From e98ffdd11c9bce19c20c43dce13408c3281b074b Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Thu, 9 Jul 2020 14:16:00 -0400 Subject: [PATCH 7/9] Changed exception to NotFound --- modules/electrophysiology_browser/php/sessions.class.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 9812d1a7a03..34af551c15a 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc 
@@ -60,7 +60,7 @@ class Sessions extends \NDB_Page * @param \User $user The user to load the resources for * @param ServerRequestInterface $request The PSR15 Request being handled * - * @throws \DomainException If the session id is non-numerical + * @throws \NotFound If the session id is non-numerical * @throws \LorisException If the session is not found * * @return void @@ -73,7 +73,7 @@ class Sessions extends \NDB_Page $matches = []; if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) { - throw new \DomainException("Invalid session"); + throw new \NotFound("Invalid session"); } $session_id = intval($matches[1]); From bae5954e0a53ade5c40390c5f7d821e3db29bd10 Mon Sep 17 00:00:00 2001 From: AlexandraLivadas Date: Wed, 15 Jul 2020 11:28:15 -0400 Subject: [PATCH 8/9] Changed to 404 Not Found --- .../electrophysiology_browser/php/sessions.class.inc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 34af551c15a..783807389d7 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -77,8 +77,14 @@ class Sessions extends \NDB_Page } $session_id = intval($matches[1]); - $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id); - $this->sessionID = $session_id; + try { + $this->timepoint = \NDB_Factory::singleton()->timepoint( + $session_id + ); + $this->sessionID = $session_id; + } catch(\LorisException $e) { + throw new \NotFound("Session not found"); + } $candID = $this->timepoint->getCandID(); $this->candidate = \Candidate::singleton($candID); From bf3574771afcbae88cad85bc7e1fb28e725063b4 Mon Sep 17 00:00:00 2001 
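Review bot: After the third hunk both failure paths throw \NotFound, but the docblock updated in the first hunk still says `@throws \LorisException If the session is not found`; it should read `@throws \NotFound If the session id is non-numerical or the session does not exist`. The catch also drops the caught exception: `throw new \NotFound("Session not found", 0, $e);` keeps the original cause for logging, assuming \NotFound retains the standard \Exception constructor. The catch only covers \LorisException, so any other failure from timepoint() still propagates unchanged, which is presumably intended. loadResources() continues outside the third hunk.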
From: AlexandraLivadas Date: Wed, 15 Jul 2020 13:56:54 -0400 Subject: [PATCH 9/9] Checks timepoint project ID --- modules/electrophysiology_browser/php/sessions.class.inc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc index 783807389d7..01ef3b3adff 100644 --- a/modules/electrophysiology_browser/php/sessions.class.inc +++ b/modules/electrophysiology_browser/php/sessions.class.inc @@ -50,7 +50,7 @@ class Sessions extends \NDB_Page return (($user->hasPermission('electrophysiology_browser_view_allsites') || ($user->hasCenter($this->timepoint->getCenterID()) && $user->hasPermission('electrophysiology_browser_view_site')) - ) && $user->hasProject($this->candidate->getProjectID())); + ) && $user->hasProject($this->timepoint->getProject()->getId())); } /** @@ -86,9 +86,6 @@ class Sessions extends \NDB_Page throw new \NotFound("Session not found"); } - $candID = $this->timepoint->getCandID(); - $this->candidate = \Candidate::singleton($candID); - parent::loadResources($user, $request); }
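Review bot: With the `\Candidate::singleton()` lookup removed in the second hunk, the `protected $candidate;` property introduced earlier in this series is never assigned and should be deleted. `_hasAccess()` in the first hunk still assumes `loadResources()` ran first; a null `$this->timepoint` would produce an Error rather than a denied check, so consider `if ($this->timepoint === null) { return false; }` at the top so the permission check fails closed. Whether `getProject()` can return null is not visible here; if it can, the same guard should cover it.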