aces · driusan · Jul 15, 2020 · Jun 29, 2020 · Jun 29, 2020 · Jun 29, 2020
diff --git a/modules/electrophysiology_browser/php/sessions.class.inc b/modules/electrophysiology_browser/php/sessions.class.inc
@@ -1,5 +1,4 @@
 <?php declare(strict_types=1);
-
 /**
  * This class features the code for the menu portion of the LORIS
  * electrophysiology browser module.
@@ -37,6 +36,7 @@ class Sessions extends \NDB_Page
     public $skipTemplate = true; // stops from looking for a smarty template
     protected $timepoint;
     protected $sessionID;
+    protected $candidate;
 
     /**
      * Determine whether the user has permission to view this page
@@ -47,11 +47,43 @@ class Sessions extends \NDB_Page
      */
     function _hasAccess(\User $user) : bool
     {
-        return ($user->hasPermission('electrophysiology_browser_view_allsites')
+        return (($user->hasPermission('electrophysiology_browser_view_allsites')
                 || ($user->hasCenter($this->timepoint->getCenterID())
-                && $user->hasPermission('electrophysiology_browser_view_site')
-            )
-        );
+                && $user->hasPermission('electrophysiology_browser_view_site'))
+            ) && $user->hasProject($this->candidate->getProjectID()));
+    }
+
+    /**
+     * Load the required variables in order to check that the  user
+     * has access to the session.
+     *
+     * @param \User                  $user    The user to load the resources for
+     * @param ServerRequestInterface $request The PSR15 Request being handled
+     *
+     * @throws \NotFound If the session id is non-numerical
+     * @throws \LorisException  If the session is not found
+     *
+     * @return void
+     */
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
+
+        $path    = $request->getUri()->getPath();
+        $matches = [];
+
+        if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) {
+            throw new \NotFound("Invalid session");
+        }
+        $session_id = intval($matches[1]);
+
+        $this->timepoint = \NDB_Factory::singleton()->timepoint($session_id);
+        $this->sessionID = $session_id;
+
+        $candID          = $this->timepoint->getCandID();
+        $this->candidate = \Candidate::singleton($candID);
+
+        parent::loadResources($user, $request);
     }
 
     /**
@@ -63,35 +95,9 @@ class Sessions extends \NDB_Page
      */
     public function handle(ServerRequestInterface $request) : ResponseInterface
     {
-        $path       = $request->getUri()->getPath();
         $parameters = $request->getQueryParams();
         $user       = $request->getAttribute('user');
 
-        $matches = [];
-
-        // check that the session ID is of type integer
-        if (preg_match('#/sessions/(\d+)#', $path, $matches) !== 1) {
-            return (new \LORIS\Middleware\PageDecorationMiddleware($user))
-                ->process(
-                    $request,
-                    new \LORIS\Http\StringStream("Invalid session")
-                )->withStatus(404);
-        }
-
-        $session_id = intval($matches[1]);
-        try {
-            $this->timepoint = \NDB_Factory::singleton()->timepoint(
-                $session_id
-            );
-            $this->sessionID = $session_id;
-        } catch(\LorisException $e) {
-            return (new \LORIS\Middleware\PageDecorationMiddleware($user))
-                ->process(
-                    $request,
-                    new \LORIS\Http\StringStream("Session not found")
-                )->withStatus(404);
-        }
-
         if (!$this->_hasAccess($user)) {
             return (new \LORIS\Middleware\PageDecorationMiddleware($user))
                 ->process(

diff --git a/php/libraries/Module.class.inc b/php/libraries/Module.class.inc
@@ -347,7 +347,7 @@ abstract class Module extends \LORIS\Router\PrefixRouter
             } else {
                 $_REQUEST['subtest'] = $pagename;
             }
-
+            $page->loadResources($user, $request);
             if ($page->_hasAccess($user) !== true) {
                 return (new \LORIS\Middleware\PageDecorationMiddleware(
                     $user

diff --git a/php/libraries/NDB_Page.class.inc b/php/libraries/NDB_Page.class.inc
@@ -709,6 +709,20 @@ class NDB_Page implements RequestHandlerInterface
             ->withBody(new \LORIS\Http\StringStream($this->display() ?? ""));
     }
 
+    /**
+     * This function can be overridden in a module's page to load the necessary
+     * resources to check the permissions of a user.
+     *
+     * @param User                   $user    The user to load the resources for
+     * @param ServerRequestInterface $request The PSR15 Request being handled
+     *
+     * @return void
+     */
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
+    }
+
     /**
      * Displays the form
      *