From bff9931c67d86cc71aec2e4f81f790bbb9f2f267 Mon Sep 17 00:00:00 2001
From: racostas <37309344+racostas@users.noreply.github.com>
Date: Wed, 24 Apr 2024 13:09:26 -0400
Subject: [PATCH] [examiner] Adds permission check when adding examiner to site. (#9188)

Permissions are check now before allowing to add examiner to site. Before this, a user with only the permission Examiner: Add and Certify Examiners - Own Sites was able to add examiners to sites it don't belongs to. Now this feature is only granted to users with the corresponding level of permission.

Fixes #9149
---
 modules/examiner/php/addexaminer.class.inc | 10 ++++++++++
 modules/examiner/php/examiner.class.inc | 10 ++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/modules/examiner/php/addexaminer.class.inc b/modules/examiner/php/addexaminer.class.inc
index 7b23c2a504b..0322ed9c305 100644
--- a/modules/examiner/php/addexaminer.class.inc
+++ b/modules/examiner/php/addexaminer.class.inc
@@ -64,6 +64,16 @@ class AddExaminer extends \NDB_Page
 $fullName = $values['addName'] ?? '';
 $siteID = $values['addSite'] ?? '';
+ // check for site permissions
+ $user = \User::singleton();
+ if (!$user->hasPermission('examiner_multisite')
+ && !in_array($siteID, $user->getCenterIDs())
+ ) {
+ return new \LORIS\Http\Response\JSON\Forbidden(
+ 'Permission denied: You cannot assign examiner to this Site.'
+ );
+ };
+
 if ($this->examinerExists($fullName, $siteID)) {
 return new \LORIS\Http\Response\JSON\Conflict(
 'This examiner already exists.'
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index 4c20d978d4c..d057b812338 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
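Review bot: The new guard compares the request-supplied `$siteID` against `$user->getCenterIDs()` with a loose `in_array`, so whether a site matches depends on PHP's type juggling between whatever `addSite` carries (a string after the `?? ''` fallback) and the element type returned by `getCenterIDs()`, which this hunk does not show. If those elements are plain ints or strings, normalise `$siteID` to the same type and pass `strict: true`; if they are value objects, add a comment such as `// loose comparison on purpose: CenterIDs compare via their string form` so the next reader does not "fix" it into a check that rejects every non-multisite user. The stray `;` after the closing brace (`};`) is an empty statement and should be dropped. The enclosing method starts and ends outside the hunk.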
@@ -75,10 +75,16 @@ class Examiner extends \DataFrameworkMenu
 $useCertification = ($this->useCertification == 1) ? true : false;
+ $user = \User::singleton();
+ if ($user->hasPermission('examiner_multisite')) {
+ $sites = \Utility::getSiteList(false);
+ } else {
+ $sites = $user->getStudySites();
+ }
 return [
- 'sites' => \Utility::getSiteList(false),
+ 'sites' => $sites,
 'radiologists' => $yesNoOptions,
- 'useCertification' => $useCertification,
+ 'useCertification' => $useCertification,
 ];
 }
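Review bot: The site list offered to non-multisite users here comes from `$user->getStudySites()`, while the server-side check added to addexaminer.class.inc in the same commit accepts only sites in `$user->getCenterIDs()`; unless those two sets are guaranteed identical, the form can offer a site the handler then rejects with Forbidden, or omit one it would accept. Both places should derive the permitted sites from the same call, and the `'examiner_multisite'` literal now duplicated across the two files would be safer held once as a class constant the handler reuses. The hunk also gives no indication that `getStudySites()` returns the same array shape as `\Utility::getSiteList(false)` that the `'sites'` entry previously carried, which is worth confirming before merge. The enclosing method starts outside the hunk.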