From 5ab9fc7edabdbf8e0f121b5a2f5346a8d880c1d7 Mon Sep 17 00:00:00 2001 From: Saagar Arya Date: Fri, 2 Jun 2023 14:30:33 -0400 Subject: [PATCH 01/10] [Timepoint List] Hide visits that are from user unaffiliated projects --- modules/timepoint_list/php/timepoint_list.class.inc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 9ec68246c77..7843848de6a 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -104,7 +104,9 @@ class Timepoint_List extends \NDB_Menu $listOfTimePoints = array_filter( $listOfTimePoints, function ($timePoint) use ($user) { - return $timePoint->isAccessibleBy($user); + return + $timePoint->isAccessibleBy($user) + && $user->hasProject($timePoint->getProjectID()); } ); } From 07a256298571ab3b0bffa984e941634397d0b270 Mon Sep 17 00:00:00 2001 From: Saagar Arya Date: Mon, 12 Jun 2023 09:58:53 -0400 Subject: [PATCH 02/10] change new access profile --- modules/timepoint_list/php/timepoint_list.class.inc | 3 +-- php/libraries/Candidate.class.inc | 5 ++++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 7843848de6a..4ce97a5210b 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -105,8 +105,7 @@ class Timepoint_List extends \NDB_Menu $listOfTimePoints, function ($timePoint) use ($user) { return - $timePoint->isAccessibleBy($user) - && $user->hasProject($timePoint->getProjectID()); + $timePoint->isAccessibleBy($user); } ); } diff --git a/php/libraries/Candidate.class.inc b/php/libraries/Candidate.class.inc index 4e4eff48f71..c452a20d5d6 100644 --- a/php/libraries/Candidate.class.inc +++ b/php/libraries/Candidate.class.inc @@ -664,15 +664,18 @@ class Candidate implements \LORIS\StudyEntities\AccessibleResource, $visitLabelArray = []; $candID = $this->getCandID(); + $user = \User::singleton($_SESSION['State']->getUsername()); // make a local reference to the Database object // $db = $factory->database(); - $query = "SELECT ID, Visit_label FROM session + $query = "SELECT ID, Visit_label, ProjectID FROM session WHERE CandID=:Candidate AND Active='Y' ORDER BY ID"; $result = $db->pselect($query, ['Candidate' => $candID]); + + // map the array [VisitNo]=>Visit_label foreach ($result as $row) { $visitLabelArray[$row["ID"]] = $row["Visit_label"]; From 7e5537dcdb1f9be6163493d800cd3be90a516071 Mon Sep 17 00:00:00 2001 From: Saagar Arya Date: Mon, 12 Jun 2023 10:44:44 -0400 Subject: [PATCH 03/10] undo timepoint_list change --- modules/timepoint_list/php/timepoint_list.class.inc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 4ce97a5210b..9ec68246c77 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -104,8 +104,7 @@ class Timepoint_List extends \NDB_Menu $listOfTimePoints = array_filter( $listOfTimePoints, function ($timePoint) use ($user) { - return - $timePoint->isAccessibleBy($user); + return $timePoint->isAccessibleBy($user); } ); } From 5f22898448b3db2ff1e1cc2e25ba1e0f3230ef6e Mon Sep 17 00:00:00 2001 From: Saagar Arya Date: Tue, 13 Jun 2023 15:31:50 -0400 Subject: [PATCH 04/10] Fix timepoint_list --- .../timepoint_list/php/timepoint_list.class.inc | 15 +++++++-------- php/libraries/Candidate.class.inc | 5 +---- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 9ec68246c77..5ca75e99aab 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -100,14 +100,13 @@ class Timepoint_List extends \NDB_Menu $listOfSessionIDs, ); - if ($user->hasPermission('access_all_profiles') === false) { - $listOfTimePoints = array_filter( - $listOfTimePoints, - function ($timePoint) use ($user) { - return $timePoint->isAccessibleBy($user); - } - ); - } + + $listOfTimePoints = array_filter( + $listOfTimePoints, + function ($timePoint) use ($user) { + return $timePoint->isAccessibleBy($user); + } + ); /* * List of visits diff --git a/php/libraries/Candidate.class.inc b/php/libraries/Candidate.class.inc index c452a20d5d6..4e4eff48f71 100644 --- a/php/libraries/Candidate.class.inc +++ b/php/libraries/Candidate.class.inc @@ -664,18 +664,15 @@ class Candidate implements \LORIS\StudyEntities\AccessibleResource, $visitLabelArray = []; $candID = $this->getCandID(); - $user = \User::singleton($_SESSION['State']->getUsername()); // make a local reference to the Database object // $db = $factory->database(); - $query = "SELECT ID, Visit_label, ProjectID FROM session + $query = "SELECT ID, Visit_label FROM session WHERE CandID=:Candidate AND Active='Y' ORDER BY ID"; $result = $db->pselect($query, ['Candidate' => $candID]); - - // map the array [VisitNo]=>Visit_label foreach ($result as $row) { $visitLabelArray[$row["ID"]] = $row["Visit_label"]; From 692b8ba4e8700b6a2b99537616fcfd743dd47fa2 Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Tue, 13 Jun 2023 16:25:27 -0400 Subject: [PATCH 05/10] remove spacing for es lint --- modules/timepoint_list/php/timepoint_list.class.inc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 5ca75e99aab..927ba99d339 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -99,7 +99,6 @@ class Timepoint_List extends \NDB_Menu }, $listOfSessionIDs, ); - $listOfTimePoints = array_filter( $listOfTimePoints, From 823348d329fac28c77c819602bab9ed4f9acdfe6 Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Wed, 14 Jun 2023 09:49:07 -0400 Subject: [PATCH 06/10] Remove a space for ES Lint --- modules/timepoint_list/php/timepoint_list.class.inc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc index 927ba99d339..107ffcf5806 100644 --- a/modules/timepoint_list/php/timepoint_list.class.inc +++ b/modules/timepoint_list/php/timepoint_list.class.inc @@ -99,7 +99,6 @@ class Timepoint_List extends \NDB_Menu }, $listOfSessionIDs, ); - $listOfTimePoints = array_filter( $listOfTimePoints, function ($timePoint) use ($user) { From a67b89d8ea24b9ed57b26c6f94e4f1f3bd8ccebe Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Wed, 14 Jun 2023 14:53:27 -0400 Subject: [PATCH 07/10] Add to the test plan --- modules/candidate_profile/test/TestPlan.md | 1 + modules/timepoint_list/test/TestPlan.md | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/candidate_profile/test/TestPlan.md b/modules/candidate_profile/test/TestPlan.md index 664ad07c5c6..f427911fc83 100644 --- a/modules/candidate_profile/test/TestPlan.md +++ b/modules/candidate_profile/test/TestPlan.md @@ -50,6 +50,7 @@ that widget (ie. the media module for CandID 587630 (DCC090) or CandID 300001 (M 4. Ensure that, when the module which added the extra `CandidateInfo` terms is disabled, the terms from that module no longer show up in the `Candidate Info` card. +5. Ensure that you cannot access profiles from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. All other widgets are part of other modules, and should be tested as part of that module's testing. diff --git a/modules/timepoint_list/test/TestPlan.md b/modules/timepoint_list/test/TestPlan.md index 7e9a020ce34..242466319e3 100644 --- a/modules/timepoint_list/test/TestPlan.md +++ b/modules/timepoint_list/test/TestPlan.md @@ -5,6 +5,7 @@ - For a candidate of a different site than your user, ensure that either - `access_all_profiles` permission is required - or that the candidate's registration site is the same as the user's site + - Ensure that you cannot access profiles from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. 2. **Action buttons** - For a candidate of a different site than your user, attempt to access the timepoint list via the url. The page should load with a message of 'Permission Denied'. - For a candidate of the same site as your user, there should be up to 3 additional buttons: From 59fd9159e8d281a200f0fef7d699f8c3f88c0099 Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Wed, 14 Jun 2023 15:12:53 -0400 Subject: [PATCH 08/10] Fix test plan update --- modules/candidate_profile/test/TestPlan.md | 2 +- modules/timepoint_list/test/TestPlan.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/candidate_profile/test/TestPlan.md b/modules/candidate_profile/test/TestPlan.md index f427911fc83..dbf933b31fc 100644 --- a/modules/candidate_profile/test/TestPlan.md +++ b/modules/candidate_profile/test/TestPlan.md @@ -50,7 +50,7 @@ that widget (ie. the media module for CandID 587630 (DCC090) or CandID 300001 (M 4. Ensure that, when the module which added the extra `CandidateInfo` terms is disabled, the terms from that module no longer show up in the `Candidate Info` card. -5. Ensure that you cannot access profiles from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. +5. Ensure that you cannot see visits from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. All other widgets are part of other modules, and should be tested as part of that module's testing. diff --git a/modules/timepoint_list/test/TestPlan.md b/modules/timepoint_list/test/TestPlan.md index 242466319e3..dc796eb220f 100644 --- a/modules/timepoint_list/test/TestPlan.md +++ b/modules/timepoint_list/test/TestPlan.md @@ -5,7 +5,7 @@ - For a candidate of a different site than your user, ensure that either - `access_all_profiles` permission is required - or that the candidate's registration site is the same as the user's site - - Ensure that you cannot access profiles from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. + - Ensure that you cannot see visits from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. 2. **Action buttons** - For a candidate of a different site than your user, attempt to access the timepoint list via the url. The page should load with a message of 'Permission Denied'. - For a candidate of the same site as your user, there should be up to 3 additional buttons: From d1fdb74b8f7c87f96f92bc885dbaa9306d6ecc28 Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:33:47 -0400 Subject: [PATCH 09/10] Update modules/candidate_profile/test/TestPlan.md Co-authored-by: Zaliqa --- modules/candidate_profile/test/TestPlan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/candidate_profile/test/TestPlan.md b/modules/candidate_profile/test/TestPlan.md index dbf933b31fc..53bda8a7767 100644 --- a/modules/candidate_profile/test/TestPlan.md +++ b/modules/candidate_profile/test/TestPlan.md @@ -50,7 +50,7 @@ that widget (ie. the media module for CandID 587630 (DCC090) or CandID 300001 (M 4. Ensure that, when the module which added the extra `CandidateInfo` terms is disabled, the terms from that module no longer show up in the `Candidate Info` card. -5. Ensure that you cannot see visits from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. +5. Ensure that you can always only see visits from projects that you are affiliated with. All other widgets are part of other modules, and should be tested as part of that module's testing. From 444e05f3e4a08c3e4cc4c77eca28675c1562c471 Mon Sep 17 00:00:00 2001 From: Saagar Arya <51128536+skarya22@users.noreply.github.com> Date: Thu, 15 Jun 2023 11:07:17 -0400 Subject: [PATCH 10/10] Update other test plan too --- modules/timepoint_list/test/TestPlan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/timepoint_list/test/TestPlan.md b/modules/timepoint_list/test/TestPlan.md index dc796eb220f..f9e7990b69c 100644 --- a/modules/timepoint_list/test/TestPlan.md +++ b/modules/timepoint_list/test/TestPlan.md @@ -5,7 +5,7 @@ - For a candidate of a different site than your user, ensure that either - `access_all_profiles` permission is required - or that the candidate's registration site is the same as the user's site - - Ensure that you cannot see visits from projects that you are not affiliated with. This behaviour is still expected when you have permission `access_all_profiles`. + - Ensure that you can always only see visits from projects that you are affiliated with. 2. **Action buttons** - For a candidate of a different site than your user, attempt to access the timepoint list via the url. The page should load with a message of 'Permission Denied'. - For a candidate of the same site as your user, there should be up to 3 additional buttons: