From e0fc3421883581f11749443afa0d1eb7a6b3d651 Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Tue, 2 Apr 2024 04:51:49 +0000
Subject: [PATCH 1/7] [examiner] Adds permission check when adding examiner to site.
---
 modules/examiner/php/addexaminer.class.inc | 15 +++++++++++++++
 modules/examiner/php/examiner.class.inc | 17 +++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/modules/examiner/php/addexaminer.class.inc b/modules/examiner/php/addexaminer.class.inc
index 7b23c2a504b..55edb751dde 100644
--- a/modules/examiner/php/addexaminer.class.inc
+++ b/modules/examiner/php/addexaminer.class.inc
@@ -64,6 +64,21 @@ class AddExaminer extends \NDB_Page
 $fullName = $values['addName'] ?? '';
 $siteID = $values['addSite'] ?? '';
+ // check for site permissions
+ $user = \User::singleton();
+ if (!$user->hasAnyPermission(
+ [
+ 'superuser',
+ 'examiner_multisite',
+ ]
+ )
+ && !in_array($siteID, $user->getCenterIDs())
+ ) {
+ return new \LORIS\Http\Response\JSON\Conflict(
+ 'Permission denied: You cannot assign examiner to this Site.'
+ );
+ };
+
 if ($this->examinerExists($fullName, $siteID)) {
 return new \LORIS\Http\Response\JSON\Conflict(
 'This examiner already exists.'
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index 4c20d978d4c..c27fb31234d 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
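Review bot: The new site check at `!in_array($siteID, $user->getCenterIDs())` uses a loose comparison, so whether the request value from `$values['addSite']` (a string, or `''` when absent) matches depends on PHP's type juggling against whatever `getCenterIDs()` returns, and an authorization decision should not rest on that. Normalise both sides to one scalar type and pass the strict flag, e.g. `!in_array((string) $siteID, array_map(static fn ($id) => (string) $id, $user->getCenterIDs()), true)` — confirm against the User class that its centre IDs stringify to the same form the form submits. The trailing `};` after the block's closing brace is an empty statement and can be just `}`. Placing this check ahead of `examinerExists()` is the right order, since it stops a caller without rights to the site from learning which examiners exist there. The enclosing method starts and ends outside the hunk.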
@@ -75,10 +75,23 @@ class Examiner extends \DataFrameworkMenu
 $useCertification = ($this->useCertification == 1) ? true : false;
+ $user = \User::singleton();
+ if ($user->hasAnyPermission(
+ [
+ 'superuser',
+ 'examiner_multisite',
+ ]
+ )
+ ) {
+ $sites = \Utility::getSiteList(false);
+ } else {
+ $sites = $user->getCenterIDs();
+ }
+ $sites = $user->getStudySites();
 return [
- 'sites' => \Utility::getSiteList(false),
+ 'sites' => $sites,
 'radiologists' => $yesNoOptions,
- 'useCertification' => $useCertification,
+ 'useCertification' => $useCertification,
 ];
 }
From 654044b5a68a8b0ae6be8976d1851d3e989af97f Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Tue, 2 Apr 2024 05:23:45 +0000
Subject: [PATCH 2/7] errata
---
 modules/examiner/php/examiner.class.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index c27fb31234d..e8d78485afe 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
@@ -75,7 +75,8 @@ class Examiner extends \DataFrameworkMenu
 $useCertification = ($this->useCertification == 1) ? true : false;
- $user = \User::singleton();
+ $user = \User::singleton();
+ $sites = [];
 if ($user->hasAnyPermission(
 [
 'superuser',
From 9e3cb89d07a04c4e386b271aa2bdb1acd0e89cbb Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Tue, 2 Apr 2024 05:41:10 +0000
Subject: [PATCH 3/7] errata2
---
 modules/examiner/php/examiner.class.inc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index e8d78485afe..d9b74f2eb79 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
@@ -86,9 +86,8 @@ class Examiner extends \DataFrameworkMenu
 ) {
 $sites = \Utility::getSiteList(false);
 } else {
- $sites = $user->getCenterIDs();
+ $sites = $user->getStudySites();
 }
- $sites = $user->getStudySites();
 return [
 'sites' => $sites,
 'radiologists' => $yesNoOptions,
From b50365a130c7de8116ef164c53b638973b0531dd Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Tue, 2 Apr 2024 05:41:10 +0000
Subject: [PATCH 4/7] errata2
---
 modules/examiner/php/examiner.class.inc | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index e8d78485afe..c14b86faaae 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
@@ -76,7 +76,6 @@ class Examiner extends \DataFrameworkMenu
 $useCertification = ($this->useCertification == 1) ? true : false;
 $user = \User::singleton();
- $sites = [];
 if ($user->hasAnyPermission(
 [
 'superuser',
@@ -86,9 +85,8 @@ class Examiner extends \DataFrameworkMenu
 ) {
 $sites = \Utility::getSiteList(false);
 } else {
- $sites = $user->getCenterIDs();
+ $sites = $user->getStudySites();
 }
- $sites = $user->getStudySites();
 return [
 'sites' => $sites,
 'radiologists' => $yesNoOptions,
From c13c615c474c4e29b4074f1ab6d4855eb9fd2830 Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Wed, 24 Apr 2024 14:44:44 +0000
Subject: [PATCH 5/7] fixes: returning Forbidden in place of Conflict, superuser not need to be checked in hasAnyPermission()
---
 modules/examiner/php/addexaminer.class.inc | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/modules/examiner/php/addexaminer.class.inc b/modules/examiner/php/addexaminer.class.inc
index 55edb751dde..23cd7e2a545 100644
--- a/modules/examiner/php/addexaminer.class.inc
+++ b/modules/examiner/php/addexaminer.class.inc
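Review bot: The `else` branch now fills the site dropdown from `$user->getStudySites()`, while the check added to addexaminer.class.inc in [PATCH 1/7] authorises the submitted site against `$user->getCenterIDs()`; unless those two methods are guaranteed to describe the same set, the UI can offer a site the add request then rejects with 403, or the check can accept a site the UI never offered. Define the allowed set once and have both the option list and the server-side check read it from that single helper — confirm in the User class whether getStudySites() and getCenterIDs() are kept in step. The same point applies to the [PATCH 7/7] hunk, which keeps this branch. Separately, [PATCH 3/7] and [PATCH 4/7] both start from index e8d78485afe and 4/7 already contains 3/7's change, so the series probably needs squashing before it applies cleanly. The enclosing method's `];` and closing brace are outside the hunk.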
@@ -66,15 +66,10 @@ class AddExaminer extends \NDB_Page
 // check for site permissions
 $user = \User::singleton();
- if (!$user->hasAnyPermission(
- [
- 'superuser',
- 'examiner_multisite',
- ]
- )
+ if (!$user->hasAnyPermission('examiner_multisite')
 && !in_array($siteID, $user->getCenterIDs())
 ) {
- return new \LORIS\Http\Response\JSON\Conflict(
+ return new \LORIS\Http\Response\JSON\Forbidden(
 'Permission denied: You cannot assign examiner to this Site.'
 );
 };
From 62ee86c0e6102799f0096776ef66ac74eb174ee3 Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Wed, 24 Apr 2024 15:08:36 +0000
Subject: [PATCH 6/7] errata
---
 modules/examiner/php/addexaminer.class.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/examiner/php/addexaminer.class.inc b/modules/examiner/php/addexaminer.class.inc
index 23cd7e2a545..0322ed9c305 100644
--- a/modules/examiner/php/addexaminer.class.inc
+++ b/modules/examiner/php/addexaminer.class.inc
@@ -66,7 +66,7 @@ class AddExaminer extends \NDB_Page
 // check for site permissions
 $user = \User::singleton();
- if (!$user->hasAnyPermission('examiner_multisite')
+ if (!$user->hasPermission('examiner_multisite')
 && !in_array($siteID, $user->getCenterIDs())
 ) {
 return new \LORIS\Http\Response\JSON\Forbidden(
From 797251d6b66706b2b8c8c796d850d1b67091a9df Mon Sep 17 00:00:00 2001
From: lorisadmin
Date: Wed, 24 Apr 2024 15:20:14 +0000
Subject: [PATCH 7/7] errata2
---
 modules/examiner/php/examiner.class.inc | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/modules/examiner/php/examiner.class.inc b/modules/examiner/php/examiner.class.inc
index 784e5bb43b5..d057b812338 100644
--- a/modules/examiner/php/examiner.class.inc
+++ b/modules/examiner/php/examiner.class.inc
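Review bot: With the response changed to Forbidden, a request that omits or blanks `addSite` is also answered with 403 'Permission denied', because `$siteID` falls back to `''` (the `?? ''` default visible in the first patch's context) and an empty string is never in the user's centre list; a missing site is malformed input rather than a permission failure, and conflating the two misleads both the client's error handling and anyone reading access-denied events in the logs. Reject it before the permission check with a 400-class response, e.g. `if ($siteID === '') { return new \LORIS\Http\Response\JSON\BadRequest('addSite is required.'); }`, assuming a BadRequest sibling of the Forbidden class used here exists. [PATCH 6/7] below swaps `hasAnyPermission` for `hasPermission` on the same line, which looks right given that the earlier call passed an array to hasAnyPermission. The enclosing method continues on both sides of the hunk.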
@@ -76,13 +76,7 @@ class Examiner extends \DataFrameworkMenu
 $useCertification = ($this->useCertification == 1) ? true : false;
 $user = \User::singleton();
- if ($user->hasAnyPermission(
- [
- 'superuser',
- 'examiner_multisite',
- ]
- )
- ) {
+ if ($user->hasPermission('examiner_multisite')) {
 $sites = \Utility::getSiteList(false);
 } else {
 $sites = $user->getStudySites();