[dicom archive] add project permission check based on tarchiveID #9359
Conversation
| $tarchiveID = intval($_REQUEST['tarchiveID']); | ||
| $projectID = self::getProjectFromTarchiveID($tarchiveID); | ||
| if (is_null($projectID)) { | ||
| return false; |
There was a problem hiding this comment.
Should this be return true? Otherwise no one will ever be able to see it?
(Maybe a discussion for an imaging meeting?)
There was a problem hiding this comment.
That means the TarchiveID does not exist in db or is not linked to a project.. ?
I was not sure about this. It is even possible?
There was a problem hiding this comment.
Maybe we can involve @cmadjar
There was a problem hiding this comment.
Point added to next imaging meeting.
There was a problem hiding this comment.
I'm assuming it would mean the TarchiveID is not linked to a project
There was a problem hiding this comment.
Imaging meeting: no one should see it by default.
There should be a specific permission to see the list of "dangling TarchiveIDs" (Tarchive not assigned to any Project). Also might be good to have a front-end page for that.
It will be linked to a new issue.
| */ | ||
| private function _getProjectFromTarchiveID(): ?\ProjectID | ||
| { | ||
| $db = \NDB_Factory::singleton()->database(); |
There was a problem hiding this comment.
| $db = \NDB_Factory::singleton()->database(); | |
| $db = $this->loris->getDatabaseConnection(); |
cmadjar
added
the
State: Blocked
Brief summary of changes
This PR checks the user attached projects on top of the
dicom_archive_view_allsitespermission when trying to access theview detailspage.Link(s) to related issue(s)
Resolves #6658