From 5f078445f69da9b57e417840350cfa72dc47b2c9 Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 15:45:30 -0400
Subject: [PATCH 1/7] dicom archive - add project permission check based on tarchiveID
---
 .../dicom_archive/php/viewdetails.class.inc | 43 ++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index b6563903374..8f8a65ac741 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -51,7 +51,48 @@ class ViewDetails extends \NDB_Form
      */
     function _hasAccess(\User $user) : bool
     {
-        return $user->hasPermission('dicom_archive_view_allsites');
+        // remove the possibility to have no tarchive ID in this page
+        if (empty($_REQUEST['tarchiveID'])) {
+            // defaults to permission denied
+            return false;
+        }
+
+        // get project ID from Tarchive ID.
+        $tarchiveID = intval($_REQUEST['tarchiveID']);
+        $projectID = self::getProjectFromTarchiveID($tarchiveID);
+        if (is_null($projectID)) {
+            return false;
+        }
+
+        // check permissions
+        return $user->hasPermission('dicom_archive_view_allsites')
+            && $user->hasProject($projectID);
+    }
+
+    /**
+     * Get the ProjectID attached to a given tarchive ID.
+     *
+     * @param int $tarchiveID a tarchiveID
+     *
+     * @return ProjectID|null a ProjectID if found, else null
+     */
+    private static function getProjectFromTarchiveID(int $tarchiveID): ?\ProjectID
+    {
+        $db = \NDB_Factory::singleton()->database();
+        $pid = $db->pselectOne(
+            "SELECT p.ProjectID
+             FROM tarchive t
+             JOIN session s ON (t.SessionID = s.ID)
+             JOIN Project p ON (p.ProjectID = s.ProjectID)
+             WHERE t.TarchiveID = :tar
+             ORDER BY 1",
+            ['tar' => $tarchiveID]
+        );
+        //
+        if (is_null($pid)) {
+            return null;
+        }
+        return new \ProjectID($pid);
     }
 
     /**
From dad42270ecfaa13cb863877d43b91221a061b92e Mon Sep 17 00:00:00 2001
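Review bot: The new `_hasAccess` fails closed for any tarchive that has no matching `session` row, because `getProjectFromTarchiveID` uses an inner `JOIN session s ON (t.SessionID = s.ID)` and `_hasAccess` returns false when the lookup yields null; if `tarchive.SessionID` can be NULL for archives not yet linked to a session, users holding `dicom_archive_view_allsites` lose access to exactly those archives, which the commit message does not call out. If that is intended, state it in the `_hasAccess` docblock (its opening is above the hunk), e.g. `* Requires dicom_archive_view_allsites AND membership in the project of the session the tarchive is linked to; a tarchive with no session is never viewable.`; if it is not, the null case needs a deliberate fallback rather than a silent deny. Note also that the project comes from the session, so no site/centre restriction is applied here — consistent with the permission name, but a one-line comment would make that omission read as deliberate.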
From: regisoc
Date: Tue, 24 Sep 2024 15:53:55 -0400
Subject: [PATCH 2/7] remove unnecessary line
---
 modules/dicom_archive/php/viewdetails.class.inc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index 8f8a65ac741..cd130fddf35 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -84,8 +84,7 @@ class ViewDetails extends \NDB_Form
              FROM tarchive t
              JOIN session s ON (t.SessionID = s.ID)
              JOIN Project p ON (p.ProjectID = s.ProjectID)
-             WHERE t.TarchiveID = :tar
-             ORDER BY 1",
+             WHERE t.TarchiveID = :tar",
             ['tar' => $tarchiveID]
         );
         //
From aee5e8a600ce76803f0fec144207c17ca38b64db Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 15:58:31 -0400
Subject: [PATCH 3/7] lint
---
 modules/dicom_archive/php/viewdetails.class.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index cd130fddf35..d1f0704cdbf 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -76,9 +76,9 @@ class ViewDetails extends \NDB_Form
      *
      * @return ProjectID|null a ProjectID if found, else null
      */
-    private static function getProjectFromTarchiveID(int $tarchiveID): ?\ProjectID
+    private static function _getProjectFromTarchiveID(int $tarchiveID): ?\ProjectID
     {
-        $db = \NDB_Factory::singleton()->database();
+        $db = \NDB_Factory::singleton()->database();
         $pid = $db->pselectOne(
             "SELECT p.ProjectID
              FROM tarchive t
From 0b8519c9aff298376d84e0b616f4b3546179a4ea Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 16:18:32 -0400
Subject: [PATCH 4/7] projectID singleton
---
 modules/dicom_archive/php/viewdetails.class.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index d1f0704cdbf..f7dd78f1501 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -91,7 +91,7 @@ class ViewDetails extends \NDB_Form
         if (is_null($pid)) {
             return null;
         }
-        return new \ProjectID($pid);
+        return \ProjectID::singleton($pid);
     }
 
     /**
From 2b59569fbf6b1195297eaf8df3bbe5dec03f13f5 Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 16:39:51 -0400
Subject: [PATCH 5/7] use loadResources to preload GET tarchiveID
---
 .../dicom_archive/php/viewdetails.class.inc | 34 ++++++++++++++-----
 1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index f7dd78f1501..bad0009eabf 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -13,6 +13,8 @@
  */
 namespace LORIS\dicom_archive;
 
+use \Psr\Http\Message\ServerRequestInterface;
+
 /**
  * Implements the ViewDetails subpage of the dicom_archive module.
  *
@@ -52,14 +54,13 @@ class ViewDetails extends \NDB_Form
     function _hasAccess(\User $user) : bool
     {
         // remove the possibility to have no tarchive ID in this page
-        if (empty($_REQUEST['tarchiveID'])) {
+        if (is_null($this->tarchiveID)) {
             // defaults to permission denied
             return false;
         }
 
         // get project ID from Tarchive ID.
-        $tarchiveID = intval($_REQUEST['tarchiveID']);
-        $projectID = self::getProjectFromTarchiveID($tarchiveID);
+        $projectID = $this->_getProjectFromTarchiveID();
         if (is_null($projectID)) {
             return false;
         }
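Review bot: `_hasAccess` now gates on `is_null($this->tarchiveID)`, but no hunk in this series declares that property, so unless it already exists higher in the class (outside the hunk) it is created dynamically by `loadResources`; reading it before `loadResources` has run raises an undefined-property warning and yields null, which still denies access, and on PHP 8.2+ the dynamic write is deprecated. Declare it explicitly near the top of the class, `private ?int $tarchiveID = null;`, so the deny-by-default value is part of the type and the ordering dependency between `loadResources` and `_hasAccess` is visible. A short comment on the `is_null` check, `// set by loadResources(); null means no usable tarchiveID was supplied`, would make the same point at the use site.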
@@ -70,13 +71,30 @@ class ViewDetails extends \NDB_Form
     }
 
     /**
-     * Get the ProjectID attached to a given tarchive ID.
+     * {@inheritDoc}
+     *
+     * @param \User $user The user this request is for
+     * @param ServerRequestInterface $request The PSR7 request
      *
-     * @param int $tarchiveID a tarchiveID
+     * @return void
+     */
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
+        $gets = $request->getQueryParams();
+        if (is_null($gets['tarchiveID'])) {
+            $this->tarchiveID = null;
+        } else {
+            $this->tarchiveID = intval($gets['tarchiveID']);
+        }
+    }
+
+    /**
+     * Get the ProjectID attached to a given tarchive ID.
      *
-     * @return ProjectID|null a ProjectID if found, else null
+     * @return \ProjectID|null a ProjectID if found, else null
      */
-    private static function _getProjectFromTarchiveID(int $tarchiveID): ?\ProjectID
+    private function _getProjectFromTarchiveID(): ?\ProjectID
     {
         $db = \NDB_Factory::singleton()->database();
         $pid = $db->pselectOne(
@@ -85,7 +103,7 @@ class ViewDetails extends \NDB_Form
              JOIN session s ON (t.SessionID = s.ID)
              JOIN Project p ON (p.ProjectID = s.ProjectID)
              WHERE t.TarchiveID = :tar",
-            ['tar' => $tarchiveID]
+            ['tar' => $this->tarchiveID]
         );
         //
         if (is_null($pid)) {
From f696d58ec53de740a8716e91d0e56a0130ae74f6 Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 16:43:22 -0400
Subject: [PATCH 6/7] lint
---
 modules/dicom_archive/php/viewdetails.class.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index bad0009eabf..0e7446cf4db 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -60,7 +60,7 @@ class ViewDetails extends \NDB_Form
         }
 
         // get project ID from Tarchive ID.
-        $projectID = $this->_getProjectFromTarchiveID();
+        $projectID = $this->_getProjectFromTarchiveID();
         if (is_null($projectID)) {
             return false;
         }
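Review bot: In `loadResources`, `is_null($gets['tarchiveID'])` indexes the query-parameter array without checking that the key exists, so a request with no `tarchiveID` triggers an undefined-array-key warning on PHP 8 before the null branch is taken, and `intval()` then silently maps inputs such as `12abc` to 12 and `abc` to 0. Since this value is the sole input to the access decision, validate it strictly and keep null as the deny value: `$id = filter_var($gets['tarchiveID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);` followed by `$this->tarchiveID = ($id === false) ? null : $id;` replaces the if/else and rejects 0, negatives and non-numeric strings outright. `$user` is unused in this method; if the interface requires the parameter, a `// $user unused: the access decision is made in _hasAccess()` comment documents that. `_getProjectFromTarchiveID`'s body continues past the end of this hunk.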
From 2fe02299544d7c153ca266ab15123aa61458ef3b Mon Sep 17 00:00:00 2001
From: regisoc
Date: Tue, 24 Sep 2024 16:48:32 -0400
Subject: [PATCH 7/7] phan
---
 modules/dicom_archive/php/viewdetails.class.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/dicom_archive/php/viewdetails.class.inc b/modules/dicom_archive/php/viewdetails.class.inc
index 0e7446cf4db..ccb11d3c9ee 100644
--- a/modules/dicom_archive/php/viewdetails.class.inc
+++ b/modules/dicom_archive/php/viewdetails.class.inc
@@ -109,7 +109,7 @@ class ViewDetails extends \NDB_Form
         if (is_null($pid)) {
             return null;
         }
-        return \ProjectID::singleton($pid);
+        return \ProjectID::singleton(intval($pid));
     }
 
     /**