Update Openspecimen to 6.3RC8 #1
Open
ChristianMUG wants to merge 2,727 commits into bibbox:master from krishagni:master
Conversation
…d specimen requirements.
…ge as per the "Toast Display Time" settings.
… used to find the translation...
Retrieving specimens from OpenSpecimen will send a pick request to the freezer. Specimens are removed from the container only on receiving the picked notification from freezer. Specimens stored in automated freezers cannot be distributed, shipped, transferred to another container, disposed, deleted or checked out. They must be first retrieved from the automated freezer before performing any of the aforementioned ops.
1. Allowed users to configure different reports for container shipments and specimen shipments. The existing report is treated as specimen shipment report. For container shipments, the container shipment report is used, if configured. Otherwise, the default specimen shipment report is used. For specimen shipments, the default/existing specimen shipment report is used.
2. Fixed the query SQL generator to automatically use the same set of fields in the order by clause as the group by clause. This ensures the container shipment report using aggregate function generates the container names / rows in the same order as UI. Added container shipment item ID field to the query model. Using this field in the report ensures the order in the report is the same as in UI.
3. Allowed users to track the shipment request status. There is no business logic associated with this status. Any user having shipment update right can change the request status. The request status can be configured using the Dropdown manager - Shipment Request Status. The default statuses shipped with the app are - Approved, In Progress, Fulfilled.
…st status is modified. The email notification is sent to the shipment notif users, if any, shipment sender, shipment requester. The email clearly highlights the old status and new status. Allowed users to filter the shipments list based on the request status. It is obvious the next request from users would be to see the request status on the list view. Therefore, the request status is also shown in the list view along with the shipment status.
… on specimens table. This ensures not all specimens are scanned when querying the reserved specimens.
collect one or more pending specimens.
… the participant has consented. This check is performed only if econsents plugin is installed and validation rules are defined at the CP level.
… list size.
a) Added an API in user roles module to obtain the count of roles satisfying the user criteria.
b) Fixed the cart specimens UI to retrieve the count of specimens
Clicking on the schedule option in the queries list view navigates users to the "Add Schedule Job" with the selected query pre-populated. This function was broken when we implemented the scheduled jobs UI in the new framework.
…rs can download the files and signatures. Knowing file ID alone is no longer sufficient to download the files... Added a migration script to crawl through all the existing forms and their records, store their file IDs in the dyextn_form_files table along with the form records (IDs) owning them: (form_id, record_id, file_id) When a file with certain ID is requested for download, the API searches for the relevant record using file ID as the key. The download request is honored if the record is found and the user has read access on the record (form_id, record_id). Otherwise, the request is rejected.
…d on the file contents. Do not rely solely on the user supplied content type or file extension to decide whether to allow or reject the upload. Here's the process:
File -> Auto detect the content type -> Using content type, guess the file type/extension -> Check whether the guessed file type/extension is one of the allowed -> If yes, go to next step. Otherwise, reject the upload. -> Check whether the uploaded file extension is one of the allowed -> If yes, allow the upload. Otherwise, reject the upload.
Case where it doesn't work: JavaScript, Python programming files are detected as text/plain, which in turn translates to .txt file. So if the system is configured to reject the upload of such files then it fails when the JS/Python files are uploaded as .txt. IMO, this is OK. Because these are not readily executable...
1. Sanitised the user input before rendering on the UI.
2. Implemented evalJavaScript function that runs user provided JavaScripts in the sandboxed environment devoid of window, document, localStorage, cookies and all other facilities that could be deemed as security threat.
get rid of the dynamically string formatted HQLs. This is done to ensure there are no false alarms by the code scanning tools. Used the criteria API to construct dynamic query and get the required results.
…y threats)
1. Created temp files inside $OS_DATA/tmp directory instead of the one specified in java.io.tmpdir. This ensures temporary files can be accessed by only those VM users who have access to OpenSpecimen data.
2. Measures to prevent ZIP bomb attacks. This is done by ensuring the number of files/entries in the inflated ZIP are not more than 100 and cumulative inflated size is not more than 1GB.
3. Replaced the regular expression that takes polynomial time with the simpler & restricted string manipulation logic.
4. Used SecureRandom to generate pseudo-random numbers instead of Random. Even Random was safe because it was invoked as many times as the number of digits in the OTP.
5. Ensured all the stack traces are printed in OpenSpecimen log files instead of Tomcat's console/log file.
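An added illustration of the ZIP limits described in point 2 above (example code, not OpenSpecimen's own): entries and inflated bytes are counted as they are actually produced by the inflater, because the sizes recorded in the archive headers are attacker-controlled and cannot be trusted. The `EntryHandler` callback and the class name are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class SafeZipReader {
    // Limits stated in the commit message: at most 100 entries, at most 1 GB inflated in total.
    static final int MAX_ENTRIES = 100;
    static final long MAX_TOTAL_BYTES = 1024L * 1024 * 1024;

    /** Hypothetical consumer of the inflated data; what the caller does with each chunk. */
    public interface EntryHandler {
        void onData(ZipEntry entry, byte[] buf, int len) throws IOException;
    }

    /**
     * Inflates every entry of the archive, stopping with an IOException as soon as either
     * limit is crossed. Returns the total number of inflated bytes when the archive is accepted.
     */
    public static long inflateWithLimits(InputStream in, EntryHandler handler) throws IOException {
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("ZIP rejected: more than " + MAX_ENTRIES + " entries");
                }
                // entry.getSize() is read from the header and can be forged, so it is ignored here;
                // only bytes the inflater really emits are counted against the budget.
                int n;
                while ((n = zis.read(buf)) != -1) {
                    total += n;
                    if (total > MAX_TOTAL_BYTES) {
                        throw new IOException("ZIP rejected: inflated size exceeds " + MAX_TOTAL_BYTES + " bytes");
                    }
                    handler.onData(entry, buf, n);
                }
                zis.closeEntry();
            }
        }
        return total;
    }
}
```

Because the check runs inside the read loop, a bomb is aborted after roughly 1 GB of output rather than after the whole archive has been written to disk.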
Following requests are allowed:
1) Requests without Origin header
2) Requests with Origin header value matching the requested URL/resource
3) Requests with Origin header value present/whitelisted in "Allowed Request Origins" setting
All other requests are rejected. Requests that have no Origin header at all are allowed.
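The three rules above, as an added example (not OpenSpecimen's own filter code). Origins are compared as scheme, host and port only, with default ports made explicit, so that an Origin of `https://example.org` and a request URL of `https://example.org:443/rest/...` match under rule 2. The method and class names are assumptions of this example.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class OriginCheck {
    /**
     * Rule 1: no Origin header -> allowed.
     * Rule 2: Origin equals the origin of the requested URL -> allowed.
     * Rule 3: Origin is in the configured "Allowed Request Origins" set -> allowed.
     * Everything else, including an unparsable Origin such as the literal "null", is rejected.
     */
    public static boolean isAllowed(String requestUrl, String originHeader, Set<String> allowedOrigins) {
        if (originHeader == null || originHeader.trim().isEmpty()) {
            return true; // rule 1
        }
        String origin = normalize(originHeader);
        if (origin == null) {
            return false; // opaque or malformed Origin cannot match anything
        }
        if (origin.equals(normalize(requestUrl))) {
            return true; // rule 2
        }
        for (String allowed : allowedOrigins) {
            if (origin.equals(normalize(allowed))) {
                return true; // rule 3
            }
        }
        return false;
    }

    /** Reduces a URL to "scheme://host:port"; returns null when scheme or host is missing. */
    static String normalize(String url) {
        try {
            URI u = new URI(url.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) {
                port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
            }
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (Exception e) {
            return null;
        }
    }
}
```

Whitelist entries are normalized the same way, so a configured value with a trailing path or a differently cased host still compares correctly.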
custom fields when the visit status was set to Missed Collection. With this change, all fields are displayed all time irrespective of the visit status unless explicit show/hide conditions are configured for the individual fields...
Problem: the context passed to evaluate the rules was missing CP & specimen details...
…mining whether the user has appropriate rights to view the form data & its files or not.
…ioned in the system
…n the hierarchical relationship between requirements (sans SR codes) when exporting and importing on 2 different instances.
1. UID and Parent UID is added when exporting the requirements. These are transient fields that do not exist in the database or query results.
2. The UIDs if present are used by the importer to identify & create the parent-child relationship.
3. UID is used only if the SR codes cannot be used
1. Allow use of $extendedObj in rules specified in the custom fields form.
2. Allow use of unqualified names
(Survey authentication context)
…ult-current-date attribute is specified on the widget.
…t to the context...
(when the users switch to survey mode as signed-in user)
via locale API response instead of making a config-setting API call. The config-setting API call requires authenticated session, which is not available in the survey mode.
Useful in compiling the econsent HTML docs into virtual DOM that will be rendered by Vue...
Getting the newest branch from openspecimen