Merge pull request #10084 from driusan/PushForwardv2701

Push v27.0.1 into main

Author: driusan

SQL/Archive/27.0/2025-01-15-Imaging-Uploader-Site-Project-Permissions.sql

@@ -1,7 +1,8 @@
 UPDATE permissions SET code = 'imaging_uploader_allsites', description='Imaging Scans - All Sites' WHERE code='imaging_uploader';
-INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+
+INSERT IGNORE INTO permissions (code, description, moduleID, `action`, categoryID)
 SELECT 'imaging_uploader_ownsites', 'Imaging Scans - Own Sites', ID, 'View/Upload', 2 FROM modules WHERE Name='imaging_uploader';
-INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+INSERT IGNORE INTO permissions (code, description, moduleID, `action`, categoryID)
 SELECT 'imaging_uploader_nosessionid', 'Uploads with No Session Information', ID, 'View', 2 FROM modules WHERE Name='imaging_uploader';
 
 INSERT IGNORE INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) 

SQL/Archive/27.0/2025-01-31-Dicom-Archive-Permissions.sql

@@ -1,5 +1,5 @@
-INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+INSERT IGNORE INTO permissions (code, description, moduleID, `action`, categoryID)
 SELECT 'dicom_archive_nosessionid', 'DICOMs with no session ID', ID, 'View', 2 FROM modules WHERE Name='dicom_archive';
 
-INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+INSERT IGNORE INTO permissions (code, description, moduleID, `action`, categoryID)
 SELECT 'dicom_archive_view_ownsites', 'DICOMs - Own Sites', ID, 'View', 2 FROM modules WHERE Name='dicom_archive';

modules/dataquery/php/provisioners/alluserqueries.class.inc

@@ -32,7 +32,7 @@ class AllUserQueries extends \LORIS\Data\Provisioners\DBRowProvisioner
             FROM dataquery_queries dq
                 -- User named queries
                 LEFT JOIN dataquery_query_names name ON 
-                    (dq.QueryID=name.QueryID AND name.UserID=:userid)
+                    (dq.QueryID=name.QueryID)
                 -- Admin pinned top queries
                 LEFT JOIN dataquery_study_queries_rel dsq ON
                     (dq.QueryID=dsq.QueryID AND PinType='topquery')
@@ -50,7 +50,7 @@ class AllUserQueries extends \LORIS\Data\Provisioners\DBRowProvisioner
                      SELECT QueryID FROM dataquery_study_queries_rel
                         WHERE PinType='topquery'
                 )
-            GROUP BY dq.QueryID
+            GROUP BY dq.QueryID, name.Name, starred.StarredBy
             ",
             ['userid' => $user->getId()]
         );

modules/dicom_archive/php/module.class.inc

@@ -60,7 +60,7 @@ class Module extends \Module
         try {
             $this->validateConfig();
         } catch (\ConfigurationException $e) {
-            error_log($e);
+            error_log($e->getMessage());
             return (new \LORIS\Middleware\PageDecorationMiddleware(
                 $request->getAttribute("user") ?? new \LORIS\AnonymousUser()
             ))->process(

modules/document_repository/php/editcategory.class.inc

@@ -40,7 +40,7 @@ class EditCategory extends \NDB_Page
         return ($user->hasPermission('document_repository_categories')
             && $user->hasAnyPermission(
                 [
-                    'document_repository_upload',
+                    'document_repository_upload_edit',
                     'document_repository_delete',
                 ]
             )

modules/imaging_uploader/ajax/getUploadSummary.php

@@ -18,22 +18,90 @@
  * @link     https://www.github.com/Jkat/Loris-Trunk/
  */
 
-if (!\User::singleton()->hasPermission('imaging_uploader')) {
+// Base access check - user must have either of these permissions
+// more access validation after request validation
+if (!$user->hasAnyPermission(
+    [
+        'imaging_uploader_allsites',
+        'imaging_uploader_ownsites',
+    ]
+)
+) {
     http_response_code(403);
     return;
 }
+$config        = \NDB_Factory::singleton()->config();
+$advancedperms = $config->getSetting('useAdvancedPermissions');
+$user          = \NDB_Factory::singleton()->user();
+$centerString  = implode("','", $user->getCenterIDs());
+$projectString = implode("','", $user->getProjectIDs());
+$username      = $user->getUsername();
+
 if (!validRequest()) {
     http_response_code(400);
     return;
 }
 
 $uploadId = $_POST['uploadId'];
 $summary  = $_POST['summary'] === 'true';
+$DB       = \NDB_Factory::singleton()->database();
+
+// Access Control - mimic menu filter behaviour
+// MySQL order of operations dictates that ANDs get computed before ORs which
+// means this where clause can take the follwoing forms
+// 1. WHERE mu.UploadedBy='$username' OR 1=1
+//      -> returns all records
+// 2. WHERE mu.UploadedBy='$username' OR (1=1 AND s.CenterID IN ...)
+//      -> returns records for user's sites
+// 3. WHERE mu.UploadedBy='$username' OR (1=1 AND s.ProjectID IN ...)
+//      -> returns records for user's projects
+// 4. WHERE mu.UploadedBy='$username'
+//        OR (1=1 AND s.CenterID IN ... AND s.ProjectID IN ...)
+//      -> returns records for user's sites and projects
+// 5. WHERE mu.UploadedBy='$username'
+//        OR (1=1 AND s.CenterID IN ... AND s.ProjectID IN ...)
+//        OR mu.SessionID IS NULL
+//     -> returns records for user's sites and projects and null session data
+// Other combinations are possible but order of operations still applies
+$accessQuery = "SELECT * 
+     FROM mri_upload mu 
+     LEFT JOIN session s ON (s.ID = mu.SessionID)
+     ";
+$accessWhere = " WHERE (mu.UploadedBy='$username' OR 1=1 ";
+if (!$user->hasPermission('imaging_uploader_allsites')) {
+    // Create where clause for sites
+    $accessWhere = $accessWhere . " AND s.CenterID IN ('$centerString') ";
+}
+
+if ($advancedperms === 'true') {
+    // If config setting is enabled, check the user's sites and projects
+    // site/project match + user's own uploads
+    $accessWhere = $accessWhere . " AND s.ProjectID IN ('$projectString')";
+}
+
+if ($user->hasPermission('imaging_uploader_nosessionid')) {
+    // clause for accessing null session data
+    $accessWhere = $accessWhere . " OR mu.SessionID IS NULL ";
+}
+
+// Wrap entire access logic in parentheses and add AND clause for specific upload ID
+$accessWhere = $accessWhere . ") AND UploadId =:uploadId";
+
+$accessData = $DB->pselectRow(
+    $accessQuery.$accessWhere,
+    ['uploadId' => $uploadId]
+);
+
+
+if (empty($accessData)) {
+    http_response_code(403);
+    return;
+}
+
 
 /* Fetch columns Inserting and InsertionComplete from table mri_upload
  * create Database object
  */
-$DB    = \NDB_Factory::singleton()->database();
 $query = "SELECT Inserting, InsertionComplete 
           FROM mri_upload
           WHERE UploadId =:uploadId";

modules/instruments/php/visitsummary.class.inc

@@ -122,6 +122,12 @@ class VisitSummary extends \NDB_Page
                 );
                 continue;
             }
+
+            $rslt[$key] = [
+                'Test_name'     => $row['Test_name'],
+                'CommentID'     => $row['CommentID'],
+                'NumOfConflict' => $row['NumOfConflict'],
+            ];
             if ($instrument === null) {
                 $rslt[$key]['Completion'] = 0;
             } else {

php/libraries/NDB_BVL_Instrument.class.inc

@@ -1040,7 +1040,8 @@ abstract class NDB_BVL_Instrument extends NDB_Page
             ]
         );
 
-        $curr_examinerID = $this->getFieldValue("Examiner");
+        $allValues       = $this->getInstanceData();
+        $curr_examinerID = $allValues['Examiner'];
 
         list(
             $CertificationEnabled,