Loris
[DicomArchive] Add project permissions to Subpage
No Project-based data access controls were added to the Subpage in this module during Data Frameworkization. As a result, a user can enter a URL to download and see details on scans they should not have access to.
The ViewDetails:hasAccess() needs to be updated similarly to these PRs:
- #6639 Imaging Browser
- #6640 Electrophysiology browser
To Reproduce
- Go to Dicom Archive module, using a User credential that has access to project A.
- Click on any scan in project A to enter its View Details page
- Copy the URL
- Using another session with a user who does not have access to project A - does this URL load? Can the scans be downloaded?
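The kind of check the issue asks for, as an added example that is not LORIS code and is not taken from the linked PRs. `DemoUser`, `DemoViewDetails`, `hasAccessModuleOnly` and the `view_scans` permission are hypothetical names used for illustration; only the method name `hasAccess` comes from the issue.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for illustration; these are not LORIS classes.
final class DemoUser
{
    /** @param string[] $permissions @param int[] $projectIds */
    public function __construct(private array $permissions, private array $projectIds) {}

    public function hasPermission(string $name): bool
    {
        return in_array($name, $this->permissions, true);
    }

    public function hasProject(int $projectId): bool
    {
        return in_array($projectId, $this->projectIds, true);
    }
}

final class DemoViewDetails
{
    /** @param int|null $scanProjectId project that owns the requested scan */
    public function __construct(private ?int $scanProjectId) {}

    // Before: only the module-level permission is checked, so any user who
    // holds it can open a View Details URL for a scan in another project.
    public function hasAccessModuleOnly(DemoUser $user): bool
    {
        return $user->hasPermission('view_scans'); // constructed permission name
    }

    // After: the scan's project must also be one of the user's projects.
    // A scan whose project cannot be resolved is denied (fail closed).
    public function hasAccess(DemoUser $user): bool
    {
        return $user->hasPermission('view_scans')
            && $this->scanProjectId !== null
            && $user->hasProject($this->scanProjectId);
    }
}

// Constructed data: the scan belongs to project 1 ("project A");
// the second user holds the module permission but is only in project 2.
$page  = new DemoViewDetails(1);
$userB = new DemoUser(['view_scans'], [2]);
var_dump($page->hasAccessModuleOnly($userB)); // module-only check
var_dump($page->hasAccess($userB));           // project-aware check
```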
for the 23 release. Modules that only partially enforce project permissions should be updated to resolve this, if possible.
@regisoc could you confirm if #8503 addressed this issue? I didn't see it in the PR description.
If it wasn't covered, let's leave this ticket open.
@christinerogers not covered, it was just added in the list of related issues in #8503. It should stay open. New PR attached, I put you as reviewer.