Realined with dicom archive

aces · Feb 5, 2025 · 2c008dd · 2c008dd
1 parent c693a97
commit 2c008dd
Show file tree

Hide file tree

Showing 13 changed files with 103 additions and 71 deletions.
diff --git a/SQL/0000-00-02-Permission.sql b/SQL/0000-00-02-Permission.sql
@@ -98,7 +98,7 @@ INSERT INTO `permissions` VALUES
     (26,'document_repository_view','Documents',(SELECT ID FROM modules WHERE Name='document_repository'),'View','2'),
     (27,'document_repository_delete','Documents',(SELECT ID FROM modules WHERE Name='document_repository'),'Delete','2'),
     (28,'server_processes_manager','Processes',(SELECT ID FROM modules WHERE Name='server_processes_manager'),'View','2'),
-    (29,'imaging_uploader','Imaging Scans',(SELECT ID FROM modules WHERE Name='imaging_uploader'),'View/Upload','2'),
+    (29,'imaging_uploader_allsites','Imaging Scans - All Sites',(SELECT ID FROM modules WHERE Name='imaging_uploader'),'View/Upload','2'),
     (30,'acknowledgements_view','Acknowledgee List',(SELECT ID FROM modules WHERE Name='acknowledgements'),'View','2'),
     (31,'acknowledgements_edit','Acknowledgee List',(SELECT ID FROM modules WHERE Name='acknowledgements'),'Edit','2'),
     (32,'dataquery_view','Cross-Modality Data',(SELECT ID FROM modules WHERE Name='dataquery'),'View/Download','2'),
@@ -137,7 +137,8 @@ INSERT INTO `permissions` VALUES
     (65,'schedule_module','Schedule Module - edit and delete the appointment',(SELECT ID FROM modules WHERE Name='schedule_module'),'View/Create/Edit','2'),
     (66,'document_repository_categories','Categories',(SELECT ID FROM modules WHERE Name='document_repository'), 'Edit/Upload/Delete', '2'),
     (67,'document_repository_hidden','Restricted files',(SELECT ID FROM modules WHERE Name='document_repository'), 'View', '2'),
-    (68,'imaging_uploader_nosessionid', 'uploads with no session ID', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', 2);
+    (68,'imaging_uploader_ownsites', 'Imaging Scans - Own Sites', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', '2'),
+    (68,'imaging_uploader_nosessionid', 'Imaging Scans with no session ID', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', '2');
 
 INSERT INTO `user_perm_rel` (userID, permID)
   SELECT u.ID, p.permID

diff --git a/SQL/0000-00-03-ConfigTables.sql b/SQL/0000-00-03-ConfigTables.sql
@@ -97,7 +97,7 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'LegoPhantomRegex', 'Regex for identifying a Lego Phantom scan header', 1, 0, 'text', ID, 'Lego phantom regex', 3 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'LivingPhantomRegex', 'Regex to be used on Living Phantom scan header', 1, 0, 'text', ID, 'Living phantom regex', 4 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'showTransferStatus', 'Show transfer status in the DICOM Archive table', 1, 0, 'boolean', ID, 'Show transfer status', 5 FROM ConfigSettings WHERE Name="imaging_modules";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useSiteProjectPermissions', 'Only allow users access to data with a sessionID (for site and project access restrictions). Bypassed by each module `nosessionid` permission for admins', 1, 0, 'boolean', ID, 'Use Site Project Permissions', 6 FROM ConfigSettings WHERE Name='imaging_modules';
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useImagingSiteProjectPermissions', 'Restricts access to data based on both sites and project. Allows access to data with no session affiliated using a special permission only', 1, 0, 'boolean', ID, 'Use Advanced Site Project Permissions', 6 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'tblScanTypes', 'Scan types from the mri_scan_type table that the project wants to see displayed in Imaging Browser table', 1, 1, 'scan_type', ID, 'Imaging Browser Tabulated Scan Types', 7 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'ImagingBrowserLinkedInstruments', 'Instruments that the users want to see linked from Imaging Browser', 1, 1, 'instrument', ID, 'Imaging Browser Links to Instruments', 8 FROM ConfigSettings WHERE Name="imaging_modules";
 
@@ -233,7 +233,7 @@ INSERT INTO Config (ConfigID, Value) SELECT ID, "." FROM ConfigSettings WHERE Na
 INSERT INTO Config (ConfigID, Value) SELECT ID, "(?i)phantom" FROM ConfigSettings WHERE Name="LegoPhantomRegex";
 INSERT INTO Config (ConfigID, Value) SELECT ID, "(?i)phantom" FROM ConfigSettings WHERE Name="LivingPhantomRegex";
 INSERT INTO Config (ConfigID, Value) SELECT ID, "false" FROM ConfigSettings WHERE Name="showTransferStatus";
-INSERT INTO Config (ConfigID, Value) SELECT ID, "false" FROM ConfigSettings WHERE Name="useSiteProjectPermissions";
+INSERT INTO Config (ConfigID, Value) SELECT ID, "false" FROM ConfigSettings WHERE Name="useImagingSiteProjectPermissions";
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, GROUP_CONCAT(mst.MriScanTypeName) FROM ConfigSettings cs JOIN mri_scan_type mst WHERE cs.Name="tblScanTypes" AND mst.MriScanTypeID=44;
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, GROUP_CONCAT(mst.MriScanTypeName) FROM ConfigSettings cs JOIN mri_scan_type mst WHERE cs.Name="tblScanTypes" AND mst.MriScanTypeID=45;
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, "mri_parameter_form" FROM ConfigSettings cs WHERE cs.Name="ImagingBrowserLinkedInstruments";

diff --git a/SQL/New_patches/2025-01-15-Imaging_modules_site_project_permissions.sql b/SQL/New_patches/2025-01-15-Imaging_modules_site_project_permissions.sql
diff --git a/SQL/New_patches/2025-01-15-Imaging_uploader_site_project_permissions.sql b/SQL/New_patches/2025-01-15-Imaging_uploader_site_project_permissions.sql
@@ -0,0 +1,8 @@
+UPDATE permissions SET code = 'imaging_uploader_allsites', description='Imaging Scans - All Sites' WHERE code='imaging_uploader';
+INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+SELECT 'imaging_uploader_ownsites', 'Imaging Scans - Own Sites', ID, 'View/Upload', 2 FROM modules WHERE Name='imaging_uploader';
+INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+SELECT 'imaging_uploader_nosessionid', 'Uploads with No Session Information', ID, 'View', 2 FROM modules WHERE Name='imaging_uploader';
+
+INSERT IGNORE INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) 
+SELECT 'useImagingSiteProjectPermissions', 'Restricts access to data based on both sites and project. Allows access to data with no session affiliated using a special permission only', 1, 0, 'boolean', ID, 'Use Advanced Site Project Permissions', 6 FROM ConfigSettings WHERE Name='imaging_modules';
diff --git a/modules/imaging_uploader/README.md b/modules/imaging_uploader/README.md
@@ -53,15 +53,26 @@ For a successful upload:
 
 #### Module Permission
 
-The imaging uploader module uses the permission called `imaging_uploader` that 
-is necessary to have access to the module and gives the user the ability to 
-upload and browse all scans uploaded to the database.
-
-The `imaging_uploader_nosessionid` (Imaging Uploader: View uploads with no session ID) 
-allows to partially bypass the `useSiteProjectPermissions` configuration (see Configurations 
-section below) to see all uploads not associated to a site or project (no session 
-ID found on upload)
-
+*In the interest of backwards compatibility, permission behaviour varies slightly 
+based on the `useImagingSiteProjectPermissions` configuration*
+
+Any of the following permissions grants access to the module.
+
+`imaging_uploader_allsites`: 
+ - If `useImagingSiteProjectPermissions` is disabled, this permission gives access 
+ to all Uploads in the database (backwards compatible with projects not requiring a 
+ session ID to be defined).
+ - If `useImagingSiteProjectPermissions` is enabled, this permission gives access to 
+ all Uploads as long as they are associated to a session and the session is affiliated
+ to a project that the user is affiliated with. When combined with `imaging_uploader_nosessionid`, user gets access to their projects' data as well as Uploads with no session ID associated.
+
+`imaging_uploader_ownsites`: 
+ - If `useImagingSiteProjectPermissions` is disabled, this permission gives access 
+ to all Uploads as long as they are associated to a session and the session is affiliated
+ to a site that the user is affiliated with. When combined with `imaging_uploader_nosessionid`, user gets access to their sites' data as well as Uploads with no session ID associated.
+ - If `useImagingSiteProjectPermissions` is enabled, this permission gives access to 
+ all Uploads as long as they are associated to a session and the session is affiliated
+ to both a site and a project that the user is affiliated with. When combined with `imaging_uploader_nosessionid`, user gets access to their projects' and sites' data as well as Uploads with no session ID associated.
 
 #### Filesystem Permission
 
@@ -99,14 +110,13 @@ MRIUploadIncomingPath - This setting determines where on the filesystem the
         `MRIUploadIncomingPath`following a successful archival and insertion 
         through the LORIS-MRI pipeline. 
 
-useSiteProjectPermissions - This setting enables Site and Project access restrictions 
-        for users. If enabled, users accessing the module can only see uploads where a 
-        session ID has been found and are thus linked to the site and project of the 
-        session AND the site and project match the user's. Users can also see any file
-        they have uploaded themselves regardless of if a sesssion ID has been found. 
-        This setting can be PARTIALLY bypassed by the `imaging_uploader_nosessionid` 
-        permission (partially only because the permission will also append any upload 
-        with no site or project)
+The `useImagingSiteProjectPermissions` configuration enables more advanced Site and 
+Project access control (Although Site permissions are enabled without this 
+configuration, "all sites" gives access to data with no Session ID if this 
+configuration is turned off). If enabled, users accessing the module can only see 
+data where a session ID has been found and are thus linked to the site and project 
+of the session AND the site and project match the user's. Access to data with no 
+session is granted by the `imaging_uploader_nosessionid` permission (see permissions section)
 
 
 ## Interactions with LORIS

diff --git a/modules/imaging_uploader/php/imaging_uploader.class.inc b/modules/imaging_uploader/php/imaging_uploader.class.inc
@@ -49,7 +49,12 @@ class Imaging_Uploader extends \NDB_Menu_Filter_Form
      */
     function _hasAccess(\User $user) : bool
     {
-        return $user->hasPermission('imaging_uploader');
+        return $user->hasAnyPermission(
+            [
+                'imaging_uploader_allsites',
+                'imaging_uploader_ownsites',
+            ]
+        );
     }
     /**
      * Sets up the Filter Variables
@@ -60,37 +65,44 @@ class Imaging_Uploader extends \NDB_Menu_Filter_Form
     {
         $config           = \NDB_Factory::singleton()->config();
         $siteprojectperms = $config->getSetting(
-            'useSiteProjectPermissions'
+            'useImagingSiteProjectPermissions'
         );
+        $user          = \NDB_Factory::singleton()->user();
+        $centerString  = implode("','", $user->getCenterIDs());
+        $projectString = implode("','", $user->getProjectIDs());
+        $username      = $user->getUsername();
+
+        // MySQL order of operations dictates that ANDs get computed before ORs which
+        // means this where clause can take the follwoing forms
+        // 1. WHERE mu.UploadedBy='$username' OR 1=1
+        //      -> returns all records
+        // 2. WHERE mu.UploadedBy='$username' OR (1=1 AND s.CenterID IN ...)
+        //      -> returns records for user's sites
+        // 3. WHERE mu.UploadedBy='$username' OR (1=1 AND s.ProjectID IN ...)
+        //      -> returns records for user's projects
+        // 4. WHERE mu.UploadedBy='$username'
+        //        OR (1=1 AND s.CenterID IN ... AND s.ProjectID IN ...)
+        //      -> returns records for user's sites and projects
+        // 5. WHERE mu.UploadedBy='$username'
+        //        OR (1=1 AND s.CenterID IN ... AND s.ProjectID IN ...)
+        //        OR mu.SessionID IS NULL
+        //     -> returns records for user's sites and projects and null session data
+        // Other combinations are possible but order of operations still applies
+        $where = "WHERE mu.UploadedBy='$username' OR 1=1 ";
+        if (!$user->hasPermission('imaging_uploader_allsites')) {
+            // Create where clause for sites
+            $where = $where . " AND s.CenterID IN ('$centerString') ";
+        }
 
-        $where = '';
         if ($siteprojectperms === 'true') {
             // If config setting is enabled, check the user's sites and projects
-            // and add the WHERE clause to exclude any records that the user does
-            // not have access to. UNLESS user has 'imaging_uploader_nosessionid'
-            $user          = \NDB_Factory::singleton()->user();
-            $centerString  = implode("','", $user->getCenterIDs());
-            $projectString = implode("','", $user->getProjectIDs());
-            $username      = $user->getUsername();
-
-            if ($user->hasPermission('imaging_uploader_nosessionid')) {
-                // site/project match + null sites and projects + user's own uploads
-                $where = " WHERE 
-                            (s.CenterID IN ('$centerString') 
-                             AND 
-                             s.ProjectID IN ('$projectString')
-                            ) OR mu.UploadedBy='$username'
-                              OR s.CenterID IS NULL
-                              OR s.ProjectID IS NULL";
+            // site/project match + user's own uploads
+            $where = $where . " AND s.ProjectID IN ('$projectString')";
+        }
 
-            } else {
-                // site/project match + user's own uploads
-                $where = " WHERE 
-                            (s.CenterID IN ('$centerString') 
-                             AND 
-                             s.ProjectID IN ('$projectString')
-                            ) OR mu.UploadedBy='$username'";
-            }
+        if ($user->hasPermission('imaging_uploader_nosessionid')) {
+            // clause for accessing null session data
+            $where = $where . " OR mu.SessionID IS NULL ";
         }
 
         $this->_resetFilters();
@@ -124,21 +136,20 @@ class Imaging_Uploader extends \NDB_Menu_Filter_Form
                               " LEFT JOIN candidate c ON (c.CandID = s.CandID)".
                               " LEFT JOIN tarchive ta ON".
                               " (mu.TarchiveID = ta.TarchiveID)";
-        if ($siteprojectperms === 'true') {
-            $this->query .= $where;
-        }
+        $this->query       .= $where;
         $this->formToFilter = [
             'CandID'      => 's.CandID',
             'PSCID'       => 'c.PSCID',
             'Visit_label' => 's.Visit_label',
             'IsPhantom'   => 'mu.IsPhantom',
         ];
     }
-     /**
-      * Sets up the menu filter items for the imaging uploader
-      *
-      * @return void
-      */
+
+    /**
+     * Sets up the menu filter items for the imaging uploader
+     *
+     * @return void
+     */
     function setup()
     {
         parent::setup();

diff --git a/modules/imaging_uploader/php/module.class.inc b/modules/imaging_uploader/php/module.class.inc
@@ -36,7 +36,12 @@ class Module extends \Module
      */
     public function hasAccess(\User $user) : bool
     {
-        return parent::hasAccess($user) && $user->hasPermission('imaging_uploader');
+        return parent::hasAccess($user) && $user->hasAnyPermission(
+            [
+                'imaging_uploader_allsites',
+                'imaging_uploader_ownsites',
+            ]
+        );
     }
 
     /**

diff --git a/modules/imaging_uploader/test/TestPlan.md b/modules/imaging_uploader/test/TestPlan.md
@@ -4,20 +4,20 @@
    [Automation Testing]
 2. Ensure that upon loading, the Imaging Uploader page has the 'Browse' and 'Upload' tabs.  
    [Manual Testing]
-3. Set the `useSiteProjectPermissions` (Use Site Project Permissions) Configuration to NO and make sure your
+3. Set the `useImagingSiteProjectPermissions` (Use Site Project Permissions) Configuration to NO and make sure your
    user does NOT have the `imaging_uploader_nosessionid` permission (do not use superuser)
    [Manual Testing]
 4. Check that when accessing the Imaging Uploader page, the 'Browse' tab displays all the uploads done for all users.
    [Automation Testing]
-5. Change the `useSiteProjectPermissions` (Use Site Project Permissions) Configuration to YES and make sure your
+5. Change the `useImagingSiteProjectPermissions` (Use Site Project Permissions) Configuration to YES and make sure your
    user does NOT have the `imaging_uploader_nosessionid` permission (do not use superuser)
    [Manual Testing]
 6. Check that when accessing the Imaging Uploader page, the 'Browse' tab displays all the uploads done where 
    the upload's associated session ID matches the user's sites and projects.
    [Manual Testing]
 7. Check that when accessing the Imaging Uploader page, the 'Browse' tab displays all the uploads done by the logged in user.
    [Manual Testing]
-8. keep the `useSiteProjectPermissions` (Use Site Project Permissions) Configuration to YES and make sure your
+8. keep the `useImagingSiteProjectPermissions` (Use Site Project Permissions) Configuration to YES and make sure your
    user HAS the `imaging_uploader_nosessionid` permission (do not use superuser)
    [Manual Testing]
 9. Check that the user still has access to uploads decribed in #6 and #7

diff --git a/modules/imaging_uploader/test/imaging_uploaderTest.php b/modules/imaging_uploader/test/imaging_uploaderTest.php
@@ -174,7 +174,7 @@ function testImagingUploaderLoadWithoutPermission()
      */
     function testImagingUploaderLoadWithPermission()
     {
-        $this->setupPermissions(["imaging_uploader"]);
+        $this->setupPermissions(["imaging_uploader_allsites"]);
         $this->safeGet($this->url . '/imaging_uploader/');
         $bodyText = $this->safeFindElement(
             WebDriverBy::cssSelector("body")

diff --git a/raisinbread/RB_files/RB_Config.sql b/raisinbread/RB_files/RB_Config.sql
@@ -107,6 +107,6 @@ INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (126,129,'365');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (127,130,'/var/www/loris/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (128,131,'/data/EEGUploadIncomingPath/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (129,132,'false');
-
+INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (130,133,'false');
 UNLOCK TABLES;
 SET FOREIGN_KEY_CHECKS=1;