[imaging_uploader] Site&Project check with confgi setting and permission

aces · Feb 5, 2025 · c693a97 · c693a97
1 parent 5e37d6a
commit c693a97
Show file tree

Hide file tree

Showing 8 changed files with 151 additions and 69 deletions.
diff --git a/SQL/0000-00-02-Permission.sql b/SQL/0000-00-02-Permission.sql
@@ -136,7 +136,8 @@ INSERT INTO `permissions` VALUES
     (64,'dataquery_admin','Admin dataquery queries',(SELECT ID FROM modules WHERE Name='dataquery'),NULL,'2'),
     (65,'schedule_module','Schedule Module - edit and delete the appointment',(SELECT ID FROM modules WHERE Name='schedule_module'),'View/Create/Edit','2'),
     (66,'document_repository_categories','Categories',(SELECT ID FROM modules WHERE Name='document_repository'), 'Edit/Upload/Delete', '2'),
-    (67,'document_repository_hidden','Restricted files',(SELECT ID FROM modules WHERE Name='document_repository'), 'View', '2');
+    (67,'document_repository_hidden','Restricted files',(SELECT ID FROM modules WHERE Name='document_repository'), 'View', '2'),
+    (68,'imaging_uploader_nosessionid', 'uploads with no session ID', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', 2);
 
 INSERT INTO `user_perm_rel` (userID, permID)
   SELECT u.ID, p.permID

diff --git a/SQL/0000-00-03-ConfigTables.sql b/SQL/0000-00-03-ConfigTables.sql
@@ -97,8 +97,9 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'LegoPhantomRegex', 'Regex for identifying a Lego Phantom scan header', 1, 0, 'text', ID, 'Lego phantom regex', 3 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'LivingPhantomRegex', 'Regex to be used on Living Phantom scan header', 1, 0, 'text', ID, 'Living phantom regex', 4 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'showTransferStatus', 'Show transfer status in the DICOM Archive table', 1, 0, 'boolean', ID, 'Show transfer status', 5 FROM ConfigSettings WHERE Name="imaging_modules";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'tblScanTypes', 'Scan types from the mri_scan_type table that the project wants to see displayed in Imaging Browser table', 1, 1, 'scan_type', ID, 'Imaging Browser Tabulated Scan Types', 6 FROM ConfigSettings WHERE Name="imaging_modules";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'ImagingBrowserLinkedInstruments', 'Instruments that the users want to see linked from Imaging Browser', 1, 1, 'instrument', ID, 'Imaging Browser Links to Instruments', 7 FROM ConfigSettings WHERE Name="imaging_modules";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useSiteProjectPermissions', 'Only allow users access to data with a sessionID (for site and project access restrictions). Bypassed by each module `nosessionid` permission for admins', 1, 0, 'boolean', ID, 'Use Site Project Permissions', 6 FROM ConfigSettings WHERE Name='imaging_modules';
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'tblScanTypes', 'Scan types from the mri_scan_type table that the project wants to see displayed in Imaging Browser table', 1, 1, 'scan_type', ID, 'Imaging Browser Tabulated Scan Types', 7 FROM ConfigSettings WHERE Name="imaging_modules";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'ImagingBrowserLinkedInstruments', 'Instruments that the users want to see linked from Imaging Browser', 1, 1, 'instrument', ID, 'Imaging Browser Links to Instruments', 8 FROM ConfigSettings WHERE Name="imaging_modules";
 
 
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, Label, OrderNumber) VALUES ('statistics', 'Statistics module settings', 1, 0, 'Statistics', 7);
@@ -232,6 +233,7 @@ INSERT INTO Config (ConfigID, Value) SELECT ID, "." FROM ConfigSettings WHERE Na
 INSERT INTO Config (ConfigID, Value) SELECT ID, "(?i)phantom" FROM ConfigSettings WHERE Name="LegoPhantomRegex";
 INSERT INTO Config (ConfigID, Value) SELECT ID, "(?i)phantom" FROM ConfigSettings WHERE Name="LivingPhantomRegex";
 INSERT INTO Config (ConfigID, Value) SELECT ID, "false" FROM ConfigSettings WHERE Name="showTransferStatus";
+INSERT INTO Config (ConfigID, Value) SELECT ID, "false" FROM ConfigSettings WHERE Name="useSiteProjectPermissions";
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, GROUP_CONCAT(mst.MriScanTypeName) FROM ConfigSettings cs JOIN mri_scan_type mst WHERE cs.Name="tblScanTypes" AND mst.MriScanTypeID=44;
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, GROUP_CONCAT(mst.MriScanTypeName) FROM ConfigSettings cs JOIN mri_scan_type mst WHERE cs.Name="tblScanTypes" AND mst.MriScanTypeID=45;
 INSERT INTO Config (ConfigID, Value) SELECT cs.ID, "mri_parameter_form" FROM ConfigSettings cs WHERE cs.Name="ImagingBrowserLinkedInstruments";

diff --git a/SQL/New_patches/2025-01-15-Imaging_modules_site_project_permissions.sql b/SQL/New_patches/2025-01-15-Imaging_modules_site_project_permissions.sql
@@ -0,0 +1,5 @@
+INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+SELECT 'imaging_uploader_nosessionid', 'uploads with no session ID', ID, 'View', 2 FROM modules WHERE Name='imaging_uploader';
+
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) 
+SELECT 'useSiteProjectPermissions', 'Only allow users access to data with a sessionID (for site and project access restrictions). Bypassed by module `nosessionid` permissions for admins', 1, 0, 'boolean', ID, 'Use Site Project Permissions', 6 FROM ConfigSettings WHERE Name='imaging_modules';
diff --git a/modules/imaging_uploader/README.md b/modules/imaging_uploader/README.md
@@ -53,10 +53,16 @@ For a successful upload:
 
 #### Module Permission
 
-The imaging uploader module uses one permission called `imaging_uploader` that 
+The imaging uploader module uses the permission called `imaging_uploader` that 
 is necessary to have access to the module and gives the user the ability to 
 upload and browse all scans uploaded to the database.
 
+The `imaging_uploader_nosessionid` (Imaging Uploader: View uploads with no session ID) 
+allows to partially bypass the `useSiteProjectPermissions` configuration (see Configurations 
+section below) to see all uploads not associated to a site or project (no session 
+ID found on upload)
+
+
 #### Filesystem Permission
 
 The path on the filesystem where the uploaded file go 
@@ -93,6 +99,15 @@ MRIUploadIncomingPath - This setting determines where on the filesystem the
         `MRIUploadIncomingPath`following a successful archival and insertion 
         through the LORIS-MRI pipeline. 
 
+useSiteProjectPermissions - This setting enables Site and Project access restrictions 
+        for users. If enabled, users accessing the module can only see uploads where a 
+        session ID has been found and are thus linked to the site and project of the 
+        session AND the site and project match the user's. Users can also see any file
+        they have uploaded themselves regardless of if a sesssion ID has been found. 
+        This setting can be PARTIALLY bypassed by the `imaging_uploader_nosessionid` 
+        permission (partially only because the permission will also append any upload 
+        with no site or project)
+
 
 ## Interactions with LORIS
 

diff --git a/modules/imaging_uploader/php/imaging_uploader.class.inc b/modules/imaging_uploader/php/imaging_uploader.class.inc
@@ -58,6 +58,41 @@ class Imaging_Uploader extends \NDB_Menu_Filter_Form
      */
     function _setupVariables()
     {
+        $config           = \NDB_Factory::singleton()->config();
+        $siteprojectperms = $config->getSetting(
+            'useSiteProjectPermissions'
+        );
+
+        $where = '';
+        if ($siteprojectperms === 'true') {
+            // If config setting is enabled, check the user's sites and projects
+            // and add the WHERE clause to exclude any records that the user does
+            // not have access to. UNLESS user has 'imaging_uploader_nosessionid'
+            $user          = \NDB_Factory::singleton()->user();
+            $centerString  = implode("','", $user->getCenterIDs());
+            $projectString = implode("','", $user->getProjectIDs());
+            $username      = $user->getUsername();
+
+            if ($user->hasPermission('imaging_uploader_nosessionid')) {
+                // site/project match + null sites and projects + user's own uploads
+                $where = " WHERE 
+                            (s.CenterID IN ('$centerString') 
+                             AND 
+                             s.ProjectID IN ('$projectString')
+                            ) OR mu.UploadedBy='$username'
+                              OR s.CenterID IS NULL
+                              OR s.ProjectID IS NULL";
+
+            } else {
+                // site/project match + user's own uploads
+                $where = " WHERE 
+                            (s.CenterID IN ('$centerString') 
+                             AND 
+                             s.ProjectID IN ('$projectString')
+                            ) OR mu.UploadedBy='$username'";
+            }
+        }
+
         $this->_resetFilters();
         $progressSelectPart = "IF(ISNULL(Inserting), 'Not Started',"
             . "IF(Inserting=1, 'In Progress...', "
@@ -84,12 +119,14 @@ class Imaging_Uploader extends \NDB_Menu_Filter_Form
             's.Visit_label',
             'mu.IsPhantom',
         ];
-        $this->query        = " FROM mri_upload mu LEFT JOIN session".
-                              " s ON (s.ID = mu.SessionID)".
+        $this->query        = " FROM mri_upload mu".
+                              " LEFT JOIN session s ON (s.ID = mu.SessionID)".
                               " LEFT JOIN candidate c ON (c.CandID = s.CandID)".
                               " LEFT JOIN tarchive ta ON".
-                              " (mu.TarchiveID = ta.TarchiveID)".
-                              " WHERE 1=1 ";
+                              " (mu.TarchiveID = ta.TarchiveID)";
+        if ($siteprojectperms === 'true') {
+            $this->query .= $where;
+        }
         $this->formToFilter = [
             'CandID'      => 's.CandID',
             'PSCID'       => 'c.PSCID',