From 40afcfcfa2abd117dac2dec0aa9c456f3a599410 Mon Sep 17 00:00:00 2001
From: Simon Pelletier
Date: Tue, 25 Aug 2020 15:07:15 -0400
Subject: [PATCH] [API] Adding checkign user permission

---
 .../php/endpoints/project/dicoms.class.inc | 34 +++++++++++++++----
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/modules/api/php/endpoints/project/dicoms.class.inc b/modules/api/php/endpoints/project/dicoms.class.inc
index 9069450ddce..f4b489384a6 100644
--- a/modules/api/php/endpoints/project/dicoms.class.inc
+++ b/modules/api/php/endpoints/project/dicoms.class.inc
@@ -38,6 +38,24 @@ class Dicoms extends Endpoint implements \LORIS\Middleware\ETagCalculator
 */
 private $_project;
+ /**
+ * Permission checks
+ *
+ * @param \User $user The requesting user
+ *
+ * @return boolean true if access is permitted
+ */
+ private function _hasAccess(\User $user)
+ {
+ return (
+ $user->hasPermission('dicom_archive_view_allsites') ||
+ (
+ $user->hasStudySite()
+ && $user->hasPermission('dicom_archive_view_allsites')
+ )
+ );
+ }
+
 /**
 * Contructor
 *
@@ -78,6 +96,15 @@ class Dicoms extends Endpoint implements \LORIS\Middleware\ETagCalculator
 */
 public function handle(ServerRequestInterface $request) : ResponseInterface
 {
+ $user = $request->getAttribute('user');
+ if ($user instanceof \LORIS\AnonymousUser) {
+ return new \LORIS\Http\Response\JSON\Unauthorized();
+ }
+
+ if (!$this->_hasAccess($user)) {
+ return new \LORIS\Http\Response\JSON\Forbidden();
+ }
+
 $pathparts = $request->getAttribute('pathparts');
 if (count($pathparts) !== 0) {
 return new \LORIS\Http\Response\JSON\NotFound();
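Review bot: The second branch of `_hasAccess` re-tests `dicom_archive_view_allsites`, so `$user->hasStudySite() && $user->hasPermission('dicom_archive_view_allsites')` is subsumed by the first test and the method reduces to a single all-sites check; a user who holds only a site-scoped DICOM view permission is always refused, which is probably not what the `hasStudySite()` guard was written for. If a site-scoped permission was intended, the inner call should name it, e.g. `&& $user->hasPermission('<SITE_SCOPED_DICOM_PERMISSION placeholder>')`, and the docblock should state that the returned list is not further filtered by site unless the caller does so (not visible here). The signature also lacks a return type: `private function _hasAccess(\User $user): bool` with `@return bool` matches what the docblock already claims.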
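Review bot: In `handle()` the `user` attribute is only tested against `\LORIS\AnonymousUser`, so if the attribute is absent `_hasAccess(null)` fails with a TypeError on the `\User` parameter instead of producing a 401. If the upstream middleware can leave the attribute unset (not visible in this hunk), the guard should be `if ($user === null || $user instanceof \LORIS\AnonymousUser) {`. Running the auth check before the path check is fine: a rejected caller does not learn whether the path exists. `handle()` continues past the end of the hunk.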
@@ -125,12 +152,7 @@ class Dicoms extends Endpoint implements \LORIS\Middleware\ETagCalculator
 '\LORIS\api\Models\ProjectDicomsObject' );
- $all = $provisioner->getAllInstances();
-
- $dicoms = [];
- foreach ($all as $value) {
- array_push($dicoms, $value);
- }
+ $dicoms = iterator_to_array($provisioner->getAllInstances());
 $this->_cache = new \LORIS\Http\Response\JsonResponse(
 ['Dicoms' => $dicoms]