
LORIS is a web-accessible database solution for longitudinal multi-site studies.
GNU General Public License v3.0

[EEG Browser] User can access individual sessions for projects they are not involved in #6558

Closed h-karim closed 4 years ago

h-karim commented 4 years ago

Context: Fails step A.2 of the test plan. Related to #6618.

Describe the bug: A user can access individual sessions for a project that the user has not been assigned to if the user has a URL from the 'raw' or 'all types' links or logically deduces the URL.

To Reproduce

Steps to reproduce the behavior on the testing VM:

  1. Using an admin user, create a user foo with the following permission:

    View all-sites Electrophysiology Browser pages

  2. Assign the user project "pumpernickel" and site "Ottawa"
  3. Navigate to the EEG Browser module front page using foo
  4. Notice data for pumpernickel is displayed; copy either the "all types" or "raw" link from one of the rows to your clipboard (e.g. this link: https://test-loris-dev.loris.ca/electrophysiology_browser/sessions/167 )
  5. Using an admin account, change foo's project assignment to any other project, make sure to exclude "pumpernickel"
  6. Switch back to foo
  7. Notice the module front page does not show any data (on testing vm)
  8. Paste the copied URL.
  9. Notice foo is able to access the individual session, despite not being assigned the pumpernickel project, and is now able to click on "Next" and "Previous" to access all the data for project pumpernickel.

What did you expect to happen? For the user to have been denied access to the individual session when the user is not assigned the project covering the particular session.

Browser Environment (please complete the following information):

Server Environment (if known): This was done using the testing VM for LORIS.

christinerogers commented 4 years ago

Hi @h-karim: is it fair to summarize this paragraph

For example, if user foo is granted permission to view all-sites EEG pages, but is not assigned project "pumpernickel", data with value "pumpernickel" under the "project" column will not load for foo on the EEG Browser main page. If foo however clicks on this link (which is a link for a session done under project "pumpernickel" for the testing VM), the session page will load properly for foo.

as: UserA is not affiliated to project pumpernickel, but can still see pumpernickel data if they click on a visit that is affiliated to pumpernickel and visible in the main data table.

There's something about your issue where it's not clear whether you're saying the project permissions aren't working as they should.

h-karim commented 4 years ago

If UserA has been granted permission to view all sites, UserA still cannot see pumpernickel data on the front page if pumpernickel is not assigned to UserA; however, UserA can still access raw/all types URLs for pumpernickel sessions if UserA happens to have one. I am not sure whether the desirable behaviour is for UserA to not be able to access pumpernickel sessions, or for UserA to be able to view pumpernickel data on the module front page.

h-karim commented 4 years ago

@christinerogers I've edited the issue description to better clarify the underlying issue, let me know if there's anything more to tweak.

christinerogers commented 4 years ago

Try getting the title down to one line. Start by shortening to [EEG Browser].

johnsaigle commented 4 years ago

@ridz1208 Can you comment on whether this is expected behaviour?

My assumption is that a user should only see data corresponding to the intersection of sites and projects. So if I am a user with ONLY access to Site Montreal and Project ProjectA, then I should see ONLY data associated with Project A AND Site Montreal.

However, another interpretation is that an "access all sites" permission really does mean all sites and overrides Project limitations.

Which behaviour is intended?
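The intersection reading above (site AND project must both be granted, with the all-sites permission widening only the site half), modelled as an added example that is not LORIS code. The listing, the session detail route and the Previous/Next navigation all share one predicate, which is what closes the copied-URL path described in the reproduction steps; the permission name and the session table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the "View all-sites Electrophysiology Browser pages"
# permission; this is not the real LORIS permission code.
VIEW_ALL_SITES = "view_all_sites_eeg"


@dataclass(frozen=True)
class Session:
    session_id: int
    project: str
    site: str


@dataclass
class User:
    name: str
    projects: set
    sites: set
    permissions: set = field(default_factory=set)


# Constructed sample data modelled on the issue: 167 is the session whose
# URL foo copied, 168 is what "Next" would step to.
SESSIONS = {
    167: Session(167, "pumpernickel", "Ottawa"),
    168: Session(168, "pumpernickel", "Ottawa"),
    201: Session(201, "rye", "Montreal"),
}


def can_view_session(user, session):
    """Both halves must hold. The all-sites permission only relaxes the site
    check; project assignment is never overridden by it."""
    site_ok = VIEW_ALL_SITES in user.permissions or session.site in user.sites
    return site_ok and session.project in user.projects


def list_sessions(user):
    """Front-page table: the rows this user may see, in id order."""
    return sorted(s.session_id for s in SESSIONS.values()
                  if can_view_session(user, s))


def session_page(user, session_id):
    """Detail route (/electrophysiology_browser/sessions/<id>). Re-checks the
    same predicate as the table, so a copied or guessed URL grants nothing
    beyond what the table already shows. None stands for a 403/404."""
    session = SESSIONS.get(session_id)
    if session is None or not can_view_session(user, session):
        return None
    return session


def neighbours(user, session_id):
    """Previous/Next ids, computed only over sessions the user may view."""
    visible = list_sessions(user)
    if session_id not in visible:
        return (None, None)
    i = visible.index(session_id)
    return (visible[i - 1] if i > 0 else None,
            visible[i + 1] if i + 1 < len(visible) else None)
```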

h-karim commented 4 years ago

@johnsaigle I want to note the reason why I mentioned to grant the user "all sites" permission here is because of #6557, making it impossible for now to test the scenario where the user is granted "view own site" permission and is affiliated with the correct site but not the individual project. However, with the imaging module (#6618), the user can still access data from projects the user is not affiliated with, but is site affiliated with, if the user is given the "view own site" permission. So I don't think it's particularly related to the "view all sites" permission.

johnsaigle commented 4 years ago

Thanks for clarifying, that's helpful. So Project filtering is basically broken for these two modules.

christinerogers commented 4 years ago

> Thanks for clarifying, that's helpful. So Project filtering is basically broken for these two modules.

Project permissions/controls were never added for (non-reactified) subpages of all modules that should now have Project permissions added.

johnsaigle commented 4 years ago

Fair enough. It's probably more accurate right now to say we have "Project filtering" rather than "Project permissions" in general.

AlexandraLivadas commented 4 years ago

This was resolved after the merging of PR #6640.