[Loris-dev] 403 Unauthorized when trying to use imaging_browser

Paul Novak pnovak2 at uoregon.edu
Mon Jul 27 13:21:45 EDT 2020 

I am not able to edit as suggested.

For the other checks:

  1.  Human
  2.  ProjectID = 1, CenterID = 2
  3.  The user with userID 1 has permissions [1,20] [22,25], [28,65]. Put another way, the user has all permissions from 1 to 65, except the user does not have permissions with IDs 21, 26 or 27. The missing permissions appear to not exist (from permissions table).
  4.  User with userID 1 has CenterID 1 and 2, from table user_psc_rel.
  5.  Yes.

I am guessing that you are trying to determine if the user has the site that the session is associated with, which it appears to be, and if the user has permissions to use imaging_browser, which I think it does. Following the module documentation: https://github.com/aces/Loris/tree/main/modules/imaging_browser, this user has permissions:

imaging_browser_view_allsites (View all-sites Imaging Browser pages
imaging_browser_view_site (View own-site Imaging Browser pages)
imaging_browser_phantom_allsites (Can access only phantom data from all sites in Imaging Browser
imaging_browser_phantom_ownsite (Can access only phantom data from own site in Imaging Browser
imaging_browser_qc (Edit imaging browser QC status)
Paul

From: Dave MacFarlane <dave.macfarlane at mcin.ca>
Date: Monday, July 27, 2020 at 9:58 AM
To: Paul Novak <pnovak2 at uoregon.edu>
Cc: Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

Hi Paul,

The permissions for the imaging_browser are fairly complex because of the interactions between all site/own site/project/entity type permissions.

If it's not production and you can modify the code, it might help to add error_log statements (which will print to your apache error log) in the function _hasAccess
in modules/imaging_browser/php/viewsession.class.inc in order to narrow down exactly part of the criteria is causing it to return false.

If you can't add debug statements, can you check:

1. Is the candidate a Human or Scanner entity type? (The query select Entity_type FROM session JOIN candidate USING (CandID) Where session.ID=2 will tell you)
2. What is the project and site of the session? (SELECT ProjectID, CenterID FROM session WHERE ID=2)
3. What permissions does the user have in user_perm_rel? (The ones required will vary based on the results of the above queries)
4. What sites does the user have in user_psc_rel?
5. Are you sure that the user ID of the user is "1" (since that was the only user_project_rel permission result in your query..)?

On Mon, Jul 27, 2020 at 12:19 PM Paul Novak <pnovak2 at uoregon.edu<mailto:pnovak2 at uoregon.edu>> wrote:
I don’t understand what is meant by recent. This is a new installation using a released version.

There is a single project and a single user.  The entire contents of user_project_rel are:

select * from user_project_rel;
+--------+-----------+
| UserID | ProjectID |
+--------+-----------+
|      1 |         1 |
+--------+-----------+

Paul

From: Cecile Madjar <cecile.madjar at mcin.ca<mailto:cecile.madjar at mcin.ca>>
Date: Monday, July 27, 2020 at 9:01 AM
To: Paul Novak <pnovak2 at uoregon.edu<mailto:pnovak2 at uoregon.edu>>
Cc: "loris-dev at bic.mni.mcgill.ca<mailto:loris-dev at bic.mni.mcgill.ca>" <loris-dev at bic.mni.mcgill.ca<mailto:loris-dev at bic.mni.mcgill.ca>>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

Hello Paul,

does your admin user have access to all projects in the table user_project_rel?

In order for the user to see that page, it needs to have access to the project of the sessions. We recently added the project layer to LORIS so my guess would be that your admin user does not have the project of that session listed in his associated project in user_project_rel.

Hope this helps,

Cécile

On Mon, Jul 27, 2020 at 11:45 AM Paul Novak <pnovak2 at uoregon.edu<mailto:pnovak2 at uoregon.edu>> wrote:
Hello,

After uploading images using the imaging_uploader module, I am trying to view the images through the imaging browser (imaging_browser/viewSession/?sessionID=2). However, that page always returns 403 Unauthorized and displays a standard “You do not have access to this page” page. I am currently logged in as an admin user to LORIS and the list of permissions have all the permissions for imaging_browser module selected or enabled. The loris-error.log in /var/log/apache2/ doesn’t have any errors at the time I am trying to access this module. I am using LORIS 23.0.1.

How can I view the images? What can I do to further troubleshoot this problem?

Paul

_______________________________________________
Loris-dev mailing list
Loris-dev at bic.mni.mcgill.ca<mailto:Loris-dev at bic.mni.mcgill.ca>
https://mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev<https://urldefense.com/v3/__https:/mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev__;!!C5qS4YX3!RaUzKf_Ejz14svGcpy9OTpb33FxMa3Q_EYqoakIc0ZWCERS9DVPy5AAlZpVsQM0YeUQ$>
_______________________________________________
Loris-dev mailing list
Loris-dev at bic.mni.mcgill.ca<mailto:Loris-dev at bic.mni.mcgill.ca>
https://mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev<https://urldefense.com/v3/__https:/mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev__;!!C5qS4YX3!VlUQsuvElQeJl7SvZ5k1KYoB45nhq6LbALY-SXFa_kZsVkt1i7sRv0_Ougf72vFJDjs$>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.bic.mni.mcgill.ca/pipermail/loris-dev/attachments/20200727/83e70ed7/attachment-0001.html>

More information about the Loris-dev mailing list