[Loris-dev] 403 Unauthorized when trying to use imaging_browser

Dave MacFarlane dave.macfarlane at mcin.ca
Mon Jul 27 14:00:20 EDT 2020


That seems to be the cause of the problem, your user isn't affiliated with
Project 2. Cecile's first hunch was right, but it's using the candidate's
registration project, not the session. I think there's 2 issues:

1. I don't know why it's checking the candidate's registrationProjectID and
not the session's projectID. This is a bug that we should fix in LORIS.
2. Your admin user should probably have access to ProjectID 2. You can
adjust the project affiliations either in the user_accounts module or in the
backend, if they are indeed supposed to be affiliated with that project.

On Mon, Jul 27, 2020 at 1:44 PM Paul Novak <pnovak2 at uoregon.edu> wrote:

> The result of that query is:
>
>
>
> SELECT c.RegistrationProjectID from candidate c JOIN session s USING
> (CandID) WHERE s.ID=2;
>
> +-----------------------+
> | RegistrationProjectID |
> +-----------------------+
> |                     2 |
> +-----------------------+
>
>
>
> Paul
>
>
>
> *From: *Dave MacFarlane <dave.macfarlane at mcin.ca>
> *Date: *Monday, July 27, 2020 at 10:41 AM
> *To: *Paul Novak <pnovak2 at uoregon.edu>
> *Cc: *Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca"
> <loris-dev at bic.mni.mcgill.ca>
> *Subject: *Re: [Loris-dev] 403 Unauthorized when trying to use
> imaging_browser
>
>
>
> I was trying to determine which code path the hasAccess function is going
> down to trace through the code manually, but I was mistaken about the
> project. The access function seems to use the candidate's registration
> project, not the session's project.
>
>
>
> Based on it being 'Human' and the user having
> 'imaging_browser_view_allsites' it's still possible for the
> $user->hasProject check (which is enforced regardless of the
> site permission) to fail.
>
>
>
> Can you check the candidate's RegistrationProjectID? SELECT
> c.RegistrationProjectID from candidate c JOIN session s USING (CandID)
> WHERE s.ID=2
>
>
>
> On Mon, Jul 27, 2020 at 1:21 PM Paul Novak <pnovak2 at uoregon.edu> wrote:
>
> I am not able to edit as suggested.
>
>
>
> For the other checks:
>
>    1. Human
>    2. ProjectID = 1, CenterID = 2
>    3. The user with userID 1 has permissions [1,20] [22,25], [28,65]. Put
>    another way, the user has all permissions from 1 to 65, except the user
>    does not have permissions with IDs 21, 26 or 27. The missing permissions
>    appear to not exist (from permissions table).
>    4. User with userID 1 has CenterID 1 and 2, from table user_psc_rel.
>    5. Yes.
>
>
>
> I am guessing that you are trying to determine if the user has the site
> that the session is associated with, which it appears to be, and if the
> user has permissions to use imaging_browser, which I think it does.
> Following the module documentation:
> https://github.com/aces/Loris/tree/main/modules/imaging_browser,
> this user has permissions:
>
> imaging_browser_view_allsites (View all-sites Imaging Browser pages)
> imaging_browser_view_site (View own-site Imaging Browser pages)
> imaging_browser_phantom_allsites (Can access only phantom data from all
> sites in Imaging Browser)
> imaging_browser_phantom_ownsite (Can access only phantom data from own
> site in Imaging Browser)
> imaging_browser_qc (Edit imaging browser QC status)
>
> Paul
>
>
>
> *From: *Dave MacFarlane <dave.macfarlane at mcin.ca>
> *Date: *Monday, July 27, 2020 at 9:58 AM
> *To: *Paul Novak <pnovak2 at uoregon.edu>
> *Cc: *Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca"
> <loris-dev at bic.mni.mcgill.ca>
> *Subject: *Re: [Loris-dev] 403 Unauthorized when trying to use
> imaging_browser
>
>
>
> Hi Paul,
>
>
>
> The permissions for the imaging_browser are fairly complex because of the
> interactions between all site/own site/project/entity type permissions.
>
>
>
> If it's not production and you can modify the code, it might help to add
> error_log statements (which will print to your apache error log) in the
> function _hasAccess in modules/imaging_browser/php/viewsession.class.inc
> in order to narrow down exactly which part of the criteria is causing it
> to return false.
>
>
>
> If you can't add debug statements, can you check:
>
>
>
> 1. Is the candidate a Human or Scanner entity type? (The query select
> Entity_type FROM session JOIN candidate USING (CandID) Where session.ID=2
> will tell you)
>
> 2. What is the project and site of the session? (SELECT ProjectID,
> CenterID FROM session WHERE ID=2)
>
> 3. What permissions does the user have in user_perm_rel? (The ones
> required will vary based on the results of the above queries)
>
> 4. What sites does the user have in user_psc_rel?
>
> 5. Are you sure that the user ID of the user is "1" (since that was the
> only user_project_rel permission result in your query..)?
>
>
>
> On Mon, Jul 27, 2020 at 12:19 PM Paul Novak <pnovak2 at uoregon.edu> wrote:
>
> I don’t understand what is meant by recent. This is a new installation
> using a released version.
>
>
>
> There is a single project and a single user.  The entire contents of
> user_project_rel are:
>
>
>
> select * from user_project_rel;
>
> +--------+-----------+
> | UserID | ProjectID |
> +--------+-----------+
> |      1 |         1 |
> +--------+-----------+
>
>
>
> Paul
>
>
>
> *From: *Cecile Madjar <cecile.madjar at mcin.ca>
> *Date: *Monday, July 27, 2020 at 9:01 AM
> *To: *Paul Novak <pnovak2 at uoregon.edu>
> *Cc: *"loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
> *Subject: *Re: [Loris-dev] 403 Unauthorized when trying to use
> imaging_browser
>
>
>
> Hello Paul,
>
>
>
> does your admin user have access to all projects in the table
> user_project_rel?
>
>
>
> In order for the user to see that page, it needs to have access to the
> project of the sessions. We recently added the project layer to LORIS so my
> guess would be that your admin user does not have the project of that
> session listed in his associated project in user_project_rel.
>
>
>
> Hope this helps,
>
>
>
> Cécile
>
>
>
> On Mon, Jul 27, 2020 at 11:45 AM Paul Novak <pnovak2 at uoregon.edu> wrote:
>
> Hello,
>
>
>
> After uploading images using the imaging_uploader module, I am trying to
> view the images through the imaging browser
> (imaging_browser/viewSession/?sessionID=2). However, that page always
> returns 403 Unauthorized and displays a standard “You do not have access to
> this page” page. I am currently logged in as an admin user to LORIS and the
> list of permissions have all the permissions for imaging_browser module
> selected or enabled. The loris-error.log in /var/log/apache2/ doesn’t have
> any errors at the time I am trying to access this module. I am using LORIS
> 23.0.1.
>
>
>
> How can I view the images? What can I do to further troubleshoot this
> problem?
>
>
>
> Paul
>
>
>
> _______________________________________________
> Loris-dev mailing list
> Loris-dev at bic.mni.mcgill.ca
> https://mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev
>
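The checks discussed in this thread can be combined into a single diagnostic query. The following is an added example, not part of the original thread and not LORIS code: it loads constructed rows matching the values reported above into an in-memory SQLite database (standing in for the MySQL backend) and reports which affiliations the user holds for the session. The CandID value and the `UserID`/`CenterID` column names of `user_psc_rel` are assumptions.

```python
import sqlite3

# Constructed rows mirroring the values reported in this thread.
SCHEMA = """
CREATE TABLE candidate (CandID INTEGER, Entity_type TEXT, RegistrationProjectID INTEGER);
CREATE TABLE session (ID INTEGER, CandID INTEGER, ProjectID INTEGER, CenterID INTEGER);
CREATE TABLE user_project_rel (UserID INTEGER, ProjectID INTEGER);
CREATE TABLE user_psc_rel (UserID INTEGER, CenterID INTEGER);  -- column names assumed
INSERT INTO candidate VALUES (100001, 'Human', 2);             -- CandID is a placeholder
INSERT INTO session VALUES (2, 100001, 1, 2);
INSERT INTO user_project_rel VALUES (1, 1);
INSERT INTO user_psc_rel VALUES (1, 1), (1, 2);
"""

# One row per session: every affiliation the access check may consult,
# with 1/0 for whether the given user holds it.
DIAGNOSTIC = """
SELECT c.Entity_type,
       s.ProjectID             AS session_project,
       c.RegistrationProjectID AS registration_project,
       EXISTS (SELECT 1 FROM user_project_rel p
               WHERE p.UserID = :uid AND p.ProjectID = s.ProjectID)
           AS has_session_project,
       EXISTS (SELECT 1 FROM user_project_rel p
               WHERE p.UserID = :uid AND p.ProjectID = c.RegistrationProjectID)
           AS has_registration_project,
       EXISTS (SELECT 1 FROM user_psc_rel u
               WHERE u.UserID = :uid AND u.CenterID = s.CenterID)
           AS has_site
FROM session s JOIN candidate c USING (CandID)
WHERE s.ID = :sid
"""

def build_db():
    """Create the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def diagnose(conn, user_id, session_id):
    """Return the affiliation flags for one user/session pair, or None."""
    conn.row_factory = sqlite3.Row
    row = conn.execute(DIAGNOSTIC, {"uid": user_id, "sid": session_id}).fetchone()
    return dict(row) if row else None

if __name__ == "__main__":
    print(diagnose(build_db(), 1, 2))
```

With the thread's data, the session-project and site flags are 1 while the registration-project flag is 0, which is the mismatch identified as the cause of the 403.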