[Loris-dev] 403 Unauthorized when trying to use imaging_browser

Paul Novak pnovak2 at uoregon.edu
Mon Jul 27 16:33:05 EDT 2020


In the user_accounts module only one project is listed (it is some project named “loris” that I don’t recall creating) and it is selected already. No other projects are listed, so I think that is another bug. How can a user change project associations if the list of projects is incomplete? See attached screenshot.

How can I give this user access to ProjectID 2? I couldn’t find documentation on how to modify user_project_rel table, and I do not know what SQL command exactly needs to be issued. I don’t know if that is the only modification that needs to be done.

Paul

From: Dave MacFarlane <dave.macfarlane at mcin.ca>
Date: Monday, July 27, 2020 at 11:00 AM
To: Paul Novak <pnovak2 at uoregon.edu>
Cc: Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

That seems to be the cause of the problem, your user isn't affiliated with Project 2. Cecile's first hunch was right, but it's using the candidate's registration project, not the session. I think there's 2 issues:

1. I don't know why it's checking the candidate's registrationProjectID and not the session's projectID. This is a bug that we should fix in LORIS.
2. Your admin user should probably have access to ProjectID 2. You can adjust the project affiliations either in the user_accounts module or in the backend, if they are indeed supposed to be affiliated with that project.

On Mon, Jul 27, 2020 at 1:44 PM Paul Novak <pnovak2 at uoregon.edu> wrote:
The result of that query is:

SELECT c.RegistrationProjectID from candidate c JOIN session s USING (CandID) WHERE s.ID=2;
+-----------------------+
| RegistrationProjectID |
+-----------------------+
|                     2 |
+-----------------------+

Paul

From: Dave MacFarlane <dave.macfarlane at mcin.ca>
Date: Monday, July 27, 2020 at 10:41 AM
To: Paul Novak <pnovak2 at uoregon.edu>
Cc: Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

I was trying to determine which code path the hasAccess function is going down to trace through the code manually, but I was mistaken about the project. The access function seems to use the candidate's registration project, not the session's project.

Based on it being 'Human' and the user having 'imaging_browser_view_allsites' it's still possible for the $user->hasProject check (which is enforced regardless of the site permission) to fail.

Can you check the candidate's RegistrationProjectID? SELECT c.RegistrationProjectID from candidate c JOIN session s USING (CandID) WHERE s.ID=2

On Mon, Jul 27, 2020 at 1:21 PM Paul Novak <pnovak2 at uoregon.edu> wrote:
I am not able to edit as suggested.

For the other checks:

  1.  Human
  2.  ProjectID = 1, CenterID = 2
  3.  The user with userID 1 has permissions [1,20], [22,25], [28,65]. Put another way, the user has all permissions from 1 to 65, except the user does not have permissions with IDs 21, 26 or 27. The missing permissions appear to not exist (from permissions table).
  4.  User with userID 1 has CenterID 1 and 2, from table user_psc_rel.
  5.  Yes.

I am guessing that you are trying to determine if the user has the site that the session is associated with, which it appears to be, and if the user has permissions to use imaging_browser, which I think it does. Following the module documentation: https://github.com/aces/Loris/tree/main/modules/imaging_browser, this user has permissions:

imaging_browser_view_allsites (View all-sites Imaging Browser pages)
imaging_browser_view_site (View own-site Imaging Browser pages)
imaging_browser_phantom_allsites (Can access only phantom data from all sites in Imaging Browser)
imaging_browser_phantom_ownsite (Can access only phantom data from own site in Imaging Browser)
imaging_browser_qc (Edit imaging browser QC status)

Paul

From: Dave MacFarlane <dave.macfarlane at mcin.ca>
Date: Monday, July 27, 2020 at 9:58 AM
To: Paul Novak <pnovak2 at uoregon.edu>
Cc: Cecile Madjar <cecile.madjar at mcin.ca>, "loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

Hi Paul,

The permissions for the imaging_browser are fairly complex because of the interactions between all site/own site/project/entity type permissions.

If it's not production and you can modify the code, it might help to add error_log statements (which will print to your apache error log) in the function _hasAccess in modules/imaging_browser/php/viewsession.class.inc in order to narrow down exactly which part of the criteria is causing it to return false.

If you can't add debug statements, can you check:

1. Is the candidate a Human or Scanner entity type? (The query select Entity_type FROM session JOIN candidate USING (CandID) Where session.ID=2 will tell you)
2. What is the project and site of the session? (SELECT ProjectID, CenterID FROM session WHERE ID=2)
3. What permissions does the user have in user_perm_rel? (The ones required will vary based on the results of the above queries)
4. What sites does the user have in user_psc_rel?
5. Are you sure that the user ID of the user is "1" (since that was the only user_project_rel permission result in your query..)?

On Mon, Jul 27, 2020 at 12:19 PM Paul Novak <pnovak2 at uoregon.edu> wrote:
I don’t understand what is meant by recent. This is a new installation using a released version.

There is a single project and a single user.  The entire contents of user_project_rel are:

select * from user_project_rel;
+--------+-----------+
| UserID | ProjectID |
+--------+-----------+
|      1 |         1 |
+--------+-----------+

Paul

From: Cecile Madjar <cecile.madjar at mcin.ca>
Date: Monday, July 27, 2020 at 9:01 AM
To: Paul Novak <pnovak2 at uoregon.edu>
Cc: "loris-dev at bic.mni.mcgill.ca" <loris-dev at bic.mni.mcgill.ca>
Subject: Re: [Loris-dev] 403 Unauthorized when trying to use imaging_browser

Hello Paul,

does your admin user have access to all projects in the table user_project_rel?

In order for the user to see that page, it needs to have access to the project of the sessions. We recently added the project layer to LORIS so my guess would be that your admin user does not have the project of that session listed in his associated project in user_project_rel.

Hope this helps,

Cécile

On Mon, Jul 27, 2020 at 11:45 AM Paul Novak <pnovak2 at uoregon.edu> wrote:
Hello,

After uploading images using the imaging_uploader module, I am trying to view the images through the imaging browser (imaging_browser/viewSession/?sessionID=2). However, that page always returns 403 Unauthorized and displays a standard “You do not have access to this page” page. I am currently logged in as an admin user to LORIS and the list of permissions have all the permissions for imaging_browser module selected or enabled. The loris-error.log in /var/log/apache2/ doesn’t have any errors at the time I am trying to access this module. I am using LORIS 23.0.1.

How can I view the images? What can I do to further troubleshoot this problem?

Paul

_______________________________________________
Loris-dev mailing list
Loris-dev at bic.mni.mcgill.ca
https://mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2020-07-27 at 1.23.57 PM.png
Type: image/png
Size: 15398 bytes
Desc: Screen Shot 2020-07-27 at 1.23.57 PM.png
URL: <http://mailman.bic.mni.mcgill.ca/pipermail/loris-dev/attachments/20200727/b29a4c19/attachment-0001.png>
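
An added example, not part of the original thread and not LORIS code: it gathers the inputs discussed above (entity type, session project and site, candidate registration project, the user's projects and sites) in one pass and reports which project affiliation is missing. It assumes a constructed in-memory SQLite database that uses only the table and column names quoted in the thread, populated with the values Paul reported; the CandID value and the function names are made up for illustration.

```python
import sqlite3

# Constructed stand-in data: table/column names are those quoted in the thread,
# rows reproduce the reported values. This is not the real LORIS schema.
SCHEMA = """
CREATE TABLE candidate (CandID INTEGER, RegistrationProjectID INTEGER, Entity_type TEXT);
CREATE TABLE session (ID INTEGER, CandID INTEGER, ProjectID INTEGER, CenterID INTEGER);
CREATE TABLE user_project_rel (UserID INTEGER, ProjectID INTEGER);
CREATE TABLE user_psc_rel (UserID INTEGER, CenterID INTEGER);
INSERT INTO candidate VALUES (100001, 2, 'Human');   -- CandID is a made-up value
INSERT INTO session VALUES (2, 100001, 1, 2);
INSERT INTO user_project_rel VALUES (1, 1);
INSERT INTO user_psc_rel VALUES (1, 1), (1, 2);
"""

def build_db():
    """Create the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def explain_access(conn, user_id, session_id):
    """Collect every project/site input for one user and one session."""
    row = conn.execute(
        "SELECT c.Entity_type, s.ProjectID, s.CenterID, c.RegistrationProjectID "
        "FROM session s JOIN candidate c USING (CandID) WHERE s.ID = ?",
        (session_id,)).fetchone()
    if row is None:
        raise LookupError(f"no session with ID {session_id}")
    entity, session_project, center, registration_project = row
    projects = {p for (p,) in conn.execute(
        "SELECT ProjectID FROM user_project_rel WHERE UserID = ?", (user_id,))}
    sites = {c for (c,) in conn.execute(
        "SELECT CenterID FROM user_psc_rel WHERE UserID = ?", (user_id,))}
    return {
        "entity_type": entity,
        "has_site": center in sites,
        "has_session_project": session_project in projects,
        "has_registration_project": registration_project in projects,
        # A mismatch means a check on one project can pass while the other fails.
        "projects_mismatch": session_project != registration_project,
        "missing_projects": sorted({session_project, registration_project} - projects),
    }

if __name__ == "__main__":
    for key, value in explain_access(build_db(), user_id=1, session_id=2).items():
        print(f"{key}: {value}")
```
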

