[Loris-dev] Error insert candidates api/v0.0.3/candidates
Xavier Lecours Boucher, Mr
xavier.lecoursboucher at mcgill.ca
Mon Jun 14 11:04:02 EDT 2021
Hi Alfredo,
There is a discrepancy between the way the frontend and the API determine which site the user has, which site to give the new candidate, and whether a user is allowed to create a candidate at a given site. Looking at the frontend code, I can't see any validation on the site other than the content of the HTML dropdown.
The API checks if the user has the given site.
Here is the API code <https://github.com/aces/Loris/blob/23.0-release/modules/api/php/endpoints/candidates.class.inc#L185>:

    $usersites = $user->getSiteNames();
    if (!in_array($data['Candidate']['Site'], $usersites)) {
        return new \LORIS\Http\Response\JSON\Forbidden(
            'You are not affiliated with the candidate`s site'
        );
    }

So, for debugging, can you add the following lines at https://github.com/aces/Loris/blob/23.0-release/modules/api/php/endpoints/candidates.class.inc#L184, then tell me what is the response to your POST request?
var_dump($user->getSiteNames(), $data['Candidate']['Site']);
exit;
Thank you
Xavier
________________________________
From: loris-dev-bounces at bic.mni.mcgill.ca <loris-dev-bounces at bic.mni.mcgill.ca> on behalf of Morales Pinzon, Alfredo <AMORALESPINZON at BWH.HARVARD.EDU>
Sent: June 10, 2021 6:43 PM
To: loris-dev at bic.mni.mcgill.ca <loris-dev at bic.mni.mcgill.ca>
Cc: Rozie Arnaoutelis, Ms. <rozie.arnaoutelis at mcgill.ca>; Sridar Narayanan, Dr. <sridar.narayanan at mcgill.ca>; Douglas Arnold, Dr. <douglas.arnold at mcgill.ca>; Guttmann, Charles, M.D. <guttmann at bwh.harvard.edu>
Subject: [Loris-dev] Error insert candidates api/v0.0.3/candidates
Dear LorisDev team,
I can create Candidates using the web interface using an admin account that is linked to all the projects and all the sites in the system. However, when I try to create a Candidate using the API api/v0.0.3/candidates I am getting the following error:
===
{
"error": "You are not affiliated with the candidate`s site"
}
===
I’m happy to run some queries in the database to figure out what’s happening. Any ideas?
Best,
Alfredo.
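
An added example, not part of the original thread and not LORIS code: a standalone sketch of the site-affiliation check quoted in the reply above that reports how the submitted site differs from the user's sites, which is the comparison the suggested var_dump() output has to be read for. The function name `explainSiteMismatch` and the sample site names are assumptions, and it assumes `getSiteNames()` returns a list of strings.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not LORIS code). Stricter variant of the endpoint's
 * in_array() check: compares with type checking and names the mismatch.
 *
 * @param string[] $userSites what $user->getSiteNames() returned (assumed strings)
 * @param mixed    $submitted $data['Candidate']['Site'] from the POST body
 */
function explainSiteMismatch(array $userSites, $submitted): string
{
    if (in_array($submitted, $userSites, true)) {
        return 'match';
    }
    if (!is_string($submitted)) {
        // e.g. a numeric site ID was sent where a site name is expected
        return 'not a string: ' . gettype($submitted);
    }
    if ($userSites === []) {
        return 'user has no sites';
    }
    $norm = static fn(string $s): string => strtolower(trim($s));
    foreach ($userSites as $site) {
        if (trim($site) === trim($submitted)) {
            return "whitespace differs from '$site'";
        }
        if ($norm($site) === $norm($submitted)) {
            return "case differs from '$site'";
        }
    }
    return 'site not in user list';
}

// Constructed sample values, not taken from the thread.
$userSites = ['Montreal', 'Boston'];
foreach (['Boston', 'boston', ' Boston', 'Ottawa', 2] as $submitted) {
    printf(
        "%-10s => %s\n",
        var_export($submitted, true),
        explainSiteMismatch($userSites, $submitted)
    );
}
```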