[Loris-dev] Error insert candidates api/v0.0.3/candidates

Xavier Lecours Boucher, Mr xavier.lecoursboucher at mcgill.ca
Mon Jun 14 11:04:02 EDT 2021


Hi Alfredo,

There is a discrepancy between the frontend and the API in the way they determine which sites the user has, which site to give the new candidate, and whether a user is allowed to create a candidate at a given site. Looking at the frontend code, I can't see any validation of the site other than the content of the HTML dropdown.

The API checks if the user has the given site.

Here is the API code <https://github.com/aces/Loris/blob/23.0-release/modules/api/php/endpoints/candidates.class.inc#L185>:
$usersites = $user->getSiteNames();
if (!in_array($data['Candidate']['Site'], $usersites)) {
    return new \LORIS\Http\Response\JSON\Forbidden(
        'You are not affiliated with the candidate`s site'
    );
}
So, for debugging, can you add the following lines at https://github.com/aces/Loris/blob/23.0-release/modules/api/php/endpoints/candidates.class.inc#L184 , then tell me what the response to your POST request is?

var_dump($user->getSiteNames(), $data['Candidate']['Site']);
exit;
Thank you
Xavier
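As an added illustration (not Loris code), here is what a single server-side affiliation check could look like if both the web form handler and the API endpoint called it, so the two paths cannot drift apart; the function name, the strict comparison and the sample site names are assumptions, not something from the thread:

```php
<?php
// Added example, not part of Loris. Names and sample values are assumptions.
declare(strict_types=1);

/**
 * Returns null when $requestedSite is one of $userSiteNames, otherwise a
 * message describing the mismatch, which is what you want to see when
 * debugging a 403 instead of a bare "not affiliated" error.
 */
function checkSiteAffiliation(array $userSiteNames, $requestedSite): ?string
{
    if (!is_string($requestedSite) || $requestedSite === '') {
        return 'Candidate.Site is missing or is not a string';
    }
    // Strict comparison: a site ID sent where a site name is expected, or a
    // case/whitespace difference, is reported as a mismatch rather than
    // silently passing through PHP's loose comparison rules.
    if (in_array($requestedSite, $userSiteNames, true)) {
        return null;
    }
    return sprintf(
        "Site '%s' is not among the user's sites [%s]",
        $requestedSite,
        implode(', ', $userSiteNames)
    );
}

// Constructed inputs: a user affiliated with two sites.
$userSites = ['Montreal', 'Boston'];
var_dump(checkSiteAffiliation($userSites, 'Boston'));  // NULL (allowed)
var_dump(checkSiteAffiliation($userSites, 'boston'));  // mismatch message
var_dump(checkSiteAffiliation($userSites, 2));         // type message
```

The same function can serve the frontend form handler, which would give the dropdown a server-side check rather than relying on the HTML options alone.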






________________________________
From: loris-dev-bounces at bic.mni.mcgill.ca <loris-dev-bounces at bic.mni.mcgill.ca> on behalf of Morales Pinzon, Alfredo <AMORALESPINZON at BWH.HARVARD.EDU>
Sent: June 10, 2021 6:43 PM
To: loris-dev at bic.mni.mcgill.ca <loris-dev at bic.mni.mcgill.ca>
Cc: Rozie Arnaoutelis, Ms. <rozie.arnaoutelis at mcgill.ca>; Sridar Narayanan, Dr. <sridar.narayanan at mcgill.ca>; Douglas Arnold, Dr. <douglas.arnold at mcgill.ca>; Guttmann, Charles, M.D. <guttmann at bwh.harvard.edu>
Subject: [Loris-dev] Error insert candidates api/v0.0.3/candidates

Dear LorisDev team,

I can create Candidates using the web interface using an admin account that is linked to all the projects and all the sites in the system. However, when I try to create a Candidate using the API api/v0.0.3/candidates, I am getting the following error:

===
{
"error": "You are not affiliated with the candidate`s site"
}
===

I’m happy to run some queries in the database to figure out what’s happening. Any ideas?

Best,
Alfredo.