  4. 22 Aug, 2019 6 commits
    •
      Merge pull request #392 from LOVDnl/fix/VLsecurity. · 702374d5
      Ivo Fokkema authored
      Several fixes in the security of ViewLists.
    •
      Allow Curators to also download more ViewLists. · f07395f8
      Ivo Fokkema authored
      - Allow Curators to download the gene-specific Individuals view.
      - Now that we have code authorizing Curators for VLs on the Individual's VE, let Curators download the Screening and Variant VLs there.
      - Now that we have code authorizing Curators for the Variants VL on the Screenings VE, let Curators download it.
    •
      Fixed bug; Screening ViewList on Individual VE was authorized for Curators, but the Ajax-VL wasn't. · c50552ea
      Ivo Fokkema authored
      - This means Curators couldn't search for non-public Screenings on the VL on this VE.
      - Now it loads the needed authorization.
    •
      Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized for Curators, but the Ajax-VL wasn't. · 224504cb
      Ivo Fokkema authored
      - This means Curators can't search for non-public variants on the VL on either of these VEs.
      - Now it loads the needed authorization.
    •
      Made it a bit harder for ViewLists to get their ColsToSkip overridden. · 30a38232
      Ivo Fokkema authored
      - Hiding columns for a VL is stored in session upon defining the VL. However, VLs can be loaded independently of being defined first, for the External Viewer.
      - To allow for the External Viewer to hide columns, VLs could be told to hide additional columns. However, this was overwriting the current list of hidden columns, allowing special requests that would show columns previously hidden.
      - For the Users VL, which was opened up to Submitters due to the Colleagues feature, overwriting the ColsToSkip was prevented in the VL code specifically, to hide sensitive data.
      - Added a global solution that makes sure for other VLs the list doesn't get overwritten either, but merged instead. This prevents pre-defined VLs from losing their ColsToSkip using specially crafted requests.
      - However, as the External Viewer just loads undefined VLs, it can be configured to show all columns in these VLs. As such, if the ColsToSkip feature is ever used to hide sensitive data, these columns need to be defined in the VL code itself.
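      The overwrite-versus-merge distinction in commit 30a38232, as an added illustration (this is not LOVD's code): a VL is defined with two hidden columns, and a request then asks to hide only a harmless column. The column names, the `skip` parameter and the function names are invented for the demo; the last call shows the caveat from the commit, a VL loaded without a prior definition, where merging has nothing to protect.

```php
<?php
// Added illustration, not LOVD code. Models the ColsToSkip handling described in
// commit 30a38232. Column names and the 'skip' request parameter are made up.

// Columns the ViewList was defined with (stored in session in LOVD; a plain
// array here so the script runs from the CLI). Imagine these hold sensitive data.
$aDefinedColsToSkip = array('email', 'phone');

// Attacker-controlled request: asks to hide only a harmless column.
$_GET['skip'] = 'created_date';

// Parse a comma-separated column list from the request, dropping empty entries.
function parseRequestedCols($sValue)
{
    if (!is_string($sValue)) {
        return array();
    }
    return array_values(array_filter(array_map('trim', explode(',', $sValue)), 'strlen'));
}

// Before the fix: the request replaces the stored list, so 'email' and 'phone'
// become visible again.
function colsToSkipOverwrite(array $aStored, array $aRequested)
{
    return $aRequested;
}

// After the fix: the request can only add hidden columns, never remove one.
function colsToSkipMerge(array $aStored, array $aRequested)
{
    return array_values(array_unique(array_merge($aStored, $aRequested)));
}

$aRequested = parseRequestedCols($_GET['skip']);

print_r(colsToSkipOverwrite($aDefinedColsToSkip, $aRequested));
// Array ( [0] => created_date )  -> sensitive columns exposed
print_r(colsToSkipMerge($aDefinedColsToSkip, $aRequested));
// Array ( [0] => email [1] => phone [2] => created_date )

// Caveat from the commit: a VL loaded without being defined first (the External
// Viewer case) starts with an empty stored list, so merging protects nothing.
// Columns that must stay hidden have to be fixed in the VL code itself.
print_r(colsToSkipMerge(array(), $aRequested));
// Array ( [0] => created_date )
```

      Run with `php` from the command line; no web server or session is needed because the stored list is a local array rather than `$_SESSION`.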
    •
      Fixed security issue in loading the authorization for ViewLists. · 849fcb82
      Ivo Fokkema authored
      - During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded by forging a $_POST request while not necessarily filtering the results using $_GET.
      - This allowed Curators to craft special requests to load VLs with non-public data of other genes.
      - Solved this by enforcing filtering when authorizing Curators.
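      The $_REQUEST/$_GET mismatch in commit 849fcb82, as an added illustration (this is not LOVD's code): authorization is keyed on `$_REQUEST['gene']`, which PHP fills from GET and POST, while the result filter only looks at `$_GET['gene']`. A curator of one gene posts that gene's name, sends no GET filter, and receives non-public rows of every gene. The curator table, the variant rows, the `gene` parameter and the function names are constructed for the demo; `$_REQUEST` is built by hand because PHP only populates it for a real HTTP request.

```php
<?php
// Added illustration, not LOVD code. Models the bug fixed in commit 849fcb82.
// All data below is constructed; LOVD's real tables and column names differ.

// Curator assignments (constructed): user 5 curates BRCA1 only.
$aCurators = array(5 => array('BRCA1'));
$nCurrentUserID = 5;

// Sample variant rows (constructed); rows with public = 0 are non-public.
$aVariants = array(
    array('id' => 1, 'gene' => 'BRCA1', 'public' => 1),
    array('id' => 2, 'gene' => 'BRCA1', 'public' => 0),
    array('id' => 3, 'gene' => 'TP53',  'public' => 0),
);

function isCuratorOf($sGene, $nUserID, array $aCurators)
{
    return isset($aCurators[$nUserID]) && in_array($sGene, $aCurators[$nUserID], true);
}

// Vulnerable: gene for authorization comes from $_REQUEST, gene for filtering
// from $_GET. A POST body can satisfy the first without constraining the second.
function loadViewListVulnerable(array $aVariants, $nUserID, array $aCurators)
{
    $sAuthGene   = isset($_REQUEST['gene']) ? $_REQUEST['gene'] : '';
    $sFilterGene = isset($_GET['gene'])     ? $_GET['gene']     : '';
    $bAuthorized = isCuratorOf($sAuthGene, $nUserID, $aCurators);

    $aOut = array();
    foreach ($aVariants as $aRow) {
        if ($sFilterGene !== '' && $aRow['gene'] !== $sFilterGene) continue;
        if (!$aRow['public'] && !$bAuthorized) continue;
        $aOut[] = $aRow['id'];
    }
    return $aOut;
}

// Fixed, in the spirit of the commit: once curator rights for a gene are
// loaded, the result set is always restricted to that gene, whatever $_GET says.
function loadViewListFixed(array $aVariants, $nUserID, array $aCurators)
{
    $sAuthGene   = isset($_REQUEST['gene']) ? $_REQUEST['gene'] : '';
    $bAuthorized = isCuratorOf($sAuthGene, $nUserID, $aCurators);
    $sFilterGene = $bAuthorized ? $sAuthGene : (isset($_GET['gene']) ? $_GET['gene'] : '');

    $aOut = array();
    foreach ($aVariants as $aRow) {
        if ($sFilterGene !== '' && $aRow['gene'] !== $sFilterGene) continue;
        if (!$aRow['public'] && !$bAuthorized) continue;
        $aOut[] = $aRow['id'];
    }
    return $aOut;
}

// Forged request: the gene the curator is authorized for is sent in the POST
// body, and no gene filter is sent in the query string.
$_GET     = array();
$_POST    = array('gene' => 'BRCA1');
$_REQUEST = array_merge($_GET, $_POST);   // emulates PHP's default request_order "GP"

print_r(loadViewListVulnerable($aVariants, $nCurrentUserID, $aCurators));
// Array ( [0] => 1 [1] => 2 [2] => 3 )  -> non-public TP53 row leaked
print_r(loadViewListFixed($aVariants, $nCurrentUserID, $aCurators));
// Array ( [0] => 1 [1] => 2 )           -> restricted to the authorized gene
```

      The general check this demonstrates: whatever request field grants a privilege must be the same field that scopes the data returned, or the scope must be derived from the granted privilege rather than read again from the request.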