1. 29 Aug, 2019 1 commit
  2. 28 Aug, 2019 6 commits
  3. 27 Aug, 2019 2 commits
  4. 22 Aug, 2019 6 commits
    • Merge pull request #392 from LOVDnl/fix/VLsecurity. · 702374d5
      Fokkema authored
      Several fixes in the security of ViewLists.
    • Allow Curators to also download more ViewLists. · f07395f8
      Fokkema authored
      - Allow Curators to download the gene-specific Individuals view.
      - Now that we have code authorizing Curators for VLs on the Individual's VE, let Curators download the Screening and Variant VLs there.
      - Now that we have code authorizing Curators for the Variants VL on the Screenings VE, let Curators download it.
    • Fixed bug; Screening ViewList on Individual VE was authorized for Curators, but the Ajax-VL wasn't. · c50552ea
      Fokkema authored
      - This means Curators couldn't search for non-public Screenings on the VL on this VE.
      - Now it loads the needed authorization.
    • Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized... · 224504cb
      Fokkema authored
      Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized for Curators, but the Ajax-VL wasn't.
      - This means Curators can't search for non-public variants on the VL on either of these VEs.
      - Now it loads the needed authorization.
    • Made it a bit harder for ViewLists to get their ColsToSkip overridden. · 30a38232
      Fokkema authored
      - Hiding columns for a VL is stored in session upon defining the VL. However, VLs can be loaded independently of being defined first, for the External Viewer.
      - To allow for the External Viewer to hide columns, VLs could be told to hide additional columns. However, this was overwriting the current list of hidden columns, allowing special requests that would show columns previously hidden.
      - For the Users VL, which was opened up to Submitters due to the Colleagues feature, overwriting the ColsToSkip was prevented in the VL code specifically, to hide sensitive data.
      - Added a global solution that makes sure for other VLs the list doesn't get overwritten either, but merged instead. This prevents pre-defined VLs from losing their ColsToSkip using specially crafted requests.
      - However, as the External Viewer just loads undefined VLs, it can be configured to show all columns in these VLs. As such, if the ColsToSkip feature is ever used to hide sensitive data, these columns need to be defined in the VL code itself.
    • Fixed security issue in loading the authorization for ViewLists. · 849fcb82
      Fokkema authored
      - During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded forging a $_POST request while not necessarily filtering the results using $_GET.
      - This allowed Curators to craft special requests to load VLs with non-public data of other genes.
      - Solved this by enforcing filtering when authorizing Curators.
  5. 21 Aug, 2019 3 commits
  6. 15 Aug, 2019 1 commit
  7. 13 Aug, 2019 1 commit
  8. 08 Aug, 2019 6 commits
  9. 07 Aug, 2019 3 commits
  10. 06 Aug, 2019 4 commits
  11. 05 Aug, 2019 1 commit
  12. 01 Aug, 2019 4 commits
  13. 31 Jul, 2019 2 commits
    • Fixed some problems with the DOI view. · 8b3f01fd
      Fokkema authored
      - Pagination was off, but especially if you're searching by journal you need pagination.
      - Fixed the journal search; DOIs can also contain slashes and journal names can contain dots.
      - Cleaned up the code a bit.
    • Merge pull request #383 from LOVDnl/fix/257 · 36183a2a
      Fokkema authored
      Allow for publisher and journal-specific queries using the DOI reference search.