1. 04 Sep, 2019 3 commits
    • More fixes in the tests. · 46f3bd10
      Fokkema authored
      - Removed duplication in tests; there were three login tests that all did the same.
      - Removed duplication in tests; there were two IVA disease creation tests, and one created an additional disease. This is confusing and useless duplication of code; split these features.
      - When enabling the Individual/Gender column, the test wasn't checking if that was successful.
      - Fixed wrong variable name in install_LOVD.php script.
      - The screenshot uploader now also will dump the last lines of Apache's error log, which should contain PHP errors. This may confirm my theory that the tests are failing because PHP warnings due to a WIP commit have turned into fatal errors (perhaps because of xdebug that I can't seem to turn off?).
  2. 03 Sep, 2019 3 commits
  3. 29 Aug, 2019 10 commits
  4. 28 Aug, 2019 7 commits
  5. 27 Aug, 2019 2 commits
  6. 26 Aug, 2019 1 commit
    • Fixed bug; When importing, LOVD could have used the wrong data for checking... · 6a7a40e8
      Fokkema authored
      Fixed bug; When importing, LOVD could have used the wrong data for checking the panelid, fatherid and motherid links.
      - Links to records in the file should take preference over links with database entries, instead of the other way around.
      - Links to the own ID aren't allowed, so stop throwing additional, confusing, error messages.
      - The panel size was checked only when the Individual/Gender column was active.
      - Also, checking for the Individual/Gender column happened once or twice per data row, instead of once per import.
  7. 22 Aug, 2019 6 commits
    • Merge pull request #392 from LOVDnl/fix/VLsecurity. · 702374d5
      Fokkema authored
      Several fixes in the security of ViewLists.
    • Allow Curators to also download more ViewLists. · f07395f8
      Fokkema authored
      - Allow Curators to download the gene-specific Individuals view.
      - Now that we have code authorizing Curators for VLs on the Individual's VE, let Curators download the Screening and Variant VLs there.
      - Now that we have code authorizing Curators for the Variants VL on the Screenings VE, let Curators download it.
    • Fixed bug; Screening ViewList on Individual VE was authorized for Curators, but the Ajax-VL wasn't. · c50552ea
      Fokkema authored
      - This means Curators couldn't search for non-public Screenings on the VL on this VE.
      - Now it loads the needed authorization.
    • Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized... · 224504cb
      Fokkema authored
      Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized for Curators, but the Ajax-VL wasn't.
      - This means Curators can't search for non-public variants on the VL on either of these VEs.
      - Now it loads the needed authorization.
    • Made it a bit harder for ViewLists to get their ColsToSkip overridden. · 30a38232
      Fokkema authored
      - Hiding columns for a VL is stored in session upon defining the VL. However, VLs can be loaded independently of being defined first, for the External Viewer.
      - To allow for the External Viewer to hide columns, VLs could be told to hide additional columns. However, this was overwriting the current list of hidden columns, allowing special requests that would show columns previously hidden.
      - For the Users VL, which was opened up to Submitters due to the Colleagues feature, overwriting the ColsToSkip was prevented in the VL code specifically, to hide sensitive data.
      - Added a global solution that makes sure for other VLs the list doesn't get overwritten either, but merged instead. This prevents pre-defined VLs from losing their ColsToSkip using specially crafted requests.
      - However, as the External Viewer just loads undefined VLs, it can be configured to show all columns in these VLs. As such, if the ColsToSkip feature is ever used to hide sensitive data, these columns need to be defined in the VL code itself.
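The overwrite-versus-merge behaviour in the commit message above, as an added PHP sketch that is not LOVD's code. The function names, session layout, ViewList id and column names are all hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration of the ColsToSkip change described above; not LOVD code.
// Function names, the session layout and the column names are hypothetical.

// Before: a list sent with the request replaces the list stored when the VL was defined.
function colsToSkipOverwritten(array $session, string $vl, ?array $requested): array
{
    if ($requested !== null) {
        $session[$vl]['cols_to_skip'] = $requested;
    }
    return $session[$vl]['cols_to_skip'] ?? [];
}

// After: the request can only add hidden columns. Columns listed in the VL code
// itself ($inCode) stay hidden even when the VL was never defined in the session.
function colsToSkipMerged(array $session, string $vl, ?array $requested, array $inCode = []): array
{
    $stored = $session[$vl]['cols_to_skip'] ?? [];
    return array_values(array_unique(array_merge($inCode, $stored, $requested ?? [])));
}

// Constructed sample data.
$session = ['ExampleVL' => ['cols_to_skip' => ['col_sensitive', 'col_internal']]];
$crafted = [];             // request that asks to hide nothing
$viewer  = ['col_extra'];  // viewer that hides one additional column

$cases = [
    'defined VL, overwrite'       => colsToSkipOverwritten($session, 'ExampleVL', $crafted),
    'defined VL, merge'           => colsToSkipMerged($session, 'ExampleVL', $crafted),
    'defined VL, merge + viewer'  => colsToSkipMerged($session, 'ExampleVL', $viewer),
    // The External Viewer case: nothing was stored in the session for this VL.
    'undefined VL, merge'         => colsToSkipMerged([], 'ExampleVL', $crafted),
    'undefined VL, hidden in code' => colsToSkipMerged([], 'ExampleVL', $crafted, ['col_sensitive']),
];
foreach ($cases as $label => $cols) {
    echo str_pad($label, 32), json_encode($cols), PHP_EOL;
}
```

The two "undefined VL" cases correspond to the last point of the commit message: merging protects only lists that were stored, so columns that must stay hidden have to come from the VL code.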
    • Fixed security issue in loading the authorization for ViewLists. · 849fcb82
      Fokkema authored
      - During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded by forging a $_POST request while not necessarily filtering the results using $_GET.
      - This allowed Curators to craft special requests to load VLs with non-public data of other genes.
      - Solved this by enforcing filtering when authorizing Curators.
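The mismatch described in the commit message above (authorization decided from one request source, result filtering from another), as an added PHP sketch that is not LOVD's code. The function names, the `gene` parameter, the curator table and the rows are hypothetical and constructed; `array_merge($get, $post)` stands in for `$_REQUEST` under the assumption that POST values take precedence over GET.

```php
<?php
// Added illustration of the bug class described above; not LOVD code.
// Function names, the 'gene' parameter and all data are hypothetical.

const CURATED_GENES = ['curator1' => ['GENE_A']];

function isCuratorOf(string $user, ?string $gene): bool
{
    return $gene !== null && in_array($gene, CURATED_GENES[$user] ?? [], true);
}

function visibleRows(array $rows, ?string $filterGene, bool $mayViewNonPublic): array
{
    return array_values(array_filter($rows, function (array $r) use ($filterGene, $mayViewNonPublic) {
        return ($filterGene === null || $r['gene'] === $filterGene)
            && ($r['public'] || $mayViewNonPublic);
    }));
}

// Before: authorization reads the merged request data, the filter reads GET only.
function viewListBefore(string $user, array $get, array $post, array $rows): array
{
    $request = array_merge($get, $post); // stand-in for $_REQUEST, POST taking precedence
    $authorized = isCuratorOf($user, $request['gene'] ?? null);
    return visibleRows($rows, $get['gene'] ?? null, $authorized);
}

// After: when curator authorization is granted for a gene, filtering on that gene is enforced.
function viewListAfter(string $user, array $get, array $post, array $rows): array
{
    $request = array_merge($get, $post);
    $authGene = $request['gene'] ?? null;
    $authorized = isCuratorOf($user, $authGene);
    $filterGene = $authorized ? $authGene : ($get['gene'] ?? null);
    return visibleRows($rows, $filterGene, $authorized);
}

// Constructed rows and a constructed request whose GET and POST values disagree.
$rows = [
    ['id' => 1, 'gene' => 'GENE_A', 'public' => false],
    ['id' => 2, 'gene' => 'GENE_B', 'public' => false],
    ['id' => 3, 'gene' => 'GENE_B', 'public' => true],
];
$get  = ['gene' => 'GENE_B'];
$post = ['gene' => 'GENE_A'];

echo 'before: ', json_encode(array_column(viewListBefore('curator1', $get, $post, $rows), 'id')), PHP_EOL;
echo 'after:  ', json_encode(array_column(viewListAfter('curator1', $get, $post, $rows), 'id')), PHP_EOL;
```

A regression test for this kind of fix sends disagreeing values in the two sources and asserts that no non-public row outside the authorizing gene is returned.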
  8. 21 Aug, 2019 3 commits
  9. 15 Aug, 2019 1 commit
  10. 13 Aug, 2019 1 commit
  11. 08 Aug, 2019 3 commits