Unverified Commit 702374d5 authored by Ivo Fokkema's avatar Ivo Fokkema Committed by GitHub

Merge pull request #392 from LOVDnl/fix/VLsecurity.

Several fixes in the security of ViewLists.
parents 12c79177 f07395f8
......@@ -4,10 +4,10 @@
* LEIDEN OPEN VARIATION DATABASE (LOVD)
*
* Created : 2010-02-18
* Modified : 2018-08-09
* Modified : 2018-08-22
* For LOVD : 3.0-22
*
* Copyright : 2004-2018 Leiden University Medical Center; http://www.LUMC.nl/
* Copyright : 2004-2019 Leiden University Medical Center; http://www.LUMC.nl/
* Programmers : Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@LUMC.nl>
* Ivar C. Lugtenburg <I.C.Lugtenburg@LUMC.nl>
* Daan Asscheman <D.Asscheman@LUMC.nl>
......@@ -97,22 +97,57 @@ if ($_AUTH['level'] < LEVEL_MANAGER && (!empty($_AUTH['curates']) || !empty($_AU
lovd_isAuthorized('gene', $_AUTH['curates']); // Any gene will do.
} elseif ($sObject == 'Individual' && isset($_REQUEST['search_genes_searched']) && preg_match('/^="([^"]+)"$/', $_REQUEST['search_genes_searched'], $aRegs)) {
lovd_isAuthorized('gene', $aRegs[1]); // Authorize for the gene currently searched (it currently restricts the view).
// Since we're authorizing on $_REQUEST which also contains $_POST data, make sure the $_GET (what we actually filter on) matches what we authorize on!!!
$_GET['search_genes_searched'] = $_REQUEST['search_genes_searched'];
} elseif ($sObject == 'Transcript' && isset($_REQUEST['search_geneid']) && preg_match('/^="([^"]+)"$/', $_REQUEST['search_geneid'], $aRegs)) {
lovd_isAuthorized('gene', $aRegs[1]); // Authorize for the gene currently searched (it currently restricts the view).
// Since we're authorizing on $_REQUEST which also contains $_POST data, make sure the $_GET (what we actually filter on) matches what we authorize on!!!
$_GET['search_geneid'] = $_REQUEST['search_geneid'];
} elseif ($sObject == 'Shared_Column' && isset($_REQUEST['object_id'])) {
lovd_isAuthorized('gene', $sObjectID); // Authorize for the gene currently loaded.
} elseif ($sObject == 'Custom_ViewList' && isset($_REQUEST['id'])) {
} elseif ($sObject == 'Screening' && $sViewListID == 'Screenings_for_I_VE' && isset($_REQUEST['search_individualid']) && ctype_digit($_REQUEST['search_individualid'])) {
// Screenings_for_I_VE has no ID but authorizes on search_individualid.
lovd_isAuthorized('individual', $_REQUEST['search_individualid']); // Authorize for the Screening(s) currently searched (it restricts the view).
// Since we're authorizing on $_REQUEST which also contains $_POST data, make sure the $_GET (what we actually filter on) matches what we authorize on!!!
$_GET['search_individualid'] = $_REQUEST['search_individualid'];
} elseif ($sObject == 'Custom_ViewList') {
// 2013-06-28; 3.0-06; We can't just authorize users based on the given ID without actually checking the shown objects and checking if the search results are actually limited or not.
// CustomVL_VOT_for_I_VE has no ID and does not require authorization (only public VOGs loaded).
// CustomVL_VOT_for_S_VE has no ID and does not require authorization (only public VOGs loaded).
// CustomVL_IN_GENE has no ID and does not require authorization (only public VOGs loaded).
// CustomVL_VOT_VOG_<<GENE>> is restricted per gene in the object argument, and search_transcriptid should contain a transcript ID that matches.
// CustomVL_VIEW_<<GENE>> is restricted per gene in the object argument, and search_transcriptid should contain a transcript ID that matches.
if (in_array($sObjectID, array('VariantOnTranscript,VariantOnGenome', 'VariantOnTranscriptUnique,VariantOnGenome', 'VariantOnTranscript,VariantOnGenome,Screening,Individual')) && (!isset($_REQUEST['search_transcriptid']) || !$_DB->query('SELECT COUNT(*) FROM ' . TABLE_TRANSCRIPTS . ' WHERE id = ? AND geneid = ?', array($_REQUEST['search_transcriptid'], $_REQUEST['id']))->fetchColumn())) {
die(AJAX_NO_AUTH);
if (!empty($_REQUEST['id'])) {
// CustomVL_VOT_VOG_<<GENE>> is restricted per gene in the object argument, and search_transcriptid should contain a transcript ID that matches.
// CustomVL_VIEW_<<GENE>> is restricted per gene in the object argument, and search_transcriptid should contain a transcript ID that matches.
if (in_array($sObjectID,
array(
'VariantOnTranscript,VariantOnGenome',
'VariantOnTranscriptUnique,VariantOnGenome',
'VariantOnTranscript,VariantOnGenome,Screening,Individual'
)) && (!isset($_REQUEST['search_transcriptid'])
|| !$_DB->query('SELECT COUNT(*) FROM ' . TABLE_TRANSCRIPTS . ' WHERE id = ? AND geneid = ?', array($_REQUEST['search_transcriptid'], $_REQUEST['id']))->fetchColumn())) {
die(AJAX_NO_AUTH);
}
lovd_isAuthorized('gene', $nID); // Authorize for the gene currently loaded.
} elseif ($sObjectID == 'VariantOnGenome,Scr2Var,VariantOnTranscript' && isset($_REQUEST['search_screeningid'])) {
// CustomVL_VOT_for_I_VE has no ID but authorizes on search_screeningid (can contain multiple IDs).
// CustomVL_VOT_for_S_VE has no ID but authorizes on search_screeningid.
// When receiving multiple screenings, we intend of course to authorize on its individual.
// We should not allow to add an "OR screeningid = ?" clause including an owned Screening to force authorization.
// Check if we have multiple screening IDs. If so, make sure they belong together.
$aScreeningIDs = explode('|', $_REQUEST['search_screeningid']);
if (count($aScreeningIDs) > 1) {
$nIndividuals = $_DB->query('SELECT COUNT(DISTINCT individualid) FROM ' . TABLE_SCREENINGS . ' WHERE id IN (?' . str_repeat(', ?', count($aScreeningIDs) - 1) . ')',
$aScreeningIDs)->fetchColumn();
if ($nIndividuals > 1) {
// This custom VL is only loaded for authorization on Screenings, and there's no reason to have multiple Individuals.
die(AJAX_NO_AUTH);
}
}
lovd_isAuthorized('screening', $aScreeningIDs); // Authorize for the Screening(s) currently searched (it restricts the view).
// Since we're authorizing on $_REQUEST which also contains $_POST data, make sure the $_GET (what we actually filter on) matches what we authorize on!!!
$_GET['search_screeningid'] = $_REQUEST['search_screeningid'];
}
lovd_isAuthorized('gene', $nID); // Authorize for the gene currently loaded.
}
}
......@@ -131,7 +166,18 @@ $aColsToSkip = (!empty($_REQUEST['skip'])? $_REQUEST['skip'] : array());
// about users than the info the access sharing page gives them.
if ($sObject == 'User' && $_AUTH['level'] < LEVEL_MANAGER) {
// Force removal of certain columns, regardless of this has been requested or not.
$aColsToSkip = array_unique(array_merge($aColsToSkip, array('username', 'status_', 'last_login_', 'created_date_', 'curates', 'level_')));
// We cannot trust this was set in $_SESSION already since the VL can be loaded independently.
$aColsToSkip = array_unique(
array_merge(
$aColsToSkip,
array(
'username',
'status_',
'last_login_',
'created_date_',
'curates',
'level_'
)));
}
// Managers, and sometimes curators, are allowed to download lists...
......@@ -211,7 +257,12 @@ if (POST && ACTION == 'applyFR') {
// Parameters are assumed to be in $_SESSION, only cols_to_skip can be overridden. This is for the external viewer.
$aOptions = array();
if ($aColsToSkip) {
$aOptions['cols_to_skip'] = $aColsToSkip;
// Don't let the requested list of columns overwrite the original one. Only additional columns may be hidden.
$aOptions['cols_to_skip'] = array_unique(array_merge(
(!isset($_SESSION['viewlists'][$_GET['viewlistid']]['options']['cols_to_skip'])? array()
: $_SESSION['viewlists'][$_GET['viewlistid']]['options']['cols_to_skip']),
$aColsToSkip
));
}
$_DATA->viewList($_GET['viewlistid'], $aOptions);
?>
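Review bot: In the authorization hunk, the `!empty($_REQUEST['id'])` branch validates `$_REQUEST['search_transcriptid']` against the gene but, unlike the sibling branches, never mirrors that value into `$_GET`, so a value that satisfies the check in `$_POST` can coexist with a different `search_transcriptid` in `$_GET`, which the surrounding comments say is what is actually filtered on; add `$_GET['search_transcriptid'] = $_REQUEST['search_transcriptid'];` right after the `die(AJAX_NO_AUTH)` block. The new `search_screeningid` branch splits the value on `|` with no format check, whereas the Screening branch above insists on `ctype_digit()`; a guard such as `if (!preg_match('/^\d+(\|\d+)*$/', $_REQUEST['search_screeningid'])) { die(AJAX_NO_AUTH); }` placed before the `explode()` would reject operator syntax or stray whitespace that the `COUNT(DISTINCT individualid)` query and the later filter could interpret differently. That `id` branch also authorizes on `$nID` while the transcript query is bound to `$_REQUEST['id']`; if those two can differ (both are set outside the hunk), the check and the authorization would cover different genes. The older comments stating that CustomVL_VOT_for_I_VE and CustomVL_VOT_for_S_VE require no authorization appear to survive just above the new branch that now authorizes exactly those lists on `search_screeningid`; if they do, they should be dropped. The enclosing `if ($_AUTH['level'] < LEVEL_MANAGER ...)` block begins outside the hunk.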
......@@ -4,10 +4,10 @@
* LEIDEN OPEN VARIATION DATABASE (LOVD)
*
* Created : 2011-02-16
* Modified : 2018-04-13
* For LOVD : 3.0-21
* Modified : 2019-08-22
* For LOVD : 3.0-22
*
* Copyright : 2004-2017 Leiden University Medical Center; http://www.LUMC.nl/
* Copyright : 2004-2019 Leiden University Medical Center; http://www.LUMC.nl/
* Programmers : Ivar C. Lugtenburg <I.C.Lugtenburg@LUMC.nl>
* Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@LUMC.nl>
* Daan Asscheman <D.Asscheman@LUMC.nl>
......@@ -62,8 +62,8 @@ if ((PATH_COUNT == 1 || (!empty($_PE[1]) && !ctype_digit($_PE[1]))) && !ACTION)
}
}
// Managers are allowed to download this list...
if ($_AUTH['level'] >= LEVEL_MANAGER) {
// Managers and authorized curators are allowed to download this list...
if ($_AUTH['level'] >= LEVEL_CURATOR) {
define('FORMAT_ALLOW_TEXTPLAIN', true);
}
......@@ -81,7 +81,7 @@ if ((PATH_COUNT == 1 || (!empty($_PE[1]) && !ctype_digit($_PE[1]))) && !ACTION)
$_DATA = new LOVD_Individual();
$aVLOptions = array(
'cols_to_skip' => $aColsToHide,
'show_options' => ($_AUTH['level'] >= LEVEL_MANAGER),
'show_options' => ($_AUTH['level'] >= LEVEL_CURATOR),
'find_and_replace' => true,
);
$_DATA->viewList('Individuals', $aVLOptions);
......@@ -168,7 +168,9 @@ if (PATH_COUNT == 2 && ctype_digit($_PE[1]) && !ACTION) {
'cols_to_skip' => array('screeningid', 'individualid', 'created_date', 'edited_date'),
'track_history' => false,
'show_navigation' => false,
'show_options' => ($_AUTH['level'] >= LEVEL_CURATOR),
);
// This ViewList ID is checked in ajax/viewlist.php. Don't just change it.
$_DATA->viewList('Screenings_for_I_VE', $aScreeningVLOptions);
unset($_GET['search_individualid']);
......@@ -180,7 +182,7 @@ if (PATH_COUNT == 2 && ctype_digit($_PE[1]) && !ACTION) {
// VOG needs to be first, so it groups by the VOG ID.
$_DATA = new LOVD_CustomViewList(array('VariantOnGenome', 'Scr2Var', 'VariantOnTranscript'));
$aVariantVLOptions = array(
'show_options' => ($_AUTH['level'] >= LEVEL_MANAGER),
'show_options' => ($_AUTH['level'] >= LEVEL_CURATOR),
);
$_DATA->viewList('CustomVL_VOT_for_I_VE', $aVariantVLOptions);
}
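Review bot: The new download gate `if ($_AUTH['level'] >= LEVEL_CURATOR)` tests only the account level, while the comment it replaces promises "authorized curators"; unless `$_AUTH['level']` has already been narrowed to the current gene by an `lovd_isAuthorized()` call earlier in this file (not visible in the hunk), any curator-level user can now download the full individuals list, which is broader than the MANAGER gate allowed. If that narrowing is not guaranteed at this point, tie `FORMAT_ALLOW_TEXTPLAIN` to the same per-gene check the ajax viewlist applies (`lovd_isAuthorized('gene', $_AUTH['curates'])`) rather than the bare level, and word the comment to say which curators qualify. The same MANAGER→CURATOR change recurs for `show_options` in the later hunks of this file and in the next file; those only toggle UI options and are lower risk, but they should follow whatever decision is taken here.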
......
......@@ -4,7 +4,7 @@
* LEIDEN OPEN VARIATION DATABASE (LOVD)
*
* Created : 2011-03-18
* Modified : 2019-08-07
* Modified : 2019-08-22
* For LOVD : 3.0-22
*
* Copyright : 2004-2019 Leiden University Medical Center; http://www.LUMC.nl/
......@@ -144,7 +144,7 @@ if (PATH_COUNT == 2 && ctype_digit($_PE[1]) && !ACTION) {
$_DATA = new LOVD_CustomViewList(array('VariantOnGenome', 'Scr2Var', 'VariantOnTranscript'));
$aVLOptions = array(
'cols_to_skip' => array('transcriptid'),
'show_options' => ($_AUTH['level'] >= LEVEL_MANAGER),
'show_options' => ($_AUTH['level'] >= LEVEL_CURATOR),
);
$_DATA->viewList('CustomVL_VOT_for_S_VE', $aVLOptions);
}
......