1. 05 Sep, 2019 4 commits
  2. 04 Sep, 2019 4 commits
    • Finally figured out what was breaking the tests; apparently something our... · 309037a6
      Ivo Fokkema authored
      Finally figured out what was breaking the tests; apparently something our tested PHP versions don't have.
      - Fixed parse error in object_phenotypes.php.
      - Re-enabled all tests.
    • e87fe05a
    • More fixes in the tests. · 46f3bd10
      Ivo Fokkema authored
      - Removed duplication in tests; there were three login tests that all did the same.
      - Removed duplication in tests; there were two IVA disease creation tests, and one created an additional disease. This is confusing and useless duplication of code; split these features.
      - When enabling the Individual/Gender column, the test wasn't checking if that was successful.
      - Fixed wrong variable name in install_LOVD.php script.
      - The screenshot uploader now also will dump the last lines of Apache's error log, which should contain PHP errors. This may confirm my theory that the tests are failing because PHP warnings due to a WIP commit have turned into fatal errors (perhaps because of xdebug that I can't seem to turn off?).
  3. 03 Sep, 2019 3 commits
  4. 29 Aug, 2019 10 commits
  5. 28 Aug, 2019 7 commits
  6. 27 Aug, 2019 2 commits
  7. 26 Aug, 2019 1 commit
    • Fixed bug; When importing, LOVD could have used the wrong data for checking... · 6a7a40e8
      Ivo Fokkema authored
      Fixed bug; When importing, LOVD could have used the wrong data for checking the panelid, fatherid and motherid links.
      - Links to records in the file should take preference over links with database entries, instead of the other way around.
      - Links to the own ID aren't allowed, so stop throwing additional, confusing, error messages.
      - The panel size was checked only when the Individual/Gender column was active.
      - Also, checking for the Individual/Gender column happened once or twice per data row, instead of once per import.
  8. 22 Aug, 2019 6 commits
    • Merge pull request #392 from LOVDnl/fix/VLsecurity. · 702374d5
      Ivo Fokkema authored
      Several fixes in the security of ViewLists.
    • Allow Curators to also download more ViewLists. · f07395f8
      Ivo Fokkema authored
      - Allow Curators to download the gene-specific Individuals view.
      - Now that we have code authorizing Curators for VLs on the Individual's VE, let Curators download the Screening and Variant VLs there.
      - Now that we have code authorizing Curators for the Variants VL on the Screenings VE, let Curators download it.
    • Fixed bug; Screening ViewList on Individual VE was authorized for Curators, but the Ajax-VL wasn't. · c50552ea
      Ivo Fokkema authored
      - This means Curators couldn't search for non-public Screenings on the VL on this VE.
      - Now it loads the needed authorization.
    • Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized... · 224504cb
      Ivo Fokkema authored
      Fixed bug; Variant ViewLists on Individual and Screening VEs were authorized for Curators, but the Ajax-VL wasn't.
      - This means Curators can't search for non-public variants on the VL on either of these VEs.
      - Now it loads the needed authorization.
    • Made it a bit harder for ViewLists to get their ColsToSkip overridden. · 30a38232
      Ivo Fokkema authored
      - Hiding columns for a VL is stored in session upon defining the VL. However, VLs can be loaded independently of being defined first, for the External Viewer.
      - To allow for the External Viewer to hide columns, VLs could be told to hide additional columns. However, this was overwriting the current list of hidden columns, allowing special requests that would show columns previously hidden.
      - For the Users VL, which was opened up to Submitters due to the Colleagues feature, overwriting the ColsToSkip was prevented in the VL code specifically, to hide sensitive data.
      - Added a global solution that makes sure for other VLs the list doesn't get overwritten either, but merged instead. This prevents pre-defined VLs from losing their ColsToSkip using specially crafted requests.
      - However, as the External Viewer just loads undefined VLs, it can be configured to show all columns in these VLs. As such, if the ColsToSkip feature is ever used to hide sensitive data, these columns need to be defined in the VL code itself.
    • Fixed security issue in loading the authorization for ViewLists. · 849fcb82
      Ivo Fokkema authored
      - During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded forging a $_POST request while not necessarily filtering the results using $_GET.
      - This allowed Curators to craft special requests to load VLs with non-public data of other genes.
      - Solved this by enforcing filtering when authorizing Curators.
  9. 21 Aug, 2019 3 commits