[dicom_archive] Dicom archive siteproject main (#9549)

This adds advanced site and project permissions to the dicom archive.
It is designed to be fully backwards compatible based on the
`useImagingSiteProjectPermissions` configuration setting. Here is how
the permissions are designed to work

- If useImagingSiteProjectPermissions is disabled (status-quo)
  - A user with dicom_archive_allsites can see all the data (DEFAULT)
- A user with own sites can only see data at their own sites (can not
see data with no session ID)
- A user with own sites and nosessionid permission can see their site
data + dicoms not associated to a session
  - A user can always see DICOMS of scans they uploaded
- If useImagingSiteProjectPermissions is enabled
- A user with all sites permissions can see all the data from all sites
as long as the projectID is defined and they are affiliated with that
project (null sessions WILL NOT SHOW)
- A user with own sites, same logic, only projects they are affiliated
with (NO NULL sessions)
- A user with either site permissions + nosessionID permission can see
respectively the same as above + DICOMS not affiliated to a sessions
  - A user can always see DICOMS they have uploaded


TO BE NOTED: The core of this is the work done in the
`dicom_archive::getDataProvisionerWithFilters()` function. The code
there could have been made slightly more concise but I wrote it in that
way because I would like it to eventually become the DEFAULT
dataframework filtering logic since it accounts for most if not all
usecases (replacing the current UserSiteMatchOrHasAnyPermissions). It
defines flags that I would like to make standard going forward like
`dataSessionCanBeNull` where multiple module seem to lack a session
related to the resource.

Author: ridz1208

SQL/0000-00-02-Permission.sql

@@ -144,7 +144,9 @@ INSERT INTO `permissions` (code, description, moduleID, action, categoryID) VALU
     ('issue_tracker_close_site_issue','Issues - Own Sites',(SELECT ID FROM modules WHERE Name = 'issue_tracker'),'Close',2),
     ('issue_tracker_close_all_issue','Issues - All Sites',(SELECT ID FROM modules WHERE Name = 'issue_tracker'),'Close',2),
     ('imaging_uploader_ownsites', 'Imaging Scans - Own Sites', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', '2'),
-    ('imaging_uploader_nosessionid', 'Imaging Scans with no session ID', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', '2')
+    ('imaging_uploader_nosessionid', 'Imaging Scans with no session ID', (SELECT ID FROM modules WHERE Name='imaging_uploader'), 'View', '2'),
+    ('dicom_archive_nosessionid', 'DICOMs with no session ID', (SELECT ID FROM modules WHERE Name='dicom_archive'), 'View', '2'),
+    ('dicom_archive_view_ownsites', 'DICOMs - Own Sites', (SELECT ID FROM modules WHERE Name='dicom_archive'), 'View', '2')
     ;
 
 INSERT INTO `user_perm_rel` (userID, permID)

SQL/0000-00-03-ConfigTables.sql

@@ -101,7 +101,6 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'tblScanTypes', 'Scan types from the mri_scan_type table that the project wants to see displayed in Imaging Browser table', 1, 1, 'scan_type', ID, 'Imaging Browser Tabulated Scan Types', 7 FROM ConfigSettings WHERE Name="imaging_modules";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'ImagingBrowserLinkedInstruments', 'Instruments that the users want to see linked from Imaging Browser', 1, 1, 'instrument', ID, 'Imaging Browser Links to Instruments', 8 FROM ConfigSettings WHERE Name="imaging_modules";
 
-
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, Label, OrderNumber) VALUES ('statistics', 'Statistics module settings', 1, 0, 'Statistics', 7);
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'excludedMeasures', 'Instruments to be excluded from Statistics calculations', 1, 1, 'instrument', ID, 'Excluded instruments', 1 FROM ConfigSettings WHERE Name="statistics";
 

SQL/New_patches/2025-01-31-dicom_archive_permissions.sql

@@ -0,0 +1,5 @@
+INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+SELECT 'dicom_archive_nosessionid', 'DICOMs with no session ID', ID, 'View', 2 FROM modules WHERE Name='dicom_archive';
+
+INSERT INTO permissions (code, description, moduleID, `action`, categoryID)
+SELECT 'dicom_archive_view_ownsites', 'DICOMs - Own Sites', ID, 'View', 2 FROM modules WHERE Name='dicom_archive';

modules/dicom_archive/README.md

@@ -25,8 +25,35 @@ user's system.
 
 ## Permissions
 
-The permission `dicom_archive_view_allsites` is required to access
-the DICOM Archive module.
+*In the interest of backward compatibility, permission behaviour varies slightly 
+based on the `useAdvancedPermissions` configuration*
+
+Any of the following permissions grants access to the module.
+
+`dicom_archive_view_allsites`: 
+ - If `useAdvancedPermissions` is disabled, this permission gives access 
+ to all DICOMs in the database (backward compatible with projects not requiring a 
+ session ID to be defined).
+ - If `useAdvancedPermissions` is enabled, this permission gives access to 
+ all DICOMs as long as they are associated to a session and the session is affiliated
+ to a project that the user is affiliated with. When combined with 
+ `dicom_archive_nosessionid`, user gets access to their projects' data as well as 
+ DICOMs with no session ID associated.
+
+`dicom_archive_view_ownsites`: 
+ - If `useAdvancedPermissions` is disabled, this permission gives access 
+ to all DICOMs as long as they are associated to a session and the session is affiliated
+ to a site that the user is affiliated with. When combined with 
+ `dicom_archive_nosessionid`, user gets access to their sites' data as well as 
+ DICOMs with no session ID associated.
+ - If `useAdvancedPermissions` is enabled, this permission gives access to 
+ all DICOMs as long as they are associated to a session and the session is affiliated
+ to both a site and a project that the user is affiliated with. When combined with 
+ `dicom_archive_nosessionid`, user gets access to their sites' and projects' data as well as 
+ DICOMs with no session ID associated.
+
+Note that if you have access to the module, you will always see DICOMS uploaded by 
+your own user regardless of their site and project affiliation.
 
 ## Configurations
 
@@ -46,6 +73,14 @@ The `showTransferStatus` configuration option is obsolete and should
 not be used, but determines if a first "Transfer Status" column
 appears in the menu table.
 
+The `useAdvancedPermissions` configuration enables more advanced Site and 
+Project access control (Although Site permissions are enabled without this 
+configuration, "all sites" gives access to DICOMS with no Session ID if this 
+configuration is turned off). If enabled, users accessing the module can only see 
+DICOMs where a session ID has been found and are thus linked to the site and project 
+of the session AND the site and project match the user's. Access to DICOMs with no 
+session is granted by the `dicom_archive_nosessionid` permission (see permissions section)
+
 #### Install Configurations
 
 For downloading large DICOM files, it may be necessary to increase the 

modules/dicom_archive/php/dicom_archive.class.inc

@@ -15,6 +15,14 @@
  */
 namespace LORIS\dicom_archive;
 
+use LORIS\Data\Filters\CompositeORFilter;
+use LORIS\Data\Filters\CompositeANDFilter;
+use LORIS\Data\Filters\UserSiteMatch;
+use LORIS\Data\Filters\UserHasAnyPermission;
+use LORIS\Data\Filters\UserProjectMatch;
+use LORIS\Data\Filters\ResourceHasNoSession;
+use LORIS\Data\Filters\UserIsCreator;
+
 /**
  * Provides the PHP code for the menu filter for the dicom archive
  *
@@ -27,6 +35,7 @@ namespace LORIS\dicom_archive;
  */
 class Dicom_Archive extends \DataFrameworkMenu
 {
+    protected $dataSessionCanBeNull = true;
 
     /**
      * Determine whether the user has permission to view this page
@@ -37,7 +46,12 @@ class Dicom_Archive extends \DataFrameworkMenu
      */
     function _hasAccess(\User $user) : bool
     {
-        return $user->hasPermission('dicom_archive_view_allsites');
+        return $user->hasAnyPermission(
+            [
+                'dicom_archive_view_allsites',
+                'dicom_archive_view_ownsites',
+            ]
+        );
     }
 
     /**
@@ -59,7 +73,24 @@ class Dicom_Archive extends \DataFrameworkMenu
      */
     public function useProjectFilter() : bool
     {
-        return false;
+        // Only enable project filtering if the site project permissions are enabled
+        // to be compatible with projects not requiring a session ID for all DICOMS
+        $config           = \NDB_Factory::singleton()->config();
+        $siteprojectperms = $config->getSetting(
+            'useAdvancedPermissions'
+        );
+        return $siteprojectperms === 'true';
+    }
+
+    /**
+     * Determines which permissions (if any) allows the user access to resources
+     * where the project is null.
+     *
+     * @return ?array
+     */
+    public function nullSessionPermissionNames() : ?array
+    {
+        return ['dicom_archive_nosessionid'];
     }
 
     /**
@@ -92,6 +123,75 @@ class Dicom_Archive extends \DataFrameworkMenu
         return $provisioner;
     }
 
+    /**
+     * Return a data provisioner of the same type as BaseDataProvisioner, with
+     * default LORIS filters applied. A subclass may override this to remove (or
+     * change) filters.
+     *
+     * @return \LORIS\Data\Provisioner a provisioner with default filters added
+     */
+    public function getDataProvisionerWithFilters() : \LORIS\Data\Provisioner
+    {
+        $provisioner      = $this->getBaseDataProvisioner();
+        $allSitePerms     = $this->allSitePermissionNames();
+        $nullSessionPerms = $this->nullSessionPermissionNames();
+
+        // Set filter default returns based on if the data loaded by this module can
+        // have or not a null session
+        $defaultReturn = $this->dataSessionCanBeNull ? false : null;
+
+        //Default filter to User Site Match
+        $filter = new UserSiteMatch($defaultReturn);
+
+        //Combine filter with Null session permissions if data can have null sessions
+        if ($this->dataSessionCanBeNull) {
+            $filter = new CompositeORFilter(
+                $filter,
+                new CompositeANDFilter(
+                    new UserHasAnyPermission($nullSessionPerms),
+                    new ResourceHasNoSession(),
+                ),
+            );
+        }
+
+        // If the user has any of the All Site permissions, combine as an OR filter
+        if (!empty($allSitePerms)) {
+            $filter = new CompositeORFilter(
+                $filter,
+                new UserHasAnyPermission($allSitePerms),
+            );
+        }
+
+        // Check if module uses Project filters
+        if ($this->useProjectFilter()) {
+            //Default project filter to User Project Match
+            $projectFilter = new UserProjectMatch($defaultReturn);
+
+            // Check if resources with null project should be included in the results
+            if (!empty($nullSessionPerms)) {
+                $projectFilter = new CompositeORFilter(
+                    new CompositeANDFilter(
+                        new ResourceHasNoSession(),
+                        new UserHasAnyPermission($nullSessionPerms)
+                    ),
+                    new UserProjectMatch($defaultReturn)
+                );
+            }
+
+            $filter = new CompositeANDFilter($filter, $projectFilter);
+        }
+
+        // Final filter, check if the user looking at the data is the user that
+        // uploaded the data
+        $filter = new CompositeORFilter(
+            $filter,
+            new UserIsCreator(),
+        );
+
+        $provisioner = $provisioner->filter($filter);
+        return $provisioner;
+    }
+
     /**
      * Overrides base getJSDependencies() to add support for dicom specific
      * React column formatters.

modules/dicom_archive/php/dicomarchiveanonymizer.class.inc

@@ -99,10 +99,20 @@ class DICOMArchiveAnonymizer implements Mapper
         }
 
         if (!$resource instanceof \LORIS\StudyEntities\SiteHaver) {
-            return new DICOMArchiveRowWithoutSession($newrow);
+            '@phan-var object $resource';
+            return new DICOMArchiveRowWithoutSession(
+                $newrow,
+                $resource->CreatedBy()
+            );
         } else {
-            $cid = $resource->getCenterID();
-            return new DICOMArchiveRowWithSession($newrow, $cid);
+            '@phan-var object $resource';
+            return new DICOMArchiveRowWithSession(
+                $newrow,
+                $resource->getCenterID(),
+                $resource->getProjectID(),
+                $resource->getSessionID(),
+                $resource->CreatedBy()
+            );
         }
     }
 }

modules/dicom_archive/php/dicomarchiverowprovisioner.class.inc

@@ -56,7 +56,9 @@ class DicomArchiveRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvision
             t.TarchiveID AS TarchiveID,
             s.ID AS SessionID,
             s.CenterID AS CenterID,
-            m.IsPhantom AS IsPhantom
+            s.ProjectID AS ProjectID,
+            m.IsPhantom AS IsPhantom,
+            t.CreatingUser
             FROM tarchive t
                   LEFT JOIN session s ON (s.ID=t.SessionID)
                   LEFT JOIN candidate c ON (c.ID=s.CandidateID)
@@ -77,12 +79,23 @@ class DicomArchiveRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvision
      */
     public function getInstance($row) : \LORIS\Data\DataInstance
     {
-        if ($row['CenterID'] !== null) {
+        $creator = \User::factory($row['CreatingUser']);
+
+        if ($row['CenterID'] !== null
+            && $row['ProjectID'] !== null
+            && $row['SessionID'] !== null
+        ) {
             $cid = \CenterID::singleton(intval($row['CenterID']));
+            $pid = \ProjectID::singleton(intval($row['ProjectID']));
+            $sid = new \SessionID(strval($row['SessionID']));
             unset($row['CenterID']);
-            return new DICOMArchiveRowWithSession($row, $cid);
+            unset($row['ProjectID']);
+            unset($row['CreatingUser']);
+            return new DICOMArchiveRowWithSession($row, $cid, $pid, $sid, $creator);
         }
         unset($row['CenterID']);
-        return new DICOMArchiveRowWithoutSession($row);
+        unset($row['ProjectID']);
+        unset($row['CreatingUser']);
+        return new DICOMArchiveRowWithoutSession($row, $creator);
     }
 }

modules/dicom_archive/php/dicomarchiverowwithoutsession.class.inc

@@ -29,19 +29,43 @@ namespace LORIS\dicom_archive;
 class DICOMArchiveRowWithoutSession implements \LORIS\Data\DataInstance
 {
     protected $DBRow;
+    protected $CreatedBy;
+
 
     /**
      * Create a new DICOMArchiveRow without a session.
      *
      * Session-less DICOMArchiveRows do not have CenterIDs to be filtered
      * by.
      *
-     * @param array $row The row (in the same format as \Database::pselectRow
-     *                   returns)
+     * @param array $row     The row (in the same format as \Database::pselectRow
+     *                       returns)
+     * @param \User $creator The user who created this row
+     */
+    public function __construct(array $row, \User $creator)
+    {
+        $this->DBRow     = $row;
+        $this->CreatedBy = $creator;
+    }
+
+    /**
+     * Returns Null always since this class is specifically for no session IDs.
+     *
+     * @return ?\SessionID The SessionID
      */
-    public function __construct(array $row)
+    public function getSessionID(): ?\SessionID
     {
-        $this->DBRow = $row;
+        return null;
+    }
+
+    /**
+     * Return the User who created this row.
+     *
+     * @return \User The user who created this row
+     */
+    public function createdBy() : \User
+    {
+        return $this->CreatedBy;
     }
 
     /**
@@ -53,4 +77,6 @@ class DICOMArchiveRowWithoutSession implements \LORIS\Data\DataInstance
     {
         return $this->DBRow;
     }
+
+
 }