Modify the access control/authorization endpoint used by Orthanc (imaging servers) so that it includes the server ID in the URL
Presently, there is only a single authorization endpoint used by Orthanc to verify that users have permissions to access a resource. This architecture is limited in that the Orthanc advanced authorization plugin does not include a payload that identifies the server. The present authorization of resources, therefore, is not tied to a specific server instance.
The long-term solution to handling authorization for Orthanc services is to implement a "filter" method within the Sonador Orthanc plugin (see oak-tree/medical-imaging/orthanc-sonador#2 (closed) for details). A server-specific endpoint in Sonador should, however, be compatible with either the existing Osimis Advanced Authorization plugin or a custom filter method in the plugin.
Development tasks:

- Modify the existing URL pattern to include a {{ serverid }} parameter that can be used to retrieve the Orthanc instance which should be checked for permissions. The existing "global" path should be kept, but marked as "deprecated" (with a warning). The server instance for the global path should be taken from the "default" for the Sonador installation.
- Incorporate a "server" parameter in the existing permissions form so that it is possible to create access control policies (ACLs) for Orthanc resources and associate them with a specific group. For a POC implementation, I think it makes sense to utilize the built-in Django groups feature. If that is insufficient, we might look at either a secondary structure or a custom groups implementation.
- Implement a stub "access control policy" class that can be used to expose the ACL policy logic (similar to how wgtauth works) to system administrators so that custom policies can be written without needing to modify the source code of Sonador.
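An added sketch (not Sonador's code) of the shape these three tasks describe, in plain Python with no Django dependency: a resolver that accepts the new server-specific path and still serves the global path with a deprecation warning and the installation default, a group-based ACL entry tied to one server, and a policy base class an administrator could subclass. The path layout, the default server ID and the level/method fields are assumptions.

```python
import re
import warnings
from dataclasses import dataclass

DEFAULT_SERVER_ID = "orthanc-default"  # constructed; a deployment reads this from settings

# New server-specific endpoint, plus the old "global" endpoint kept for compatibility.
SERVER_AUTH_RE = re.compile(r"^/auth/servers/(?P<serverid>[\w-]+)/$")
GLOBAL_AUTH_RE = re.compile(r"^/auth/$")

def resolve_server_id(path, default=DEFAULT_SERVER_ID):
    """Return (server_id, deprecated); raise ValueError for an unknown path."""
    match = SERVER_AUTH_RE.match(path)
    if match:
        return match.group("serverid"), False
    if GLOBAL_AUTH_RE.match(path):
        warnings.warn("global authorization endpoint is deprecated; use "
                      "/auth/servers/<serverid>/", DeprecationWarning)
        return default, True
    raise ValueError(f"unknown authorization path: {path}")

@dataclass(frozen=True)
class AclEntry:
    server_id: str      # the Orthanc instance this rule is tied to
    group: str          # Django-style group name
    levels: frozenset   # DICOM levels, e.g. {"study", "series"}
    methods: frozenset  # HTTP methods, e.g. {"get"}

class AccessControlPolicy:
    """Hook for administrators: subclass and override is_allowed()."""
    def is_allowed(self, server_id, groups, level, method):
        raise NotImplementedError

class GroupAclPolicy(AccessControlPolicy):
    """Allow only when some entry matches server, group, level and method."""
    def __init__(self, entries):
        self._entries = tuple(entries)

    def is_allowed(self, server_id, groups, level, method):
        return any(e.server_id == server_id and e.group in groups
                   and level in e.levels and method in e.methods
                   for e in self._entries)

def authorize(policy, path, groups, level, method):
    """Deny by default: an unknown path is refused before the policy runs."""
    try:
        server_id, _ = resolve_server_id(path)
    except ValueError:
        return False
    return policy.is_allowed(server_id, groups, level, method)
```

Because the server ID is part of every entry, a group granted access on one Orthanc instance gets nothing on another, which is exactly the gap the single global endpoint leaves open.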
Due to the way that the current advanced authorization plugin works, permissions can only be applied to resources that are requested from the REST or the DICOMweb API.