CDR Tickets

Issue Number: 5354
Summary: Suppress ad-hoc query page for unprivileged users
Created: 2024-12-20 11:44:47
Issue Type: Improvement
Submitted By: Kline, Bob (NIH/NCI) [C]
Assigned To: Kline, Bob (NIH/NCI) [C]
Status: QA Verified
Resolved: 2024-12-20 12:18:11
Resolution: Fixed
Path: /home/bkline/backups/jira/ocecdr/issue.484517
Description

Prevent users who are not members of the Board Managers, CIAT/OCC, or Developers menu group from seeing or using the ad-hoc query page.

Acceptance criteria:

  1. log on to CDR admin using an account which is a member of at least one of the groups named above

  2. verify that the footer contains a link labeled Queries

  3. verify that the link brings up a separate browser tab with the title CDR Stored Database Queries

  4. confirm that stored queries can be selected and run, and that new queries can be run successfully

  5. run the query SELECT title FROM document WHERE id = 49 and confirm that it runs successfully

  6. submit the query UPDATE document SET title = 'bogus' WHERE id = 49 and confirm that it is rejected

  7. log off

  8. open https://cdr-qa.cancer.gov/cgi-bin/cdr/Admin.py?Session=guest in your browser (adjusting the URL to match the tier on which you are testing)

  9. verify that the Queries link does not appear in the footer

  10. open https://cdr-qa.cancer.gov/cgi-bin/cdr/CdrQueries.py?Session=guest in your browser (adjusting the URL to match the tier on which you are testing)

  11. confirm that the notification "Not permitted" is displayed
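The two controls the acceptance criteria exercise, as an added example written for this ticket and not the CDR project's own code (the group names, the sample queries and the "Not permitted" text come from the ticket; the function names and the comment-stripping rules are assumptions): a membership check decides whether the page is served at all, and a read-only validator rejects anything that is not a single SELECT.

```python
import re

# Menu groups whose members may see and use the ad-hoc query page (named in the ticket).
QUERY_GROUPS = frozenset({"Board Managers", "CIAT/OCC", "Developers"})
NOT_PERMITTED = "Not permitted"

# Keywords that must never reach the database from the ad-hoc page, even for
# privileged users. String literals are not parsed, so a literal containing one of
# these words is also rejected; the check errs on the side of refusing.
_WRITE_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|ALTER|CREATE|DROP|TRUNCATE|EXEC|EXECUTE|GRANT|REVOKE|INTO)\b",
    re.IGNORECASE,
)


def can_use_queries(user_groups):
    """True if the session's user belongs to at least one authorised menu group."""
    return not QUERY_GROUPS.isdisjoint(user_groups)


def strip_sql_comments(sql):
    """Remove -- line comments and /* */ block comments so they cannot hide a keyword."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql


def check_query(sql):
    """Return (ok, reason). Accept one SELECT (or CTE); reject anything that could write."""
    cleaned = strip_sql_comments(sql).strip().rstrip(";").strip()
    if not cleaned:
        return False, "empty query"
    if ";" in cleaned:
        return False, "multiple statements"
    if not re.match(r"(SELECT|WITH)\b", cleaned, re.IGNORECASE):
        return False, "only SELECT queries are allowed"
    if _WRITE_KEYWORDS.search(cleaned):
        return False, "data-modifying keyword"
    return True, "ok"


def handle_request(user_groups, sql):
    """Model the page: unprivileged users get "Not permitted"; others get a checked query."""
    if not can_use_queries(user_groups):
        return NOT_PERMITTED
    ok, reason = check_query(sql)
    return "ok" if ok else f"Rejected: {reason}"
```

The validator is a second layer only; the stronger control is to run the page's queries under a database login that has read rights and nothing else, so that a statement slipping past the text check still fails at the server.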

Comment entered 2024-12-20 11:45:39 by Kline, Bob (NIH/NCI) [C]

This has been implemented on CDR QA. Please test.

Comment entered 2024-12-20 12:18:03 by Osei-Poku, William (NIH/NCI) [C]

Verified on QA. Thanks!

Comment entered 2024-12-20 13:01:56 by Kline, Bob (NIH/NCI) [C]

Good, thanks. I'll get CBIIT to patch STAGE and we can have them re-run the scan. Will keep you posted.

Comment entered 2024-12-20 14:20:36 by Kline, Bob (NIH/NCI) [C]

NCI-RITM0569410 is the ticket for having CBIIT patch CDR STAGE. is the watcher.

Comment entered 2024-12-23 12:19:49 by Osei-Poku, William (NIH/NCI) [C]

It looks like CBIIT has patched STAGE. The acceptance criteria passed on STAGE. Let me know if I should inform CBIIT that the vulnerability has been addressed.
