From 13ee60ee4c557a16007df7ce637bf67ea806c820 Mon Sep 17 00:00:00 2001 From: Nick Kennedy Date: Tue, 11 Aug 2020 11:09:12 +0000 Subject: [PATCH 1/3] Check user rights for form This check should prevent the access denied error described in #57. Currently always checks against the logged in user and ignores the "View project as user" option. --- ExternalModule.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ExternalModule.php b/ExternalModule.php index 4905b98..54e3d66 100644 --- a/ExternalModule.php +++ b/ExternalModule.php @@ -396,6 +396,7 @@ protected function loadFRSL($location, $record = null, $event_id = null, $instru $next_step_path = ''; $forms_access = $this->getFormsAccessMatrix($event_id, $record); + $user_rights_forms = reset(REDCap::getUserRights(USERID))['forms']; if ($record && $event_id && $instrument) { $instruments = $Proj->eventsForms[$event_id]; @@ -405,7 +406,7 @@ protected function loadFRSL($location, $record = null, $event_id = null, $instru $len = count($instruments); while ($i < $len) { - if ($curr_forms_access[$instruments[$i]]) { + if ($curr_forms_access[$instruments[$i]] && $user_rights_forms[$instruments[$i]]) { $next_instrument = $instruments[$i]; break; } From 61d19ca051844fdce21cb23e85a4afbc0fa3ea5d Mon Sep 17 00:00:00 2001 From: Nick Kennedy Date: Tue, 11 Aug 2020 18:00:12 +0000 Subject: [PATCH 2/3] Added code to handle impersonating users --- ExternalModule.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ExternalModule.php b/ExternalModule.php index 54e3d66..feca391 100644 --- a/ExternalModule.php +++ b/ExternalModule.php @@ -17,6 +17,7 @@ use Survey; use RCView; use REDCap; +use UserRights; /** * ExternalModule class for REDCap Form Render Skip Logic. 
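Review bot: `reset()` takes its argument by reference, so passing the return value of `REDCap::getUserRights(USERID)` straight into it on the added `$user_rights_forms` line raises an "Only variables should be passed by reference" notice. If the call returns an empty array, `reset()` yields `false` and `$user_rights_forms` ends up null. The new `&& $user_rights_forms[$instruments[$i]]` clause in the second hunk is then false for every instrument, so any account without a rights entry in the project would always be sent past every form; which accounts that covers should be confirmed. Hold the result in a variable and default to an empty array, e.g. `$rights = REDCap::getUserRights(USERID); $first = reset($rights);` then `$user_rights_forms = $first ? $first['forms'] : [];`, and test the key with `!empty($user_rights_forms[$instruments[$i]])`. The same `reset()` call is carried into the rewritten line in patch 2/3; the body of loadFRSL starts and ends outside these hunks.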
@@ -396,7 +397,8 @@ protected function loadFRSL($location, $record = null, $event_id = null, $instru $next_step_path = ''; $forms_access = $this->getFormsAccessMatrix($event_id, $record); - $user_rights_forms = reset(REDCap::getUserRights(USERID))['forms']; + $current_user = UserRights::isImpersonatingUser() ? UserRights::getUsernameImpersonating() : USERID; + $user_rights_forms = reset(REDCap::getUserRights($current_user))['forms']; if ($record && $event_id && $instrument) { $instruments = $Proj->eventsForms[$event_id]; From af8389f7ff19d8653c869b9665a3d945aea2ecbb Mon Sep 17 00:00:00 2001 From: Nick Kennedy Date: Tue, 11 Aug 2020 18:22:05 +0000 Subject: [PATCH 3/3] Fix for issue #68 Makes use of auto parameter when redirecting which instructs REDCap to replace the id with the correct one --- ExternalModule.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ExternalModule.php b/ExternalModule.php index feca391..af953e8 100644 --- a/ExternalModule.php +++ b/ExternalModule.php @@ -418,7 +418,7 @@ protected function loadFRSL($location, $record = null, $event_id = null, $instru if (isset($next_instrument)) { // Path to the next available form in the current event. - $next_step_path = APP_PATH_WEBROOT . 'DataEntry/index.php?pid=' . $Proj->project_id . '&id=' . $record . '&event_id=' . $event_id . '&page=' . $next_instrument; + $next_step_path = APP_PATH_WEBROOT . 'DataEntry/index.php?auto=1&pid=' . $Proj->project_id . '&id=' . $record . '&event_id=' . $event_id . '&page=' . $next_instrument; // If this is a repeating event, maintain the instance if ($Proj->hasRepeatingFormsEvents() && $instance) { 
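Review bot: If `UserRights::getUsernameImpersonating()` ever returns an empty value while `isImpersonatingUser()` is true, `REDCap::getUserRights($current_user)` would, as far as I recall its documented behaviour, return the rights of every project user. `reset()` would then silently take the first entry, so the skip decision would be made with an arbitrary user's form rights. Look the entry up by name and treat a missing entry as no access, e.g. `$rights = REDCap::getUserRights($current_user);` and `$user_rights_forms = isset($rights[$current_user]['forms']) ? $rights[$current_user]['forms'] : [];` (confirm the key casing REDCap uses). `UserRights` looks like a REDCap core class rather than part of the `REDCap` developer API, so a `method_exists('UserRights', 'isImpersonatingUser')` guard would keep the module from failing with a fatal error on versions that lack it. A short comment that this value only steers navigation, while REDCap itself still raises the access-denied error from #57 on the target page, would help later readers.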
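Review bot: `$record`, `$event_id` and `$next_instrument` are concatenated into the query string of `$next_step_path` without URL encoding, so a record name containing `&`, `#` or a space would change the parameters the redirect carries. Encode each value, e.g. `'&id=' . rawurlencode($record)`, here and on the `record_home.php` line of the second hunk. On that line `$arm` can come from `getQueryParam('arm', 1)` and should be cast with `(int)`. Separately, `auto=1` is now appended to every redirect, including those for records that already exist; since the commit message says it makes REDCap replace the id, it is worth confirming that an existing record's id is never swapped for a new one. The enclosing block continues outside the hunk.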
@@ -432,7 +432,7 @@ protected function loadFRSL($location, $record = null, $event_id = null, $instru if (!$forms_access[$record][$event_id][$instrument]) { if (!$next_step_path) { $arm = $event_id ? $Proj->eventInfo[$event_id]['arm_num'] : $this->getQueryParam('arm', 1); - $next_step_path = APP_PATH_WEBROOT . 'DataEntry/record_home.php?pid=' . $Proj->project_id . '&id=' . $record . '&arm=' . $arm; + $next_step_path = APP_PATH_WEBROOT . 'DataEntry/record_home.php?auto=1&pid=' . $Proj->project_id . '&id=' . $record . '&arm=' . $arm; } $this->redirect($next_step_path);