File orthanc-authorization.changes of Package orthanc-authorization
-------------------------------------------------------------------
Mon Aug 18 13:53:03 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- version 0.10.1
* Fix audit-logs export in CSV format.
* New configuration "ExtraPermissions" to ADD new permissions to
the default "Permissions" entries.
* Improved handling of "Anonymous" user profiles (when no auth-tokens
are provided): The plugin will now request the auth-service to
get an anonymous user profile even if there are no auth-tokens in the
HTTP request.
* The User profile can now contain a "groups" field if the auth-service
provides it.
* The User profile can now contain an "id" field if the auth-service
provides it.
* New experimental feature: audit-logs
- Enabled by the "EnableAuditLogs" configuration.
- Audit-logs are currently handled by the PostgreSQL plugin and can be
browsed through the route /auth/audit-logs.
- New default permission "audit-logs" to grant access to the
"/auth/audit-logs" route.
* Fix: The "server-id" field is now included in all requests sent to the
auth-service.
-------------------------------------------------------------------
Mon Jul 14 12:56:31 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- version 0.9.4
* Fixed a security issue: the entries in the cache token->permissions were kept too long in the cache
allowing users to have access to generic routes even with an expired token.
These entries are now stored for a maximum of 10 seconds.
Note that the validity duration of the token->user-profile entries is determined by the auth-service;
typically 60 seconds.
* New default permissions to Q&R remote modalities
* The /tokens/decode route now returns 2 additional fields:
"ResourcesDicomIds" and "ResourcesOrthancIds".
This will only work if the authorization service returns a "resources" field to the /tokens/decode route.
* Maintenance: Use Orthanc SDK 1.12.4 by default to benefit from more detailed logging.
* Fix default permission for /dicom-web/servers/../stow
* When calling /dicom-web/studies with a resource token when no StudyInstanceUID
is specified in the query args, the plugin now adds a filter on StudyInstanceUID=X|Y where
X & Y are the StudyInstanceUIDs of the resource token.
This will only work if the authorization service returns a "resources" field to the /tokens/decode route.
This notably prevents OHIF from displaying errors when requesting
prior studies while still preserving the security since only the authorized resources are returned.
-------------------------------------------------------------------
Mon May 5 19:26:55 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- Version 0.9.2
* When calling /dicom-web/studies with a resource token when no StudyInstanceUID
is specified in the query args, the plugin now returns an empty list of resources
instead of returning a 403. This notably prevents OHIF from displaying errors when requesting
prior studies while still preserving the security since no resources are returned.
* Added support for /dicom-web/studies/../thumbnail.
* static_build.patch removed (upstream)
-------------------------------------------------------------------
Thu Apr 10 17:08:28 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- version 0.9.1
* static_build.patch added
* The plugin is now using the HttpClient from the Orthanc core instead of its
own HttpClient which should enable support for https since the plugin
is not built with SSL support.
* New default permission to upload to ^/DICOM_WEB_ROOT/studies/([.0-9]+)
(https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=244)
-------------------------------------------------------------------
Thu Feb 27 18:14:19 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- version 0.9.0
* The plugin now filters out all unauthorized labels from the "Labels" fields
in the responses of these API routes:
- /tools/find
- /studies/{id} & similar routes
- /studies/{id}/series & similar routes
- /series/{id}/study & similar routes
- /series/{id}/labels & similar routes
In the past, this was only done in /tools/labels
* Allow using the auth-plugin together with "AuthenticationEnabled": true.
https://discourse.orthanc-server.org/t/user-based-access-control-with-label-based-resource-access/5454
* Added a default permission for /auth/tokens/volview-viewer-publication
* New standard configuration "volview"
-------------------------------------------------------------------
Fri Jan 24 11:54:53 UTC 2025 - Axel Braun <axel.braun@gmx.de>
- version 0.8.2
* initial OBS build