[bot] Merge 25.7 to 25.11#1160
Open
github-actions[bot] wants to merge 3 commits into
#### Rationale

EHR_BillingManager.deleteBillingRuns() filtered the invoice, invoicedItems, and miscCharges tables by objectid/invoiceId alone, with no container clause. Since DeleteBillingPeriodAction only checks EHR_BillingAdminPermission in the current container, a billing admin in one container could delete invoices and invoiced items, or detach misc charges, in any other container by submitting foreign objectids. All filters are now container-scoped via SimpleFilter.createContainerFilter().

#### Related Pull Requests

* None

#### Changes

* EHR_BillingManager: all delete/preview filters in deleteBillingRuns() are now container-scoped via a new createContainerScopedInFilter() helper.
* EHR_BillingManager.TestCase: new integration test that seeds a complete billing run in each of two folders and verifies cross-container ids are ignored by both the testOnly preview and the actual delete, while same-container deletion still removes the run and detaches its misc charges.
* EHR_BillingModule: registers the test via getIntegrationTests().
…ner authz (#1152)

#### Rationale

Two related EHR security items surfaced during a security review.

(1) EHRDemographicsService serves animal records built under the elevated EHR service user (EHRService.getEHRUser), so callers receive aggregated demographic/derived fields regardless of their per-dataset / QCState row permissions — and many DemographicsProviders set _supportsQCState=false, applying no QCState filter at all. This is intended behavior (within an EHR study folder, Read access is the trust boundary for the demographics summary, which backs the shared EHR.DemographicsCache UIs), so it is now documented in code to prevent a future caller from re-exposing these records at a lower trust boundary.

(2) SetGeneticCalculationTaskSettingsAction enforced AdminPermission only on the request container while resolving and acting on a caller-supplied containerPath for the server-global genetic-calculation schedule, so a user who administers the request container could point the schedule at a container they do not administer. That gap is closed and covered by an integration test.

#### Related Pull Requests

* None

#### Changes

* Document elevated-access-by-design on EHRDemographicsServiceImpl.getAnimals and EHRController.GetDemographicsAction, warning callers not to forward these records to a lower trust boundary without re-securing them against the consuming user.
* Re-verify AdminPermission on the resolved target container in SetGeneticCalculationTaskSettingsAction and throw UnauthorizedException when the caller does not administer it.
* Add EHRController.TestCase, an integration test verifying that a user who administers the request container but not the resolved target is rejected while a user who administers the target succeeds; registered in EHRModule.getIntegrationTests().
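Both commit messages above describe the same defensive pattern: authorize against the container the resolved rows or target actually live in, not only the container the request arrived in. The following is an added illustration in LabKey's Java API, written for this page; it is not code from the EHR or EHR_Billing modules. The platform classes (SimpleFilter, Table, TableSelector, ContainerManager, AdminPermission, UnauthorizedException) are used as I know them from the LabKey API, and the method names, the "objectid" column, and the billing/schedule specifics are hypothetical placeholders standing in for the helpers the commits name.

```java
// Added illustration (not the project's code) of the two fixes described in
// the commit messages: container-scoped delete filters and re-checking
// AdminPermission on a caller-resolved target container. LabKey platform
// classes are assumed as known; EHR-specific names are placeholders.
import java.util.Collection;

import org.labkey.api.data.Container;
import org.labkey.api.data.ContainerManager;
import org.labkey.api.data.SimpleFilter;
import org.labkey.api.data.Table;
import org.labkey.api.data.TableInfo;
import org.labkey.api.data.TableSelector;
import org.labkey.api.query.FieldKey;
import org.labkey.api.security.User;
import org.labkey.api.security.permissions.AdminPermission;
import org.labkey.api.view.UnauthorizedException;

public class ContainerScopedAuthzExample
{
    // BEFORE (the vulnerable shape): the filter keys only on caller-supplied
    // ids, so rows in any container match as long as their ids are known.
    static SimpleFilter unscopedInFilter(String column, Collection<Integer> ids)
    {
        SimpleFilter filter = new SimpleFilter();
        filter.addInClause(FieldKey.fromParts(column), ids);
        return filter;
    }

    // AFTER: every clause is AND-ed with the current container, so a foreign
    // objectid simply matches nothing. Stands in for the
    // createContainerScopedInFilter() helper named in the commit (hypothetical signature).
    static SimpleFilter containerScopedInFilter(Container c, String column, Collection<Integer> ids)
    {
        SimpleFilter filter = SimpleFilter.createContainerFilter(c);
        filter.addInClause(FieldKey.fromParts(column), ids);
        return filter;
    }

    // Preview (testOnly) and the real delete share one filter, so the preview
    // can never report rows that the delete would refuse to touch.
    static long deleteRuns(Container c, TableInfo invoices, Collection<Integer> ids, boolean testOnly)
    {
        SimpleFilter filter = containerScopedInFilter(c, "objectid", ids);
        if (testOnly)
            return new TableSelector(invoices, filter, null).getRowCount();
        return Table.delete(invoices, filter);
    }

    // Second fix: the action already verified AdminPermission on the request
    // container; the target resolved from a caller-supplied path needs its own
    // check before anything is read from or written to it.
    static Container resolveAdministeredTarget(User user, String containerPath)
    {
        Container target = ContainerManager.getForPath(containerPath);
        if (target == null || !target.hasPermission(user, AdminPermission.class))
            throw new UnauthorizedException("Caller does not administer " + containerPath);
        return target;
    }
}
```

The integration tests the commits describe follow directly from this shape: seed one run in each of two folders, call deleteRuns() with both folders' ids while scoped to one folder, and assert that the other folder's rows survive in both the preview count and the real delete; for the schedule action, assert that resolveAdministeredTarget() throws for a user who administers only the request container.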
Generated automatically.
Merging changes from: 34d2839
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=25.11_fb_bot_merge_25.7