Orthanc in a multiuser environment

I am running Orthanc to store and retrieve cardiac angiography and cardiac catheterisation studies over the department network. It is working very well for me. I wish to allow all the faculty (8 in no.) access to it, with the following restrictions -

  1. Everybody can upload the data to the server - the source of data is usually CDs with the cath data. The origin of the CDs can be from various sources - i.e. not only from our hospital.
  2. Only the person who uploads the data should be able to delete it - i.e. the series uploaded by a faculty should be deletable by him only.

As per https://book.orthanc-server.com/faq/improving-interface.html it appears it might not be possible to implement the above requirements, but I feel that with the Lua scripts and using the Orthanc REST API it might be. My thought process went as follows -

1 - each user has a separate userid and each user logs into Orthanc server using his/her userid and password.

2 - while storing the ‘patient’ data (which is usually in the form of CDs) to the Orthanc database (Upload), the username of the user is stored in one of the tags of Orthanc database. (I chose the ‘StationName’ tag to be modified to the userid - https://groups.google.com/d/msg/orthanc-users/m1rJ1OYIlV8/tvJWbX2gBAAJ).

3 - when one clicks delete patient - a check is required e.g. by using a Lua script with function IncomingHttpRequestFilter. In it, if the method is 'DELETE' one needs to execute a ‘curl’ command (probably using the os.execute() command in Lua) to read data pertaining to the patient being deleted.

I have been trying various ways to execute this - one of them is as under

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders, tags)
local loc="~/Orthanc/creds/call_curl" .. uri

os.execute('curl --netrc-file ~Orthanc/creds/creds "{loc}" -o ~/Orthanc/creds/temp')

but so far have not got it right. If I use
os.execute('curl -u : ""' -o file_name)
the execution just hangs and I have to press ctrl-C multiple times to get out of the block.

If the above succeeds, one needs to read the file where the output is stored (probably with file.read in Lua) and somehow extract the study id. Using the study id, another curl to ultimately find a series id. Using the series id, a curl command will store the details of the series in a file from which the ‘StationName’ can be extracted.

4 - If the ‘username’ (passed to the IncomingHttpRequestFilter) and the StationName are the same then the DELETE method is allowed, else it is not (i.e. ‘return true’ if username and StationName are equal).

Problems -
There is a Delete button for Patient, Study, Series and each instance. We need a check for these - It can be a check for presence of sequence ‘patients’ in the ‘uri’ passed to the function and returning false for everything but ‘patients’. (as I am interested in deleting the whole patient).

I am stuck at executing the curl command. Hope I am not going on a wild goose chase.

I am a surgeon by profession, so I might have made a lot of technical mistakes in the above text. Hope I was able to explain my thought properly and hope something can work out short of writing a new interface for Orthanc.

Well, this code is clearly problematic:

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders, tags)
local loc="~/Orthanc/creds/call_curl" .. uri

os.execute('curl --netrc-file ~Orthanc/creds/creds "{loc}" -o ~/Orthanc/creds/temp')

During the execution of this Lua script, Orthanc is actually not able to receive any other REST requests so it will never respond to curl…

You should actually use the Lua built-in methods to access the Orthanc REST API directly (from inside Orthanc).

That would probably look like:

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)

  if username == 'admin' then -- admin user can do anything
    return true
  elseif method == 'DELETE' and string.match(uri, '/patients/') then
    -- read the patient through the REST API from inside Orthanc (no curl)
    local patientInfo = ParseJson(RestApiGet(uri))

    print('user ' .. username .. ' is trying to delete PatientID: ' .. patientInfo["MainDicomTags"]["PatientID"])

    -- todo: return true/false according to your criteria ...

    return false
  elseif method == 'DELETE' then -- forbid all other deletes
    return false
  else -- everything else is allowed
    return true
  end
end
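
One way to fill in the "todo" of the filter in the reply above, added here as an example and not code from either poster or from the Orthanc project: it allows DELETE only on a whole patient, only when every instance's StationName equals the authenticated username, and denies whenever a lookup fails. It assumes StationName is overwritten on the server at upload time (a value taken as-is from the CD's files could be set by whoever produced them) and that `/patients/{id}/instances` and `/instances/{id}/simplified-tags` return JSON as in the Orthanc REST API; the helper names `getJson` and `ownsPatient` are hypothetical.

```lua
-- Added example, not the poster's or the Orthanc project's code.
-- Assumption: the upload step rewrites StationName to the authenticated
-- username on the server side, for every instance of the patient.
local ADMIN = 'admin'  -- same admin account name as in the reply above

-- Call the REST API from inside Orthanc; return nil on any failure.
local function getJson(path)
  local ok, body = pcall(RestApiGet, path)
  if not ok or body == nil then return nil end
  local parsed, value = pcall(ParseJson, body)
  if not parsed then return nil end
  return value
end

-- True only if every instance of the patient has StationName == username.
local function ownsPatient(patientUri, username)
  local instances = getJson(patientUri .. '/instances')
  if type(instances) ~= 'table' or #instances == 0 then return false end
  for _, instance in ipairs(instances) do
    local id = type(instance) == 'table' and instance['ID']
    if type(id) ~= 'string' then return false end
    local tags = getJson('/instances/' .. id .. '/simplified-tags')
    local station = type(tags) == 'table' and tags['StationName']
    if type(station) ~= 'string' then return false end
    -- DICOM string values may carry trailing padding; strip it first
    if (station:gsub('%s+$', '')) ~= username then return false end
  end
  return true
end

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  if method ~= 'DELETE' then return true end           -- reads/uploads allowed
  if username == nil or username == '' then return false end
  if username == ADMIN then return true end
  -- Anchored match: only /patients/<id>, not studies, series or instances
  local patientUri = string.match(uri, '^(/patients/[%w%-]+)/?$')
  if patientUri == nil then return false end
  return ownsPatient(patientUri, username)
end
```

Every failure path returns false, so a missing tag, an unknown patient or a malformed response blocks the delete instead of allowing it.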