diff --git a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java index 962409f2309..0e87ed5be21 100644 --- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java +++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorResourceProviderR4Test.java @@ -102,7 +102,7 @@ public class AuthorizationInterceptorResourceProviderR4Test extends BaseResource } @Test - public void testCreateConditional() { + public void testUpdateConditional() { Patient patient = new Patient(); patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); @@ -150,6 +150,68 @@ public class AuthorizationInterceptorResourceProviderR4Test extends BaseResource } + @Test + public void testCreateConditionalViaTransaction() { + ourRestServer.getInterceptorService().registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) { + @Override + public List buildRuleList(RequestDetails theRequestDetails) { + return new RuleBuilder() + .allow().createConditional().resourcesOfType("Patient").andThen() + .build(); + } + }); + + // Create a patient (allowed) + { + Patient patient = new Patient(); + patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); + patient.addName().setFamily("Tester").addGiven("Raghad"); + + Bundle request = new Bundle(); + request.setType(Bundle.BundleType.TRANSACTION); + request.addEntry() + .setResource(patient) + .getRequest() + .setMethod(Bundle.HTTPVerb.POST) + .setIfNoneExist("Patient?identifier=http://uhn.ca/mrns|100"); + Bundle response = ourClient.transaction().withBundle(request).execute(); + ourLog.info(myFhirCtx.newJsonParser().setPrettyPrint(true).encodeResourceToString(response)); + + try { + ourClient.update().resource(patient).execute(); + fail(); + } catch (ForbiddenOperationException e) { + assertEquals("HTTP 403 Forbidden: Access denied by default policy (no applicable rules)", e.getMessage()); + } + } + + // Create a patient (blocked) + { + Patient patient = new Patient(); + patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100"); + patient.addName().setFamily("Tester").addGiven("Raghad"); + + Bundle request = new Bundle(); + request.setType(Bundle.BundleType.TRANSACTION); + request.addEntry() + .setResource(patient) + .getRequest() + .setMethod(Bundle.HTTPVerb.POST) + .setIfNoneExist("Patient?identifier=http://uhn.ca/mrns|100"); + Bundle response = ourClient.transaction().withBundle(request).execute(); + ourLog.info(myFhirCtx.newJsonParser().setPrettyPrint(true).encodeResourceToString(response)); + + try { + ourClient.update().resource(patient).execute(); + fail(); + } catch (ForbiddenOperationException e) { + assertEquals("HTTP 403 Forbidden: Access denied by default policy (no applicable rules)", e.getMessage()); + } + } + + } + + @Test public void testReadInTransaction() { diff --git a/hapi-fhir-structures-dstu2.1/src/main/java/org/hl7/fhir/dstu2016may/hapi/rest/server/Dstu2_1BundleFactory.java b/hapi-fhir-structures-dstu2.1/src/main/java/org/hl7/fhir/dstu2016may/hapi/rest/server/Dstu2_1BundleFactory.java index cf5e7800631..4e9294e2924 100644 --- a/hapi-fhir-structures-dstu2.1/src/main/java/org/hl7/fhir/dstu2016may/hapi/rest/server/Dstu2_1BundleFactory.java +++ b/hapi-fhir-structures-dstu2.1/src/main/java/org/hl7/fhir/dstu2016may/hapi/rest/server/Dstu2_1BundleFactory.java @@ -165,7 +165,7 @@ public class Dstu2_1BundleFactory implements IVersionSpecificBundleFactory { List addedResourcesThisPass = new ArrayList(); for (ResourceReferenceInfo nextRefInfo : references) { - if (!theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { + if (theBundleInclusionRule != null && !theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { continue; } diff --git a/hapi-fhir-structures-dstu3/src/main/java/org/hl7/fhir/dstu3/hapi/rest/server/Dstu3BundleFactory.java b/hapi-fhir-structures-dstu3/src/main/java/org/hl7/fhir/dstu3/hapi/rest/server/Dstu3BundleFactory.java index 1580395de52..d4f4fb106b0 100644 --- a/hapi-fhir-structures-dstu3/src/main/java/org/hl7/fhir/dstu3/hapi/rest/server/Dstu3BundleFactory.java +++ b/hapi-fhir-structures-dstu3/src/main/java/org/hl7/fhir/dstu3/hapi/rest/server/Dstu3BundleFactory.java @@ -169,7 +169,7 @@ public class Dstu3BundleFactory implements IVersionSpecificBundleFactory { List addedResourcesThisPass = new ArrayList(); for (ResourceReferenceInfo nextRefInfo : references) { - if (!theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { + if (theBundleInclusionRule != null && !theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { continue; } diff --git a/hapi-fhir-structures-r4/src/main/java/org/hl7/fhir/r4/hapi/rest/server/R4BundleFactory.java b/hapi-fhir-structures-r4/src/main/java/org/hl7/fhir/r4/hapi/rest/server/R4BundleFactory.java index 98a0f7575e9..63aafe2e47e 100644 --- a/hapi-fhir-structures-r4/src/main/java/org/hl7/fhir/r4/hapi/rest/server/R4BundleFactory.java +++ b/hapi-fhir-structures-r4/src/main/java/org/hl7/fhir/r4/hapi/rest/server/R4BundleFactory.java @@ -169,7 +169,7 @@ public class R4BundleFactory implements IVersionSpecificBundleFactory { List addedResourcesThisPass = new ArrayList(); for (ResourceReferenceInfo nextRefInfo : references) { - if (!theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { + if (theBundleInclusionRule != null && !theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { continue; } diff --git a/hapi-fhir-structures-r5/src/main/java/org/hl7/fhir/r5/hapi/rest/server/R5BundleFactory.java b/hapi-fhir-structures-r5/src/main/java/org/hl7/fhir/r5/hapi/rest/server/R5BundleFactory.java index 938eb5c8365..7e72bcb6bd6 100644 --- a/hapi-fhir-structures-r5/src/main/java/org/hl7/fhir/r5/hapi/rest/server/R5BundleFactory.java +++ b/hapi-fhir-structures-r5/src/main/java/org/hl7/fhir/r5/hapi/rest/server/R5BundleFactory.java @@ -169,7 +169,7 @@ public class R5BundleFactory implements IVersionSpecificBundleFactory { List addedResourcesThisPass = new ArrayList(); for (ResourceReferenceInfo nextRefInfo : references) { - if (!theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { + if (theBundleInclusionRule != null && !theBundleInclusionRule.shouldIncludeReferencedResource(nextRefInfo, theIncludes)) { continue; }