Check for ALL permissions as well as PATCH.

hapi-fhir-jpaserver-test-r4/src/test/java/ca/uhn/fhir/jpa/provider/r4/AuthorizationInterceptorJpaR4Test.java

@@ -1919,6 +1919,7 @@ public class AuthorizationInterceptorJpaR4Test extends BaseResourceProviderR4Tes
 			return new RuleBuilder()
 				.allow().transaction().withAnyOperation().andApplyNormalRules().andThen()
 				.allow().write().allResources().withAnyId().andThen()
+				.allow().patch().allRequests().andThen()
 				.build();
 		}
 	}

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java

@@ -174,17 +174,19 @@ public class AuthorizationInterceptor implements IRuleApplier {
 				getResourceTypeOrEmpty(theInputResource),
 				getResourceTypeOrEmpty(theOutputResource));
 
-
 		Verdict verdict = null;
 
-		// LUKETODO:  try to just check for FHIR_PATCH if this is a FHIR_PATCH and if it's not there, then return a deny verdict
+		// LUKETODO:  explicitly rule out superuser
 		if (theOperation == RestOperationTypeEnum.PATCH) {
-//			if (rules.stream()
-//				.filter(RuleImplOp.class::isInstance)
-//				.map(RuleImplOp.class::cast)
-//				.noneMatch(rule -> rule.getOp() == RuleOpEnum.PATCH)) {
-			if (rules.stream()
-				.noneMatch(RuleImplPatch.class::isInstance)) {
+			//			if (rules.stream()
+			//				.filter(RuleImplOp.class::isInstance)
+			//				.map(RuleImplOp.class::cast)
+			//				.noneMatch(rule -> rule.getOp() == RuleOpEnum.PATCH)) {
+			if (rules.stream().noneMatch(RuleImplPatch.class::isInstance)
+					&& rules.stream()
+							.filter(RuleImplOp.class::isInstance)
+							.map(RuleImplOp.class::cast)
+							.noneMatch(rule -> rule.getOp() == RuleOpEnum.ALL)) {
 				// LUKETODO:  this results in a 403 but is that what we want?
 				verdict = new Verdict(PolicyEnum.DENY, null);
 			}
@@ -194,14 +196,14 @@ public class AuthorizationInterceptor implements IRuleApplier {
 			for (IAuthRule nextRule : rules) {
 				ourLog.trace("Rule being applied - {}", nextRule);
 				verdict = nextRule.applyRule(
-					theOperation,
-					theRequestDetails,
-					theInputResource,
-					theInputResourceId,
-					theOutputResource,
-					this,
-					flags,
-					thePointcut);
+						theOperation,
+						theRequestDetails,
+						theInputResource,
+						theInputResourceId,
+						theOutputResource,
+						this,
+						flags,
+						thePointcut);
 				if (verdict != null) {
 					ourLog.trace("Rule {} returned decision {}", nextRule, verdict.getDecision());
 					break;

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java

@@ -842,7 +842,7 @@ public class RuleBuilder implements IAuthRuleBuilder {
 				ruleImplOp.setMode(myRuleMode);
 				ruleImplOp.setOp(RuleOpEnum.PATCH);
 				ruleImplOp.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
-//				myRules.add(ruleImplOp);
+				//				myRules.add(ruleImplOp);
 				myRules.add(rule);
 				return new RuleBuilderFinished(ruleImplOp);
 			}

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java

@@ -349,16 +349,16 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 							theRuleApplier);
 				}
 				return null;
-//			case PATCH:
-//				// LUKETODO:  ?
-//				// LUKETODO:  do we need applies to types to correspond to
-//				target.resource = null;
-//				if (theInputResourceId != null) {
-//					target.resourceIds = Collections.singletonList(theInputResourceId);
-//				} else {
-//					return null;
-//				}
-//				break;
+				//			case PATCH:
+				//				// LUKETODO:  ?
+				//				// LUKETODO:  do we need applies to types to correspond to
+				//				target.resource = null;
+				//				if (theInputResourceId != null) {
+				//					target.resourceIds = Collections.singletonList(theInputResourceId);
+				//				} else {
+				//					return null;
+				//				}
+				//				break;
 			default:
 				// Should not happen
 				throw new IllegalStateException(