honeymoose
/
hapi-fhir
mirror of https://github.com/hapifhir/hapi-fhir.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix #503 - Checking authorization again patient compartment fails with delete operation

This commit is contained in:
James Agnew 2017-01-13 11:06:00 -05:00
parent af32c4b7e9
commit 37c40c4f9e
3 changed files with 85 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
View File

@ -183,6 +183,8 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
throw new ResourceVersionConflictException("Trying to delete " + theId + " but this is not the current version"); throw new ResourceVersionConflictException("Trying to delete " + theId + " but this is not the current version");
} }
T resourceToDelete = toResource(myResourceType, entity, false);
validateOkToDelete(deleteConflicts, entity); validateOkToDelete(deleteConflicts, entity);
// Notify interceptors // Notify interceptors
@ -197,7 +199,6 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
// Notify JPA interceptors // Notify JPA interceptors
if (theRequestDetails != null) { if (theRequestDetails != null) {
ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, getContext(), theId.getResourceType(), theId); ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, getContext(), theId.getResourceType(), theId);
T resourceToDelete = toResource(myResourceType, entity, false);
theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete); theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
for (IServerInterceptor next : getConfig().getInterceptors()) { for (IServerInterceptor next : getConfig().getInterceptors()) {
if (next instanceof IJpaServerInterceptor) { if (next instanceof IJpaServerInterceptor) {

76
hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
View File

@ -15,7 +15,10 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType; import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity; import org.apache.http.entity.StringEntity;
import org.hl7.fhir.dstu3.model.IdType; import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.dstu3.model.Observation;
import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
import org.hl7.fhir.dstu3.model.Patient; import org.hl7.fhir.dstu3.model.Patient;
import org.hl7.fhir.instance.model.api.IIdType;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.Test; import org.junit.Test;
@ -55,6 +58,79 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
} }
} }
/**
* See #503
*/
@Test
public void testDeleteIsBlocked() {
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder()
.deny().delete().allResources().withAnyId().andThen()
.allowAll()
.build();
}
});
Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad");
IIdType id = ourClient.create().resource(patient).execute().getId();
try {
ourClient.delete().resourceById(id.toUnqualifiedVersionless()).execute();
fail();
} catch (ForbiddenOperationException e) {
// good
}
patient = ourClient.read().resource(Patient.class).withId(id.toUnqualifiedVersionless()).execute();
assertEquals(id.getValue(), patient.getId());
}
/**
* See #503
*/
@Test
public void testDeleteIsAllowedForCompartment() {
Patient patient = new Patient();
patient.addIdentifier().setSystem("http://uhn.ca/mrns").setValue("100");
patient.addName().setFamily("Tester").addGiven("Raghad");
final IIdType id = ourClient.create().resource(patient).execute().getId();
Observation obsInCompartment = new Observation();
obsInCompartment.setStatus(ObservationStatus.FINAL);
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
Observation obsNotInCompartment = new Observation();
obsNotInCompartment.setStatus(ObservationStatus.FINAL);
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
ourRestServer.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
@Override
public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
return new RuleBuilder()
.allow().delete().resourcesOfType(Observation.class).inCompartment("Patient", id).andThen()
.deny().delete().allResources().withAnyId().andThen()
.allowAll()
.build();
}
});
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
try {
ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();
fail();
} catch (ForbiddenOperationException e) {
// good
}
}
@Test @Test
public void testCreateConditional() { public void testCreateConditional() {

7
src/changes/changes.xml
View File

@ -185,6 +185,13 @@
framework was not actually useful. Thanks to GitHub user framework was not actually useful. Thanks to GitHub user
@mattiuusitalo for reporting! @mattiuusitalo for reporting!
</action> </action>
<action type="fix" issue="503">
AuthorizationInterceptor on JPA server did not correctly
apply rules on deleting resources in a specific compartment
because the resource metadata was stripped by the JPA server
before the interceptor could see it. Thanks to
GitHub user @eevaturkka for reporting!
</action>
</release> </release>
<release version="2.1" date="2016-11-11"> <release version="2.1" date="2016-11-11">
<action type="add"> <action type="add">