From 39ae66de16d22c71626ba51e784089789b236fbc Mon Sep 17 00:00:00 2001
From: Jason Roberts
Date: Tue, 28 Sep 2021 08:35:04 -0400
Subject: [PATCH] Add tests for invalid inputs
---
 .../auth/SearchNarrowingInterceptorTest.java | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
index ed55c1394b6..e3b76672911 100644
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
@@ -306,6 +306,46 @@ public class SearchNarrowingInterceptorTest { assertNull(ourLastHitMethod); } + @Test + public void testNarrowObservationsByPatientContext_ClientRequestedBadParameter() { + + ourNextCompartmentList = new AuthorizedList().addCompartments("Patient/123", "Patient/456"); + + try { + ourClient + .search() + .forResource("Observation") + .where(Observation.PATIENT.hasAnyOfIds("Patient/")) + .execute(); + + fail("Expected a 403 error"); + } catch (ForbiddenOperationException e) { + assertEquals(Constants.STATUS_HTTP_403_FORBIDDEN, e.getStatusCode()); + } + + assertNull(ourLastHitMethod); + } + + @Test + public void testNarrowObservationsByPatientContext_ClientRequestedBadPermission() { + + ourNextCompartmentList = new AuthorizedList().addCompartments("Patient/"); + + try { + ourClient + .search() + .forResource("Observation") + .where(Observation.PATIENT.hasAnyOfIds("Patient/111", "Patient/777")) + .execute(); + + fail("Expected a 403 error"); + } catch (ForbiddenOperationException e) { + assertEquals(Constants.STATUS_HTTP_403_FORBIDDEN, e.getStatusCode()); + } + + assertNull(ourLastHitMethod); + } + private List toStrings(BaseAndListParam> theParams) { List> valuesAsQueryTokens = theParams.getValuesAsQueryTokens();
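Review bot: The second test is named `testNarrowObservationsByPatientContext_ClientRequestedBadPermission`, but the malformed value `"Patient/"` is put into the server-side `AuthorizedList` through `ourNextCompartmentList`, while the client asks for the well-formed `"Patient/111", "Patient/777"`; a name such as `testNarrowObservationsByPatientContext_AuthorizedListHasBadCompartment` would say what is actually being exercised. Neither test states why 403 is the required outcome, so I would add a comment above each `try`, for example `// A reference with no ID part must fail closed with 403, never be treated as matching any Patient`. Both tests finish with `assertNull(ourLastHitMethod)`, which only shows the resource provider was not reached if that static field is cleared before every test; the reset is not visible in this hunk, so please confirm it exists.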