Merge pull request #756 from alvinleonard/751-fix-deletebyurl

Fix deleteByUrl to respect InCompartment Authorization
2017-11-22 19:19:32 -05:00 · 2017-11-22 19:19:32 -05:00 · 3aebfb575a
parent 5a8e88200b 2114dd7706
commit 3aebfb575a
2 changed files with 7 additions and 2 deletions
--- a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
+++ b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
@ -256,6 +256,7 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
 			ResourceTable entity = myEntityManager.find(ResourceTable.class, pid);
 			deletedResources.add(entity);
 			T resourceToDelete = toResource(myResourceType, entity, false);
 			validateOkToDelete(deleteConflicts, entity);
 			// Notify interceptors
@ -268,9 +269,9 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
 			// Perform delete
 			Date updateTime = new Date();
 			updateEntity(null, entity, updateTime, updateTime);
 	        resourceToDelete.setId(entity.getIdDt());
 			// Notify JPA interceptors
 			T resourceToDelete = toResource(myResourceType, entity, false);
 			if (theRequestDetails != null) {
 				theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
 				ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);
--- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
+++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
@ -84,7 +84,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 	/**
-	 * See #503
+	 * See #503 #751
 	 */
 	@Test
 	public void testDeleteIsAllowedForCompartment() {
@ -99,6 +99,9 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 		obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
 		IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
 		// create a 2nd observation to be deleted by url Observation?patient=id
        ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
 		Observation obsNotInCompartment = new Observation();
 		obsNotInCompartment.setStatus(ObservationStatus.FINAL);
 		IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
@ -115,6 +118,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 		});
 		ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
 		ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();
 		try {
 			ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();