Allow transactions and batches with transaction permission in

AuthorizationInterceptor

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java

@@ -83,7 +83,8 @@ public interface IAuthRuleBuilderRule {
 
 	/**
 	 * This rule applies to the FHIR transaction operation. Transaction is a special
-	 * case in that it bundles other operations
+	 * case in that it bundles other operations. This permission also allows FHIR
+	 * batch to be performed.
 	 */
 	IAuthRuleBuilderRuleTransaction transaction();
 

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java

@@ -223,7 +223,6 @@ public class RuleBuilder implements IAuthRuleBuilder {
 
 		@Override
 		public IAuthRuleBuilderRuleTransaction transaction() {
-			myRuleOp = RuleOpEnum.TRANSACTION;
 			return new RuleBuilderRuleTransaction();
 		}
 
@@ -520,11 +519,20 @@ public class RuleBuilder implements IAuthRuleBuilder {
 
 				@Override
 				public IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules() {
+					// Allow transaction
 					RuleImplOp rule = new RuleImplOp(myRuleName);
 					rule.setMode(myRuleMode);
-					rule.setOp(myRuleOp);
+					rule.setOp(RuleOpEnum.TRANSACTION);
 					rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
 					myRules.add(rule);
+
+					// Allow batch
+					rule = new RuleImplOp(myRuleName);
+					rule.setMode(myRuleMode);
+					rule.setOp(RuleOpEnum.BATCH);
+					rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
+					myRules.add(rule);
+
 					return new RuleBuilderFinished(rule);
 				}
 

hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java

@@ -262,7 +262,7 @@ public class AuthorizationInterceptorDstu2Test {
 		httpPost.setEntity(createFhirResourceEntity(input));
 		status = ourClient.execute(httpPost);
 		extractResponseAndClose(status);
-		assertEquals(403, status.getStatusLine().getStatusCode());
+		assertEquals(200, status.getStatusLine().getStatusCode());
 	}
 
 	@Test

hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorDstu3Test.java

@@ -495,7 +495,7 @@ public class AuthorizationInterceptorDstu3Test {
 		httpPost.setEntity(createFhirResourceEntity(input));
 		status = ourClient.execute(httpPost);
 		extractResponseAndClose(status);
-		assertEquals(403, status.getStatusLine().getStatusCode());
+		assertEquals(200, status.getStatusLine().getStatusCode());
 	}
 
 	@Test

hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java

@@ -469,7 +469,7 @@ public class AuthorizationInterceptorR4Test {
 	}
 
 	@Test
-	public void testBatchWhenOnlyTransactionAllowed() throws Exception {
+	public void testBatchAllowed() throws Exception {
 		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
 			@Override
 			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
@@ -498,7 +498,7 @@ public class AuthorizationInterceptorR4Test {
 		httpPost.setEntity(createFhirResourceEntity(input));
 		status = ourClient.execute(httpPost);
 		extractResponseAndClose(status);
-		assertEquals(403, status.getStatusLine().getStatusCode());
+		assertEquals(200, status.getStatusLine().getStatusCode());
 	}
 
 	@Test

src/changes/changes.xml

@@ -95,6 +95,11 @@
 				When using the testpage overlay to delete a resource, currently a crash can occur
 				if an unqualified ID is placed in the ID text box. This has been corrected.
 			</action>
+			<action type="fix">
+				AuthorizationInterceptor did not allow FHIR batch operations when the transaction() 
+				permission is granted. This has been corrected so that transaction() allows both
+				batch and transaction requests to proceed.
+			</action>
 		</release>
 
 		<release version="3.5.0" date="2018-09-17">