From 626c6f855cf266badaf9a0c785865500387e6609 Mon Sep 17 00:00:00 2001
From: Jason Roberts
Date: Fri, 24 Sep 2021 14:57:05 -0400
Subject: [PATCH] handle queries on bare ids without explicit types
---
 .../auth/SearchNarrowingInterceptor.java | 9 ++++++++-
 .../auth/SearchNarrowingInterceptorTest.java | 20 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor.java
index 7295f483f72..30f0b79f0fb 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor.java
@@ -151,12 +151,19 @@ public class SearchNarrowingInterceptor {
 * requested, and the values that the user is allowed to see */
 String[] existingValues = newParameters.get(nextParamName);
+ List nextAllowedValueIds = nextAllowedValues
+ .stream()
+ .map(t -> t.lastIndexOf("/") > -1 ? t.substring(t.lastIndexOf("/") + 1) : t)
+ .collect(Collectors.toList());
 boolean restrictedExistingList = false;
 for (int i = 0; i < existingValues.length; i++) {
 String nextExistingValue = existingValues[i];
 List nextRequestedValues = QualifiedParamList.splitQueryStringByCommasIgnoreEscape(null, nextExistingValue);
- List nextPermittedValues = ListUtils.intersection(nextRequestedValues, nextAllowedValues);
+ List nextPermittedValues = ListUtils.union(
+ ListUtils.intersection(nextRequestedValues, nextAllowedValues),
+ ListUtils.intersection(nextRequestedValues, nextAllowedValueIds)
+ );
 if (nextPermittedValues.size() > 0) {
 restrictedExistingList = true;
 existingValues[i] = ParameterUtil.escapeAndJoinOrList(nextPermittedValues);
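Review bot: The bare ids accepted by the added `ListUtils.intersection(nextRequestedValues, nextAllowedValueIds)` branch are written back into `existingValues[i]` still untyped, so the narrowed search is no longer pinned to the resource type the caller was authorized for. If the downstream search resolves an untyped id on a reference parameter that accepts several target types, `456` authorized as `Patient/456` could match a different type with the same id; that resolution is not visible in this hunk, so treat it as a risk to confirm. A safer shape is to replace `nextAllowedValueIds` and the union with a loop that swaps each matched bare id for the qualified allowed value it came from, as sketched below, and to have the new test expect `Patient/456`. Separately, `lastIndexOf("/")` picks the wrong segment if the allowed list ever holds a versioned or absolute reference. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: existingValues lookup, loop header, nextRequestedValues split …
List<String> nextPermittedValues = new ArrayList<>();
for (String nextRequestedValue : nextRequestedValues) {
	if (nextAllowedValues.contains(nextRequestedValue)) {
		nextPermittedValues.add(nextRequestedValue);
	} else if (!nextRequestedValue.contains("/")) {
		// Bare id: forward the qualified value the caller is authorized for, never the untyped id
		for (String nextAllowedValue : nextAllowedValues) {
			if (nextAllowedValue.endsWith("/" + nextRequestedValue)) {
				nextPermittedValues.add(nextAllowedValue);
			}
		}
	}
}
// … unchanged: size check and escapeAndJoinOrList write-back …
```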
diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
index f66de116829..4a5e480c52c 100644
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptorTest.java
@@ -224,6 +224,26 @@ public class SearchNarrowingInterceptorTest {
 assertThat(toStrings(ourLastPatientParam), Matchers.contains("Patient/456", "Patient/456"));
 }
+ @Test
+ public void testNarrowObservationsByPatientContext_ClientRequestedSomeOverlap_ShortIds() {
+
+ ourNextCompartmentList = new AuthorizedList().addCompartments("Patient/123", "Patient/456");
+
+ ourClient
+ .search()
+ .forResource("Observation")
+ .where(Observation.PATIENT.hasAnyOfIds("456", "777"))
+ .and(Observation.PATIENT.hasAnyOfIds("456", "888"))
+ .execute();
+
+ assertEquals("Observation.search", ourLastHitMethod);
+ assertNull(ourLastIdParam);
+ assertNull(ourLastCodeParam);
+ assertNull(ourLastSubjectParam);
+ assertNull(ourLastPerformerParam);
+ assertThat(toStrings(ourLastPatientParam), Matchers.contains("456", "456"));
+ }
+
 @Test
 public void testNarrowObservationsByPatientContext_ClientRequestedSomeOverlap_UseSynonym() {
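Review bot: The added test covers only bare ids that overlap an authorized Patient, and its final assertion `Matchers.contains("456", "456")` pins the untyped value as the expected narrowed parameter. A companion case where none of the bare ids are authorized, for example `hasAnyOfIds("777", "888")` against the same compartment list, would confirm the short-id path still refuses the request the way the typed no-overlap case does; that typed test is not visible in this hunk, so mirror whatever it expects. A further case whose `AuthorizedList` mixes resource types sharing an id would document which type a bare id ends up matching.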