From 6551eb0a4eb5d640d81abdf2439dea24a3047b15 Mon Sep 17 00:00:00 2001
From: Alvin Leonard
Date: Wed, 11 Oct 2017 13:40:03 +1100
Subject: [PATCH] Fix deleteByUrl to respect InCompartment Authorization
Moved the assignment of the resource to delete before the actual delete as it will be used by the authorization to determine if this resource is in the compartment.
---
 .../java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java | 2 +-
 .../AuthorizationInterceptorResourceProviderDstu3Test.java | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
index 2c483a06092..46357a02595 100644
--- a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
+++ b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
@@ -255,6 +255,7 @@ public abstract class BaseHapiFhirResourceDao extends B
 deletedResources.add(entity);
 validateOkToDelete(deleteConflicts, entity);
+ T resourceToDelete = toResource(myResourceType, entity, false);
 // Notify interceptors
 IdDt idToDelete = entity.getIdDt();
@@ -268,7 +269,6 @@ public abstract class BaseHapiFhirResourceDao extends B
 updateEntity(null, entity, updateTime, updateTime);
 // Notify JPA interceptors
- T resourceToDelete = toResource(myResourceType, entity, false);
 if (theRequestDetails != null) {
 theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
 ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);
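Review bot: The added `T resourceToDelete = toResource(myResourceType, entity, false);` after `validateOkToDelete(...)` must now stay ahead of `updateEntity(null, entity, updateTime, updateTime)` in the second hunk, but nothing in the code records that ordering requirement. The commit message says the authorization check reads this resource to decide compartment membership, so a later tidy-up that moves the conversion back next to `resourceDeleted(resourceToDelete)` would presumably break the compartment check again without any compile error. I would add a comment above the line, e.g. `// Convert before updateEntity(null, ...): authorization rules need the pre-delete content to evaluate compartment membership`. The visible lines also show `resourceDeleted(...)` running after `updateEntity(...)`, so a denial raised there presumably depends on the surrounding transaction rolling back; that is worth confirming, since the enclosing method starts and ends outside the hunk.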
diff --git a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
index cddc9ccd802..48c68698726 100644
--- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
+++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
@@ -84,7 +84,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 /**
- * See #503
+ * See #503 #751
 */
 @Test
 public void testDeleteIsAllowedForCompartment() {
@@ -99,6 +99,9 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
 IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
+ // create a 2nd observation to be deleted by url Observation?patient=id
+ ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
+
 Observation obsNotInCompartment = new Observation();
 obsNotInCompartment.setStatus(ObservationStatus.FINAL);
 IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
@@ -115,6 +118,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 });
 ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
+ ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();
 try {
 ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();
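Review bot: The added `ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();` builds an ID and then discards it. Keeping it in a local, e.g. `IIdType secondObsInCompartmentId = ourClient.create()...`, would let the test confirm afterwards that the conditional delete really removed this observation rather than matching nothing. If the ID is not needed, the trailing `.getId().toUnqualifiedVersionless()` can simply be dropped. The test method starts and ends outside the hunk.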
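Review bot: The added `resourceConditionalByUrl("Observation?patient=" + ...)` call only exercises the allowed path, and it passes as long as no exception is thrown. Because this change concerns authorization on conditional delete, the test should also cover the denied path: a conditional delete whose search matches `obsNotInCompartment` should be rejected in the same way as the `resourceById(obsNotInCompartmentId...)` case in the `try` block that follows, with the observation still readable afterwards. A URL that matches both in-compartment and out-of-compartment resources is worth a case of its own, to pin that the whole delete is refused rather than partially applied. The `try` block continues outside the hunk, so the expected exception type is not visible here.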