Fix deleteByUrl to respect InCompartment Authorization
Moved the assignment of the resource to delete before the actual delete as it will be used by the authorization to determine if this resource is in the compartment.
This commit is contained in:
parent
432c511a30
commit
6551eb0a4e
|
@ -255,6 +255,7 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
|
||||||
deletedResources.add(entity);
|
deletedResources.add(entity);
|
||||||
|
|
||||||
validateOkToDelete(deleteConflicts, entity);
|
validateOkToDelete(deleteConflicts, entity);
|
||||||
|
T resourceToDelete = toResource(myResourceType, entity, false);
|
||||||
|
|
||||||
// Notify interceptors
|
// Notify interceptors
|
||||||
IdDt idToDelete = entity.getIdDt();
|
IdDt idToDelete = entity.getIdDt();
|
||||||
|
@ -268,7 +269,6 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
|
||||||
updateEntity(null, entity, updateTime, updateTime);
|
updateEntity(null, entity, updateTime, updateTime);
|
||||||
|
|
||||||
// Notify JPA interceptors
|
// Notify JPA interceptors
|
||||||
T resourceToDelete = toResource(myResourceType, entity, false);
|
|
||||||
if (theRequestDetails != null) {
|
if (theRequestDetails != null) {
|
||||||
theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
|
theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
|
||||||
ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);
|
ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);
|
||||||
|
|
|
@ -84,7 +84,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* See #503
|
* See #503 #751
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
public void testDeleteIsAllowedForCompartment() {
|
public void testDeleteIsAllowedForCompartment() {
|
||||||
|
@ -99,6 +99,9 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
|
||||||
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
|
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
|
||||||
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
|
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
|
||||||
|
|
||||||
|
// create a 2nd observation to be deleted by url Observation?patient=id
|
||||||
|
ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
|
||||||
|
|
||||||
Observation obsNotInCompartment = new Observation();
|
Observation obsNotInCompartment = new Observation();
|
||||||
obsNotInCompartment.setStatus(ObservationStatus.FINAL);
|
obsNotInCompartment.setStatus(ObservationStatus.FINAL);
|
||||||
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
|
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
|
||||||
|
@ -115,6 +118,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
|
||||||
});
|
});
|
||||||
|
|
||||||
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
|
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
|
||||||
|
ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();
|
ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();
|
||||||
|
|
Loading…
Reference in New Issue