Fix deleteByUrl to respect InCompartment Authorization

Moved the assignment of the resource to delete before the actual delete as it will be used by the authorization to determine if this resource is in the compartment.
This commit is contained in:
Alvin Leonard 2017-10-11 13:40:03 +11:00
parent 432c511a30
commit 6551eb0a4e
2 changed files with 6 additions and 2 deletions

View File

@ -255,6 +255,7 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
deletedResources.add(entity); deletedResources.add(entity);
validateOkToDelete(deleteConflicts, entity); validateOkToDelete(deleteConflicts, entity);
T resourceToDelete = toResource(myResourceType, entity, false);
// Notify interceptors // Notify interceptors
IdDt idToDelete = entity.getIdDt(); IdDt idToDelete = entity.getIdDt();
@ -268,7 +269,6 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
updateEntity(null, entity, updateTime, updateTime); updateEntity(null, entity, updateTime, updateTime);
// Notify JPA interceptors // Notify JPA interceptors
T resourceToDelete = toResource(myResourceType, entity, false);
if (theRequestDetails != null) { if (theRequestDetails != null) {
theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete); theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete); ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);

View File

@ -84,7 +84,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
/** /**
* See #503 * See #503 #751
*/ */
@Test @Test
public void testDeleteIsAllowedForCompartment() { public void testDeleteIsAllowedForCompartment() {
@ -99,6 +99,9 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless()); obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless(); IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
// create a 2nd observation to be deleted by url Observation?patient=id
ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
Observation obsNotInCompartment = new Observation(); Observation obsNotInCompartment = new Observation();
obsNotInCompartment.setStatus(ObservationStatus.FINAL); obsNotInCompartment.setStatus(ObservationStatus.FINAL);
IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless(); IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
@ -115,6 +118,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
}); });
ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute(); ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();
try { try {
ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute(); ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();