Fix deleteByUrl to respect InCompartment Authorization

Moved the assignment of the resource to delete before the actual delete as it will be used by the authorization to determine if this resource is in the compartment.
2017-10-11 13:40:03 +11:00 · 2017-10-11 13:40:03 +11:00 · 6551eb0a4e
parent 432c511a30
commit 6551eb0a4e
2 changed files with 6 additions and 2 deletions
--- a/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
+++ b/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/dao/BaseHapiFhirResourceDao.java
@ -255,6 +255,7 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
 			deletedResources.add(entity);

 			validateOkToDelete(deleteConflicts, entity);
+			T resourceToDelete = toResource(myResourceType, entity, false);

 			// Notify interceptors
 			IdDt idToDelete = entity.getIdDt();
@ -268,7 +269,6 @@ public abstract class BaseHapiFhirResourceDao<T extends IBaseResource> extends B
 			updateEntity(null, entity, updateTime, updateTime);

 			// Notify JPA interceptors
-			T resourceToDelete = toResource(myResourceType, entity, false);
 			if (theRequestDetails != null) {
 				theRequestDetails.getRequestOperationCallback().resourceDeleted(resourceToDelete);
 				ActionRequestDetails requestDetails = new ActionRequestDetails(theRequestDetails, idToDelete.getResourceType(), idToDelete);
--- a/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
+++ b/hapi-fhir-jpaserver-base/src/test/java/ca/uhn/fhir/jpa/provider/dstu3/AuthorizationInterceptorResourceProviderDstu3Test.java
@ -84,7 +84,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 	

 	/**
-	 * See #503
+	 * See #503 #751
 	 */
 	@Test
 	public void testDeleteIsAllowedForCompartment() {
@ -99,6 +99,9 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 		obsInCompartment.getSubject().setReferenceElement(id.toUnqualifiedVersionless());
 		IIdType obsInCompartmentId = ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
 		
+		// create a 2nd observation to be deleted by url Observation?patient=id
+        ourClient.create().resource(obsInCompartment).execute().getId().toUnqualifiedVersionless();
+		
 		Observation obsNotInCompartment = new Observation();
 		obsNotInCompartment.setStatus(ObservationStatus.FINAL);
 		IIdType obsNotInCompartmentId = ourClient.create().resource(obsNotInCompartment).execute().getId().toUnqualifiedVersionless();
@ -115,6 +118,7 @@ public class AuthorizationInterceptorResourceProviderDstu3Test extends BaseResou
 		});
 		
 		ourClient.delete().resourceById(obsInCompartmentId.toUnqualifiedVersionless()).execute();
+		ourClient.delete().resourceConditionalByUrl("Observation?patient=" + id.toUnqualifiedVersionless()).execute();

 		try {
 			ourClient.delete().resourceById(obsNotInCompartmentId.toUnqualifiedVersionless()).execute();