diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java
index 11232a081db..500a19d11a6 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java
@@ -593,7 +593,8 @@ public class AuthorizationInterceptor implements IRuleApplier {
 }
 
 @Nonnull
- public static List toListOfResourcesAndExcludeContainer(IBaseResource theResponseObject, FhirContext fhirContext) {
+ public static List toListOfResourcesAndExcludeContainer(
+ IBaseResource theResponseObject, FhirContext fhirContext) {
 List retVal;
 retVal = fhirContext.newTerser().getAllPopulatedChildElementsOfType(theResponseObject, IBaseResource.class);
 
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/OperationRule.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/OperationRule.java
index 73dec1baf2b..e45185fb4ec 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/OperationRule.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/OperationRule.java
@@ -98,14 +98,6 @@ class OperationRule extends BaseRule implements IAuthRule {
 Pointcut thePointcut) {
 FhirContext ctx = theRequestDetails.getServer().getFhirContext();
 
- // Operation rules apply to the execution of the operation itself, not to side effects like
- // loading resources (that will presumably be reflected in the response). Those loads need
- // to be explicitly authorized
- if (!myAllowAllResourcesAccess && isResourceAccess(thePointcut)) {
-// return null;
- // FIXME: remove
- }
-
 boolean applies = false;
 switch (theOperation) {
 case EXTENDED_OPERATION_SERVER:
@@ -174,26 +166,28 @@ class OperationRule extends BaseRule implements IAuthRule {
 if (theOutputResource == null) {
 // This is the request part
 return newVerdict(
- theOperation,
- theRequestDetails,
- theInputResource,
- theInputResourceId,
- theOutputResource,
- theRuleApplier);
- } else {
- // This is the response part, so we might want to check all of the
- // resources in the response
- if (myAllowAllResponses) {
- return newVerdict(
 theOperation,
 theRequestDetails,
 theInputResource,
 theInputResourceId,
 theOutputResource,
 theRuleApplier);
+ } else {
+ // This is the response part, so we might want to check all of the
+ // resources in the response
+ if (myAllowAllResponses) {
+ return newVerdict(
+ theOperation,
+ theRequestDetails,
+ theInputResource,
+ theInputResourceId,
+ theOutputResource,
+ theRuleApplier);
 } else {
- List outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainer( theOutputResource, theRequestDetails.getFhirContext());
- return RuleImplOp.applyRulesToResponseResources(theRequestDetails, theRuleApplier, thePointcut, outputResources);
+ List outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainer(
+ theOutputResource, theRequestDetails.getFhirContext());
+ return RuleImplOp.applyRulesToResponseResources(
+ theRequestDetails, theRuleApplier, thePointcut, outputResources);
 }
 }
 }
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
index c391f52ddfa..8716208018a 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java
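Review bot: The response branch at `List outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainer(` uses the variant that, going by its name, always drops the root resource, while RuleImplOp's bundle path in this same commit calls `toListOfResourcesAndExcludeContainerUnlessStandalone` instead. If that reading is right, an operation whose output is a single non-container resource would reach `applyRulesToResponseResources` with only its nested resources (an empty list for a plain resource), so the returned resource itself would never be evaluated against the rule chain when `myAllowAllResponses` is false; whether that is intended for operation responses should be confirmed. I would either switch the call to `toListOfResourcesAndExcludeContainerUnlessStandalone(theOutputResource, theRequestDetails.getFhirContext())` to match RuleImplOp, or add a comment above it stating that standalone operation outputs are deliberately not rule-checked here and why. The enclosing method starts before this hunk, so the request-side `newVerdict` path is not fully visible.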
@@ -835,14 +835,23 @@ class RuleImplOp extends BaseRule /* implements IAuthRule */ {
 }
 
 @Nullable
- private static Verdict applyRulesToResponseBundle(RequestDetails theRequestDetails, IBaseResource theOutputResource, IRuleApplier theRuleApplier, Pointcut thePointcut) {
- List outputResources = AuthorizationInterceptor.toListOfResourcesAndExcludeContainerUnlessStandalone(
- theOutputResource, theRequestDetails.getFhirContext());
+ private static Verdict applyRulesToResponseBundle(
+ RequestDetails theRequestDetails,
+ IBaseResource theOutputResource,
+ IRuleApplier theRuleApplier,
+ Pointcut thePointcut) {
+ List outputResources =
+ AuthorizationInterceptor.toListOfResourcesAndExcludeContainerUnlessStandalone(
+ theOutputResource, theRequestDetails.getFhirContext());
 return applyRulesToResponseResources(theRequestDetails, theRuleApplier, thePointcut, outputResources);
 }
 
 @Nullable
- public static Verdict applyRulesToResponseResources(RequestDetails theRequestDetails, IRuleApplier theRuleApplier, Pointcut thePointcut, List outputResources) {
+ public static Verdict applyRulesToResponseResources(
+ RequestDetails theRequestDetails,
+ IRuleApplier theRuleApplier,
+ Pointcut thePointcut,
+ List outputResources) {
 Verdict verdict = null;
 for (IBaseResource nextResource : outputResources) {
 if (nextResource == null) {