Convert a few nulls to aggressive denies

2024-05-08 20:03:46 -07:00 · 2024-05-08 20:03:46 -07:00 · 9021e7e765
parent 7a461df2db
commit 9021e7e765
2 changed files with 15 additions and 9 deletions
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImpl.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImpl.java
@ -80,10 +80,10 @@ public class RuleBulkExportImpl extends BaseRule {
 		// Do we only authorize some types?  If so, make sure requested types are a subset
 		if (isNotEmpty(myResourceTypes)) {
 			if (isEmpty(inboundBulkExportRequestOptions.getResourceTypes())) {
-				return null;
+				return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
 			}
 			if (!myResourceTypes.containsAll(inboundBulkExportRequestOptions.getResourceTypes())) {
-				return null;
+				return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
 			}
 		}
@ -136,8 +136,9 @@ public class RuleBulkExportImpl extends BaseRule {
 				Set<String> permittedPatientIds = sanitizeIds(myPatientIds);
 				if (permittedPatientIds.containsAll(requestedPatientIds)) {
 					return allowVerdict;
 				} else {
 					return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
 				}
 				return null;
 			}
 		}
 		return null;
--- a/hapi-fhir-server/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImplTest.java
+++ b/hapi-fhir-server/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBulkExportImplTest.java
@ -49,7 +49,7 @@ public class RuleBulkExportImplTest {
 		when(myRequestDetails.getAttribute(any())).thenReturn(options);
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}
@ -68,7 +68,7 @@ public class RuleBulkExportImplTest {
 		when(myRequestDetails.getAttribute(any())).thenReturn(options);
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}
 	@Test
@ -106,7 +106,7 @@ public class RuleBulkExportImplTest {
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}
 	@Nested
 	class StyleChecks {
@ -316,7 +316,7 @@ public class RuleBulkExportImplTest {
 		AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
 		//Then: abstain
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}
 	@Test
@ -426,7 +426,7 @@ public class RuleBulkExportImplTest {
 		final AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
 		//Then: We do not have permissions on the requested patient so we abstain
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}
 	@Test
@ -484,7 +484,7 @@ public class RuleBulkExportImplTest {
 		final AuthorizationInterceptor.Verdict verdict = myRule.applyRule(myOperation, myRequestDetails, null, null, null, myRuleApplier, myFlags, myPointcut);
 		//Then: There are unpermitted patients in the request so this is not permitted.
-		assertAbstain(verdict);
+		assertDeny(verdict);
 	}  //
 	@Test
@ -567,4 +567,9 @@ public class RuleBulkExportImplTest {
 		Assertions.assertNotNull(verdict, "Expect ALLOW, got abstain");
 		Assertions.assertEquals(PolicyEnum.ALLOW, verdict.getDecision(), "Expect ALLOW");
 	}
 	private static void assertDeny(AuthorizationInterceptor.Verdict verdict) {
 		Assertions.assertNotNull(verdict, "Expect DENY, got abstain");
 		Assertions.assertEquals(PolicyEnum.DENY, verdict.getDecision(), "Expect DENY");
 	}
 }