AuthorizationInterceptor no longer works on response of $document operation #6258
Comments
|
If you specify |
|
Yes I add these rules for the Composition resource and for all resources referenced from that Composition. Sorry if that wasn't clear from the description. |
|
Could you create a unit test on |
|
I'm trying to reproduce it in a unit test, but it behaves slightly different. In the test I'll do some more digging next week. |
|
If I understand correctly, the |
|
Ah ok - you may need to implement this in |
|
Ah yes, of course. I updated my branch: master...gijsbert802:hapi-fhir:6258-AuthorizationInterceptor-no-longer-works-on-response-of-$document-operation This test passes on v7.2.x, but fails on v7.4.x and on master. |
|
That's a great test, short and to the point! Will give it a try. |
Describe the bug
Starting with HAPI 7.4.0, the AuthorizationInterceptor seem to apply it's rules to the Bundle resource created by a $document operation instead of the resources contained in the response Bundle.
I believe this may be a regression caused by Fix authorization handling for Bundle resources in the output #5953 (@codeforgreen)
I don't quite understand how it works, but
AuthorizationInterceptor#shouldExamineBundleChildResourcesnow returns false when the resource is not an instance ofIBaseParametersorIBaseBundle. Previously, it returned true in the case of a $document operation onComposition.To Reproduce
I use these rules:
ruleBuilder .allow().operation().named("\$document").onInstance(resourceIdType).andRequireExplicitResponseAuthorization().andThen() .allow().read().instance(resourceIdType) .build()Expected behavior
I expect the rules to be applied to the resources contained in the response Bundle, not to the Bundle itself.
Environment (please complete the following information):
The text was updated successfully, but these errors were encountered: