-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4941 performing javascript reject operation during consent validation does not return 403 #4951
base: master
Are you sure you want to change the base?
Conversation
…n-during-consent-validation-does-not-return-403
Codecov ReportPatch coverage has no change and project coverage change:
Additional details and impacted files@@ Coverage Diff @@
## master #4951 +/- ##
============================================
+ Coverage 81.32% 83.16% +1.83%
- Complexity 23650 25558 +1908
============================================
Files 1425 1557 +132
Lines 86399 93239 +6840
Branches 11677 12423 +746
============================================
+ Hits 70265 77541 +7276
+ Misses 10947 10232 -715
- Partials 5187 5466 +279 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and u'll need a changelog.
@@ -58,6 +58,7 @@ public ConsentOutcome canSeeResource(RequestDetails theRequestDetails, IBaseReso | |||
Observation obs = (Observation)theResource; | |||
if (obs.getCategoryFirstRep().hasCoding("http:https://hl7.org/fhir/codesystem-observation-category.html", "laboratory")) { | |||
return ConsentOutcome.REJECT; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove commented code.
instead, add to the documentation (line 54-56):
A real interceptor might do something more nuance or entirely forbid the operation by returning ConsentOutcome.FORBID;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
...hir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/consent/ConsentInterceptor.java
Outdated
Show resolved
Hide resolved
...hir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/consent/ConsentInterceptor.java
Show resolved
Hide resolved
...-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ConsentInterceptorTest.java
Show resolved
Hide resolved
* The requested operation cannot proceed, and an operation outcome suitable for | ||
* the user is available | ||
*/ | ||
FORBID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dont' understand what this change is for. How is FORBID different from REJECT? It has identical javadocs which suggests that it is the same. If it's not the same, the javadocs need to be updated to reflect exactly when someone would use one vs the other, and the actual documentation on hapifhir.io/hapi-fhir/docs should also be updated to make this clear. Also Unit Tests should be added that exercize the differences.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The intend behind adding the FORBID operation outcome is to permit a client to specify that the server should return 403 from any of the consent service javascript callback as REJECT will only trigger a 403 from 'consentStartOperation'.
Comment and documentation will be updated.
What was done: