From aff43d79032e94589ec059f165ab3039b2a48ef3 Mon Sep 17 00:00:00 2001 From: Yanyu Zheng Date: Mon, 23 Aug 2021 16:09:36 -0400 Subject: [PATCH] fix: group export permission update (#56) --- src/smartScopeHelper.test.ts | 21 +++++++++++++++++++-- src/smartScopeHelper.ts | 29 +++++++++++++++++++++-------- 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/src/smartScopeHelper.test.ts b/src/smartScopeHelper.test.ts index d1ba23b..8486d99 100644 --- a/src/smartScopeHelper.test.ts +++ b/src/smartScopeHelper.test.ts @@ -62,7 +62,7 @@ describe.each(isScopeSufficientCases)('%s: isScopeSufficient', (scopeType: Scope ); }); - test('scope is sufficient for bulk data access with "user" || "system" scopeType but not "patient" scopeType', () => { + test('scope is sufficient for system bulk data access with "user" || "system" scopeType but not "patient" scopeType', () => { const clonedScopeRule = emptyScopeRule(); clonedScopeRule[scopeType].read = ['read']; const bulkDataAuth: BulkDataAuth = { operation: 'initiate-export', exportType: 'system' }; @@ -73,7 +73,7 @@ describe.each(isScopeSufficientCases)('%s: isScopeSufficient', (scopeType: Scope ); }); - test('scope is NOT sufficient for bulk data access: Scope needs to have resourceType "*"', () => { + test('scope is NOT sufficient for system bulk data access: Scope needs to have resourceType "*"', () => { const clonedScopeRule = emptyScopeRule(); clonedScopeRule[scopeType].read = ['read']; @@ -82,6 +82,23 @@ describe.each(isScopeSufficientCases)('%s: isScopeSufficient', (scopeType: Scope isScopeSufficient(`${scopeType}/Observation.read`, clonedScopeRule, 'read', undefined, bulkDataAuth), ).toEqual(false); }); + + test('scope is sufficient for group export with "system" scopeType, not "user" of "patient" scopeType', () => { + const clonedScopeRule = emptyScopeRule(); + clonedScopeRule[scopeType].read = ['read']; + const bulkDataAuth: BulkDataAuth = { operation: 'initiate-export', exportType: 'group' }; + + // Only scopeType of system has bulkDataAccess + expect(isScopeSufficient(`${scopeType}/*.read`, clonedScopeRule, 'read', undefined, bulkDataAuth)).toEqual( + scopeType === 'system', + ); + + // Group export result is filtered on allowed resourceType, scope not having resourceType "*" should be passed + expect( + isScopeSufficient(`${scopeType}/Observation.read`, clonedScopeRule, 'read', undefined, bulkDataAuth), + ).toEqual(scopeType === 'system'); + }); + test('scope is sufficient to do a search-system', () => { const clonedScopeRule = emptyScopeRule(); clonedScopeRule[scopeType].read = ['search-system']; diff --git a/src/smartScopeHelper.ts b/src/smartScopeHelper.ts index c366776..3d11e7b 100644 --- a/src/smartScopeHelper.ts +++ b/src/smartScopeHelper.ts @@ -84,14 +84,27 @@ function isSmartScopeSufficientForBulkDataAccess( smartScope: ClinicalSmartScope, scopeRule: ScopeRule, ) { - const bulkDataRequestHasCorrectScope = - bulkDataAuth.exportType === 'system' && // As of 2021-01-09 we only support System Level export - ['system', 'user'].includes(smartScope.scopeType) && - smartScope.resourceType === '*' && - ['*', 'read'].includes(smartScope.accessType) && - getValidOperationsForScopeTypeAndAccessType(smartScope.scopeType, smartScope.accessType, scopeRule).includes( - 'read', - ); + let bulkDataRequestHasCorrectScope = false; + if (bulkDataAuth.exportType === 'system') { + bulkDataRequestHasCorrectScope = + ['system', 'user'].includes(smartScope.scopeType) && + smartScope.resourceType === '*' && + ['*', 'read'].includes(smartScope.accessType) && + getValidOperationsForScopeTypeAndAccessType( + smartScope.scopeType, + smartScope.accessType, + scopeRule, + ).includes('read'); + } else if (bulkDataAuth.exportType === 'group') { + bulkDataRequestHasCorrectScope = + ['system'].includes(smartScope.scopeType) && + ['*', 'read'].includes(smartScope.accessType) && + getValidOperationsForScopeTypeAndAccessType( + smartScope.scopeType, + smartScope.accessType, + scopeRule, + ).includes('read'); + } return ( ['initiate-export', 'get-status-export', 'cancel-export'].includes(bulkDataAuth.operation) && bulkDataRequestHasCorrectScope