Closed
Description
Describe the bug
If a user is configured with a Patient ID specific rule and they trigger a Patient-level $export with a _typeFilter on that Patient ID, the export will fail with a 403.
To Reproduce
Steps to reproduce the behavior:
- Configure a user with a rule that only allows patient bulk export on Patient 123
- Trigger a POST http://localhost:8000/Patient/$export
with body:
{
"resourceType": "Parameters",
"parameter": [
{
"name": "_outputFormat",
"valueString": "application/fhir+ndjson"
},
{
"name": "_type",
"valueString": "Patient"
},
{
"name": "_typeFilter",
"valueString": "Patient?_id=123"
}
]
}
- The response will be a 403
Expected behavior
The export request should pass with a 202 and the header should include a link for them to poll for the export
Environment (please complete the following information):
- HAPI FHIR Version: master
Additional context
The problem occurs in RuleBulkExportImpl.applyRule() as this scenario is not handled by the special case logic introduced in 6.6.0.
Metadata
Metadata
Assignees
Labels
No labels