Syncing.

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java

@@ -525,14 +525,6 @@ public IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules() {
 					rule.setOp(RuleOpEnum.TRANSACTION);
 					rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
 					myRules.add(rule);
-
-					// Allow batch
-					rule = new RuleImplOp(myRuleName);
-					rule.setMode(myRuleMode);
-					rule.setOp(RuleOpEnum.BATCH);
-					rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
-					myRules.add(rule);
-
 					return new RuleBuilderFinished(rule);
 				}
 

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.java

@@ -35,9 +35,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -174,7 +174,6 @@ public Verdict applyRule(RestOperationTypeEnum theOperation, RequestDetails theR
 					return null;
 				}
 				break;
-			case BATCH:
 			case TRANSACTION:
 				if (!(theOperation == RestOperationTypeEnum.TRANSACTION)) {
 					return null;
@@ -185,12 +184,16 @@ public Verdict applyRule(RestOperationTypeEnum theOperation, RequestDetails theR
 					}
 					List<BundleEntryParts> inputResources = BundleUtil.toListOfEntries(ctx, (IBaseBundle) theInputResource);
 					Verdict verdict = null;
+
+					boolean allComponentsAreGets = true;
 					for (BundleEntryParts nextPart : inputResources) {
 
 						IBaseResource inputResource = nextPart.getResource();
 						RestOperationTypeEnum operation = null;
 						if (nextPart.getRequestType() == RequestTypeEnum.GET) {
 							continue;
+						} else {
+							allComponentsAreGets = false;
 						}
 						if (nextPart.getRequestType() == RequestTypeEnum.POST) {
 							operation = RestOperationTypeEnum.CREATE;
@@ -219,6 +222,15 @@ public Verdict applyRule(RestOperationTypeEnum theOperation, RequestDetails theR
 							verdict = newVerdict;
 						}
 					}
+
+					/*
+					 * If we're handling a transaction with all gets and nothing else, we'll
+					 * be applying security on the way out
+					 */
+					if (allComponentsAreGets) {
+						return newVerdict();
+					}
+
 					return verdict;
 				} else if (theOutputResource != null) {
 
@@ -453,9 +465,8 @@ private boolean requestAppliesToTransaction(FhirContext theContext, RuleOpEnum t
 		//noinspection EnumSwitchStatementWhichMissesCases
 		switch (theOp) {
 			case TRANSACTION:
-				return "transaction".equals(bundleType);
-			case BATCH:
-				return "batch".equals(bundleType);
+				return "transaction".equals(bundleType)
+					|| "batch".equals(bundleType);
 			default:
 				return false;
 		}

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleOpEnum.java

@@ -24,11 +24,13 @@ enum RuleOpEnum {
 	READ,
 	WRITE, 
 	ALLOW_ALL,
-	DENY_ALL, 
+	DENY_ALL,
+	/**
+	 * Transaction applies to both transaction and batch
+	 */
 	TRANSACTION, 
 	METADATA, 
-	BATCH, 
-	DELETE, 
+	DELETE,
 	OPERATION,
 	PATCH
 }

hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/AuthorizationInterceptorR4Test.java

@@ -499,6 +499,45 @@ public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
 		status = ourClient.execute(httpPost);
 		extractResponseAndClose(status);
 		assertEquals(200, status.getStatusLine().getStatusCode());
+
+
+
+	}
+
+	@Test
+	public void testBatchAllowedWithGets() throws Exception {
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
+				return new RuleBuilder()
+					.allow("Rule 1").transaction().withAnyOperation().andApplyNormalRules().andThen()
+					.allow("Rule 2").write().allResources().inCompartment("Patient", new IdType("Patient/1")).andThen()
+					.allow("Rule 2").read().allResources().inCompartment("Patient", new IdType("Patient/1")).andThen()
+					.build();
+			}
+		});
+
+		HttpPost httpPost;
+		HttpResponse status;
+
+		// Bundle with GETs
+
+		Bundle input = new Bundle();
+		input.setType(Bundle.BundleType.BATCH);
+		input.addEntry().getRequest().setUrl("Patient?").setMethod(Bundle.HTTPVerb.GET);
+
+		Bundle output = new Bundle();
+		output.setType(Bundle.BundleType.TRANSACTIONRESPONSE);
+		output.addEntry().getResponse().setLocation("/Patient/1");
+
+		ourReturn = Collections.singletonList(output);
+		ourHitMethod = false;
+		httpPost = new HttpPost("http://localhost:" + ourPort + "/");
+		httpPost.setEntity(createFhirResourceEntity(input));
+		status = ourClient.execute(httpPost);
+		extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+
 	}
 
 	@Test

src/changes/changes.xml

@@ -100,6 +100,11 @@
 				permission is granted. This has been corrected so that transaction() allows both
 				batch and transaction requests to proceed.
 			</action>
+			<action type="fix">
+				The AuthorizationInterceptor was previously not able to authorize the FHIR 
+				batch operation. As of this version, when authorizing a transaction operation
+				(via the transaction() rule), both batch and transaction will be allowed.
+			</action>
 		</release>
 
 		<release version="3.5.0" date="2018-09-17">