Paging with authorization interceptor doesn't seem to validate rulelist on every page fetched #590
We have implemented the authorization interceptor approximately like in the Hapi examples:
and then implemented the method
where last rule of the rulelist is
It now seems that once you've made the first search call with an applicable and valid token, then the next link could just be copied to a browser and the contents of that page are returned. Should we implement the rule enforcing and token checking somehow differently, so that each and every call goes through the rule list?
We store the information about the token in the userData:
Which operation is the next page actually?
Hmm, so I tried to reproduce this and I had somewhat different results from you: Paging results are definitely handled incorrectly, but they are always denied for me because the "read" rule examines the outer bundle instead of the inner contents.
I'm going to check in a fix. We now have unit tests confirming that paging requests work with the security interceptor. Can you try the latest 2.5 snapshot build and see if you still see this issue?
Very weird. The rule list definitely is (or at least should be) checked for each call, there is no caching of rule evaluation between pages or anything like that.
Would you be able to try putting a breakpoint here: https://github.com/jamesagnew/hapi-fhir/blob/master/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/method/BaseResourceReturningMethodBinding.java#L263
Essentially, for a paging request, that should loop through the interceptors, including the authorization one. When I try this locally for a page request, it goes into the interceptor and builds the rule list almost right away (I actually notice it builds the list once for each resource in the response bundle, which should definitely be optimized).
There's a unit test that verifies this functionality here FYI: https://github.com/jamesagnew/hapi-fhir/blob/master/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java#L1170
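The pattern the reporter is asking about (a rule list whose last rule is deny-all, with the caller's token resolved into `userData`) can be written so that nothing from an earlier request is trusted: since the maintainer points out that `buildRuleList` is invoked for every request, including page fetches, re-validating the token inside that method means a copied `next` link without a token gets only the default deny. The following is an added example for this thread, not code from the issue or from the HAPI FHIR project. Class, method and package names (`AuthorizationInterceptor`, `RuleBuilder`, `RequestDetails`, `RestOperationTypeEnum`) are recalled from the HAPI FHIR 2.x API and should be checked against the version in use (`RequestDetails` in particular moved packages in later releases); `TokenStore`, `Principal`, the `X-Auth-Token` header name and the `"principal"` userData key are constructed for the example.

```java
import java.util.List;
import java.util.Map;

import ca.uhn.fhir.model.primitive.IdDt;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.method.RequestDetails;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;

/**
 * Example interceptor (not from the issue or the HAPI project): deny by default,
 * and resolve the presented token on every call, so a paging request that arrives
 * without a valid token is treated exactly like any other unauthenticated request.
 */
public class TokenCheckingAuthorizationInterceptor extends AuthorizationInterceptor {

    /** Hypothetical application-side lookup from a presented token to a principal. */
    public interface TokenStore {
        /** Returns the principal the token belongs to, or null if it is unknown/expired. */
        Principal resolve(String token);
    }

    /** Hypothetical principal: the user and the Patient compartment they may access. */
    public static final class Principal {
        public final String userId;
        public final IdDt patientId;

        public Principal(String userId, IdDt patientId) {
            this.userId = userId;
            this.patientId = patientId;
        }
    }

    private final TokenStore tokens;

    public TokenCheckingAuthorizationInterceptor(TokenStore tokens) {
        this.tokens = tokens;
    }

    @Override
    public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
        // Resolve the token afresh on every request. A "next" link only carries a
        // search/page id in the URL, so the page fetch must re-present the token;
        // nothing stored in userData by an earlier request is consulted here.
        String token = theRequestDetails.getHeader("X-Auth-Token"); // constructed header name
        Principal user = (token == null) ? null : tokens.resolve(token);

        if (user == null) {
            // No usable token: only the CapabilityStatement is reachable, everything else
            // (searches and page fetches alike) falls through to the deny-all rule.
            return new RuleBuilder()
                    .allow("metadata").metadata().andThen()
                    .denyAll("no valid token")
                    .build();
        }

        // Record the principal for this request only, e.g. for resource providers or audit.
        Map<Object, Object> userData = theRequestDetails.getUserData();
        userData.put("principal", user);

        // A page fetch is evaluated by the read rules against the resources in the
        // returned page, so no separate allow for the paging operation is needed.
        // The operation type is available if the deployment wants to audit page fetches.
        boolean isPageFetch =
                theRequestDetails.getRestOperationType() == RestOperationTypeEnum.GET_PAGE;
        userData.put("isPageFetch", isPageFetch);

        return new RuleBuilder()
                .allow("metadata").metadata().andThen()
                // Reads and writes confined to the caller's own Patient compartment.
                .allow("read own compartment").read().allResources()
                    .inCompartment("Patient", user.patientId).andThen()
                .allow("write own compartment").write().allResources()
                    .inCompartment("Patient", user.patientId).andThen()
                // Last rule, as in the reporter's setup: anything not matched above is denied.
                .denyAll("default deny")
                .build();
    }
}
```

The design point is that authority lives in the token, not in the `next` link: because the rule list is rebuilt per request and the token is checked inside `buildRuleList`, a page URL copied into a browser without the token gets the `denyAll` outcome rather than the page contents. Registering the interceptor is unchanged (`server.registerInterceptor(new TokenCheckingAuthorizationInterceptor(store))`), and the maintainer's unit test linked above is the place to confirm that page requests do in fact pass through it in the version being run.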
I followed your suggestion to put the debug breakpoint there. The looping starts fine but what happens is we have registered a
We have registered our
I confirmed things further by removing the