Update allows updating resource that is not within read / write scope #667
Still using HAPI 2.4

We have created scopes like:

```java
// read rule: Observations in the Patient compartment of the token's patient
builder.allow("read:" + scope).read().resourcesOfType(Observation.class).inCompartment("Patient", userIdPatientId);
// write rule: same compartment (rule builder starts with allow(...), then write())
builder.allow("write:" + scope).write().resourcesOfType(Observation.class).inCompartment("Patient", userIdPatientId);
```
Let's say there is an Observation 1 with Patient A (44a12254-b28d-42f9-8bec-4a468473ef9f) that's been saved with an access token with Patient A as the resource owner. Now it is possible for Patient B to update Observation 1 with permissions from her access token if the subject of the resource in the update request is Patient B (21bb8e2a-673e-42f0-8843-ac90d18d8222).
Shouldn't there also be a check in the update operation that the resource being updated is within the given rules? Are we missing some rule here?

POSTing the first version of a resource and reading a resource with GET work correctly with the rules here.
POST Patient 44a12254-b28d-42f9-8bec-4a468473ef9f
PUT with Patient B (21bb8e2a-673e-42f0-8843-ac90d18d8222)
Response for the PUT with Patient B.
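The gap described in this report, modelled as an added example (this is not HAPI FHIR code and does not use its rule builder): a compartment check that inspects only the body of the PUT lets a caller rewrite the subject of someone else's Observation, while a check that also loads the stored version and requires both versions to sit in the caller's compartment refuses it. The two patient ids are the ones from the report; the resource model, store and policy functions are constructed for the example.

```python
# Added example (not HAPI FHIR code): a minimal model of compartment-scoped
# authorization showing why an update (PUT) must be checked against the stored
# version of the resource, not only against the body of the request.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Patient ids taken from the report above; everything else is constructed.
PATIENT_A = "44a12254-b28d-42f9-8bec-4a468473ef9f"
PATIENT_B = "21bb8e2a-673e-42f0-8843-ac90d18d8222"


@dataclass
class Resource:
    resource_type: str
    id: str
    subject: str  # reference such as "Patient/<id>"; decides the compartment


def in_patient_compartment(resource: Resource, patient_id: str) -> bool:
    """True if the resource belongs to the Patient compartment of patient_id."""
    return resource.subject == f"Patient/{patient_id}"


def authorize_update_input_only(store: Dict[str, Resource], token_patient: str,
                                incoming: Resource) -> bool:
    """Behaviour described in the report: only the request body is inspected.

    A caller satisfies the rule simply by sending a body whose subject matches
    their own token, regardless of who the stored version belongs to.
    """
    return in_patient_compartment(incoming, token_patient)


def authorize_update_checked(store: Dict[str, Resource], token_patient: str,
                             incoming: Resource) -> bool:
    """Hardened check: stored version and new version must both lie in the
    caller's compartment.

    - stored version outside the compartment -> caller may not touch it
    - new version outside the compartment    -> caller may not move it away
    """
    existing: Optional[Resource] = store.get(incoming.id)
    if existing is None:
        # update-as-create behaves like POST: only the new content matters
        return in_patient_compartment(incoming, token_patient)
    return (in_patient_compartment(existing, token_patient)
            and in_patient_compartment(incoming, token_patient))


def apply_update(store: Dict[str, Resource], token_patient: str,
                 incoming: Resource, authorize: Callable) -> bool:
    """Run the given policy and commit the update only when it allows it."""
    if not authorize(store, token_patient, incoming):
        return False
    store[incoming.id] = incoming
    return True


def scenario_from_report() -> dict:
    """Replay the report under both policies: Patient A creates Observation 1,
    then Patient B PUTs a new version whose subject is Patient B.
    Returns {policy: (PUT allowed?, subject of Observation 1 afterwards)}."""
    results = {}
    for name, policy in (("input_only", authorize_update_input_only),
                         ("checked", authorize_update_checked)):
        store: Dict[str, Resource] = {}
        # POST by Patient A: creates Observation 1 in A's compartment
        obs_v1 = Resource("Observation", "1", f"Patient/{PATIENT_A}")
        if not apply_update(store, PATIENT_A, obs_v1, policy):
            raise RuntimeError("initial create should always be allowed")
        # PUT by Patient B with the subject rewritten to Patient B
        obs_v2 = Resource("Observation", "1", f"Patient/{PATIENT_B}")
        allowed = apply_update(store, PATIENT_B, obs_v2, policy)
        results[name] = (allowed, store["1"].subject)
    return results


if __name__ == "__main__":
    for name, (allowed, owner) in scenario_from_report().items():
        print(f"{name:10s} PUT by Patient B allowed={allowed}; "
              f"Observation 1 now has subject {owner}")
```

The `input_only` policy reproduces the report: the PUT succeeds and Observation 1 ends up in Patient B's compartment. The `checked` policy denies it because the stored version belongs to Patient A, while still letting Patient A update her own Observation as long as she does not move it into another patient's compartment. Checking the new version as well as the stored one is what stops the owner from handing a resource to someone else.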