edit study_iuids & accNum in patient jwt to array
@@ -187,39 +187,27 @@ func PatientViewRestriction(logger *zap.Logger) func(http.Handler) http.Handler
|
||||
}
|
||||
|
||||
// If a study is being requested, verify patient has access
|
||||
if requestedStudyUID != "" {
|
||||
if requestedStudyUID != "" && len(claims.StudyIUIDs) > 0 {
|
||||
// Check if the requested study is authorized
|
||||
isAuthorized := false
|
||||
|
||||
// First check the array of studies if available
|
||||
if len(claims.StudyIUIDs) > 0 {
|
||||
for _, studyUID := range claims.StudyIUIDs {
|
||||
if studyUID == requestedStudyUID {
|
||||
isAuthorized = true
|
||||
logger.Debug("Patient authorized to access study from StudyIUIDs array",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
break
|
||||
}
|
||||
for _, studyUID := range claims.StudyIUIDs {
|
||||
if studyUID == requestedStudyUID {
|
||||
isAuthorized = true
|
||||
logger.Debug("Patient authorized to access study",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// If not found in the array, check the single StudyIUID for backward compatibility
|
||||
if !isAuthorized && claims.StudyIUID == requestedStudyUID {
|
||||
isAuthorized = true
|
||||
logger.Debug("Patient authorized to access study from StudyIUID",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
}
|
||||
|
||||
// If still not authorized, return 403 Forbidden
|
||||
// If not authorized, return 403 Forbidden
|
||||
if !isAuthorized {
|
||||
logger.Warn("Patient attempted to access unauthorized study",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("role", claims.Role),
|
||||
zap.String("requestedStudy", requestedStudyUID),
|
||||
zap.Strings("authorizedStudies", claims.StudyIUIDs),
|
||||
zap.String("authorizedStudy", claims.StudyIUID))
|
||||
zap.Strings("authorizedStudies", claims.StudyIUIDs))
|
||||
|
||||
// Return 403 Forbidden with a clear message
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
||||
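Review bot: The new guard `if requestedStudyUID != "" && len(claims.StudyIUIDs) > 0 {` fails open: when a study is requested but the token's StudyIUIDs array is empty, the whole authorization block — including the `!isAuthorized` 403 path — is skipped, whereas the old code fell through to the denial. Tokens issued before this change that carry only the single `StudyIUID` field now present an empty array and therefore bypass the check entirely, because the backward-compatibility comparison against `claims.StudyIUID` was removed rather than made to deny. Keep the guard as `if requestedStudyUID != "" {` so that ranging over an empty slice leaves `isAuthorized` false and the request is rejected; if empty StudyIUIDs is already rejected earlier in PatientViewRestriction that would mitigate this, but nothing in the hunk shows it. PatientViewRestriction starts before and continues after this hunk on both sides.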