edit study_iuids & accNum in patient jwt to array

This commit is contained in:
mario
2025-05-13 10:07:16 +07:00
parent 2d1f135fda
commit 0d4825d152
7 changed files with 34 additions and 89 deletions


@@ -187,39 +187,27 @@ func PatientViewRestriction(logger *zap.Logger) func(http.Handler) http.Handler
}
// If a study is being requested, verify patient has access
if requestedStudyUID != "" {
if requestedStudyUID != "" && len(claims.StudyIUIDs) > 0 {
// Check if the requested study is authorized
isAuthorized := false
// First check the array of studies if available
if len(claims.StudyIUIDs) > 0 {
for _, studyUID := range claims.StudyIUIDs {
if studyUID == requestedStudyUID {
isAuthorized = true
logger.Debug("Patient authorized to access study from StudyIUIDs array",
zap.String("userID", claims.UserID),
zap.String("requestedStudy", requestedStudyUID))
break
}
for _, studyUID := range claims.StudyIUIDs {
if studyUID == requestedStudyUID {
isAuthorized = true
logger.Debug("Patient authorized to access study",
zap.String("userID", claims.UserID),
zap.String("requestedStudy", requestedStudyUID))
break
}
}
// If not found in the array, check the single StudyIUID for backward compatibility
if !isAuthorized && claims.StudyIUID == requestedStudyUID {
isAuthorized = true
logger.Debug("Patient authorized to access study from StudyIUID",
zap.String("userID", claims.UserID),
zap.String("requestedStudy", requestedStudyUID))
}
// If still not authorized, return 403 Forbidden
// If not authorized, return 403 Forbidden
if !isAuthorized {
logger.Warn("Patient attempted to access unauthorized study",
zap.String("userID", claims.UserID),
zap.String("role", claims.Role),
zap.String("requestedStudy", requestedStudyUID),
zap.Strings("authorizedStudies", claims.StudyIUIDs),
zap.String("authorizedStudy", claims.StudyIUID))
zap.Strings("authorizedStudies", claims.StudyIUIDs))
// Return 403 Forbidden with a clear message
w.Header().Set("Content-Type", "application/json")