patient see their multiple studies

This commit is contained in:
mario
2025-05-13 09:52:45 +07:00
parent 13bb380f51
commit 2d1f135fda
7 changed files with 193 additions and 58 deletions

View File

@@ -61,10 +61,66 @@ func (h *DicomHandler) ForwardRequest(w http.ResponseWriter, r *http.Request) {
if claims != nil {
switch claims.Role {
case "patient":
// For patients requesting study list, filter to only show their study
// For patients requesting study list, filter to only show their studies
if strings.HasPrefix(urlPath, "/studies") && !strings.Contains(urlPath, "/") {
// Ensure only the patient's study is shown
queryParams.Set("StudyInstanceUID", claims.StudyIUID)
// Check if multiple studies are available in the claim
if len(claims.StudyIUIDs) > 0 {
// Remove existing StudyInstanceUID param if it exists
queryParams.Del("StudyInstanceUID")
// For DICOMweb, we can use comma-separated UIDs
queryParams.Set("StudyInstanceUID", strings.Join(claims.StudyIUIDs, ","))
h.logger.Debug("Filtering by multiple studies",
zap.Strings("studies", claims.StudyIUIDs),
)
} else if claims.StudyIUID != "" {
// Fallback for backward compatibility - ensure only the patient's study is shown
queryParams.Set("StudyInstanceUID", claims.StudyIUID)
}
} else if strings.HasPrefix(urlPath, "/studies/") {
// This is a request for a specific study - check if the patient is authorized
// Extract the study ID from the path
// Format: /studies/{studyID}/...
pathParts := strings.Split(strings.TrimPrefix(urlPath, "/"), "/")
if len(pathParts) >= 2 {
studyID := pathParts[1]
// Check if this study is in the patient's authorized studies
authorized := false
// First check StudyIUIDs array
if len(claims.StudyIUIDs) > 0 {
for _, id := range claims.StudyIUIDs {
if id == studyID {
authorized = true
break
}
}
}
// Then check single StudyIUID for backward compatibility
if !authorized && claims.StudyIUID == studyID {
authorized = true
}
// If not authorized, return 403 Forbidden
if !authorized {
h.logger.Warn("Unauthorized study access attempt",
zap.String("studyID", studyID),
zap.String("patientID", claims.PatientID),
zap.Strings("authorizedStudies", claims.StudyIUIDs),
)
http.Error(w, "Forbidden: You are not authorized to access this study", http.StatusForbidden)
return
}
h.logger.Debug("Authorized access to specific study",
zap.String("studyID", studyID),
zap.String("patientID", claims.PatientID),
)
}
}
case "ref_doctor":
// For ref_doctor requesting study list, apply filter from token