patient see their multiple studies
@@ -187,21 +187,49 @@ func PatientViewRestriction(logger *zap.Logger) func(http.Handler) http.Handler
|
||||
}
|
||||
|
||||
// If a study is being requested, verify patient has access
|
||||
if requestedStudyUID != "" && requestedStudyUID != claims.StudyIUID {
|
||||
logger.Warn("Patient attempted to access unauthorized study",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("role", claims.Role),
|
||||
zap.String("authorizedStudy", claims.StudyIUID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
if requestedStudyUID != "" {
|
||||
// Check if the requested study is authorized
|
||||
isAuthorized := false
|
||||
|
||||
// Return 403 Forbidden with a clear message
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
json.NewEncoder(w).Encode(map[string]string{
|
||||
"error": "Access denied: You do not have permission to view this study",
|
||||
"code": "forbidden_study_access",
|
||||
})
|
||||
return
|
||||
// First check the array of studies if available
|
||||
if len(claims.StudyIUIDs) > 0 {
|
||||
for _, studyUID := range claims.StudyIUIDs {
|
||||
if studyUID == requestedStudyUID {
|
||||
isAuthorized = true
|
||||
logger.Debug("Patient authorized to access study from StudyIUIDs array",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If not found in the array, check the single StudyIUID for backward compatibility
|
||||
if !isAuthorized && claims.StudyIUID == requestedStudyUID {
|
||||
isAuthorized = true
|
||||
logger.Debug("Patient authorized to access study from StudyIUID",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("requestedStudy", requestedStudyUID))
|
||||
}
|
||||
|
||||
// If still not authorized, return 403 Forbidden
|
||||
if !isAuthorized {
|
||||
logger.Warn("Patient attempted to access unauthorized study",
|
||||
zap.String("userID", claims.UserID),
|
||||
zap.String("role", claims.Role),
|
||||
zap.String("requestedStudy", requestedStudyUID),
|
||||
zap.Strings("authorizedStudies", claims.StudyIUIDs),
|
||||
zap.String("authorizedStudy", claims.StudyIUID))
|
||||
|
||||
// Return 403 Forbidden with a clear message
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
json.NewEncoder(w).Encode(map[string]string{
|
||||
"error": "Access denied: You do not have permission to view this study",
|
||||
"code": "forbidden_study_access",
|
||||
})
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Patient has access or is requesting a list (which will be filtered)
|
||||
|
||||
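Review bot: The access decision in this hunk is spread across the `len(claims.StudyIUIDs) > 0` loop, the single-`StudyIUID` fallback and the `!isAuthorized` branch, with logging interleaved, so the one rule that gates patient access to a study cannot be unit-tested on its own; extracting it into a pure predicate keeps the handler body to "call predicate, log, respond" and lets the rule be table-tested for the empty, array-only, legacy-only and mismatch cases. The `len(...) > 0` guard around the loop is also redundant, since ranging over an empty or nil slice is a no-op, and the error from `json.NewEncoder(w).Encode(...)` in the 403 branch is dropped (as it was before the change). The enclosing `PatientViewRestriction` middleware begins and ends outside the hunk, and the types of `claims` and its fields are not visible here, so the signature below takes the fields directly.

```go
// patientMayViewStudy reports whether requested is one of the study UIDs the
// token grants. studyIUID is the legacy single-study claim kept for backward
// compatibility; an empty requested UID is never authorized by this predicate.
func patientMayViewStudy(studyIUIDs []string, studyIUID, requested string) bool {
	if requested == "" {
		return false
	}
	for _, uid := range studyIUIDs {
		if uid == requested {
			return true
		}
	}
	return studyIUID == requested
}

// … in the middleware, replacing the isAuthorized bookkeeping …
if requestedStudyUID != "" && !patientMayViewStudy(claims.StudyIUIDs, claims.StudyIUID, requestedStudyUID) {
	// … unchanged: logger.Warn, 403 headers and JSON body, return …
}
```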