Let a patient see all of their authorized studies (multiple StudyIUIDs)

This commit is contained in:
mario
2025-05-13 09:52:45 +07:00
parent 13bb380f51
commit 2d1f135fda
7 changed files with 193 additions and 58 deletions


@@ -187,21 +187,49 @@ func PatientViewRestriction(logger *zap.Logger) func(http.Handler) http.Handler
}
// If a study is being requested, verify patient has access
if requestedStudyUID != "" && requestedStudyUID != claims.StudyIUID {
logger.Warn("Patient attempted to access unauthorized study",
zap.String("userID", claims.UserID),
zap.String("role", claims.Role),
zap.String("authorizedStudy", claims.StudyIUID),
zap.String("requestedStudy", requestedStudyUID))
if requestedStudyUID != "" {
// Check if the requested study is authorized
isAuthorized := false
// Return 403 Forbidden with a clear message
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusForbidden)
json.NewEncoder(w).Encode(map[string]string{
"error": "Access denied: You do not have permission to view this study",
"code": "forbidden_study_access",
})
return
// First check the array of studies if available
if len(claims.StudyIUIDs) > 0 {
for _, studyUID := range claims.StudyIUIDs {
if studyUID == requestedStudyUID {
isAuthorized = true
logger.Debug("Patient authorized to access study from StudyIUIDs array",
zap.String("userID", claims.UserID),
zap.String("requestedStudy", requestedStudyUID))
break
}
}
}
// If not found in the array, check the single StudyIUID for backward compatibility
if !isAuthorized && claims.StudyIUID == requestedStudyUID {
isAuthorized = true
logger.Debug("Patient authorized to access study from StudyIUID",
zap.String("userID", claims.UserID),
zap.String("requestedStudy", requestedStudyUID))
}
// If still not authorized, return 403 Forbidden
if !isAuthorized {
logger.Warn("Patient attempted to access unauthorized study",
zap.String("userID", claims.UserID),
zap.String("role", claims.Role),
zap.String("requestedStudy", requestedStudyUID),
zap.Strings("authorizedStudies", claims.StudyIUIDs),
zap.String("authorizedStudy", claims.StudyIUID))
// Return 403 Forbidden with a clear message
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusForbidden)
json.NewEncoder(w).Encode(map[string]string{
"error": "Access denied: You do not have permission to view this study",
"code": "forbidden_study_access",
})
return
}
}
// Patient has access or is requesting a list (which will be filtered)
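Review bot: The allow decision is now split across two claim fields and two inline branches (the `StudyIUIDs` loop and the `StudyIUID` fallback), with no single place that answers "is this token allowed to see study X"; the trailing comment says list requests "will be filtered" downstream, and if that filter still consults only the legacy `claims.StudyIUID` a multi-study patient will get an incomplete (or, if the single field is empty in new tokens, empty) list — that code is outside the hunk, so please confirm. I would extract the check into one predicate that both this middleware and the list filter call, so the authorization rule cannot drift between the two paths and can be unit-tested on its own. On Go 1.21+ the loop body is simply `slices.Contains(granted, studyUID)`. Separately, the `json.NewEncoder(w).Encode(...)` error on the 403 path is still dropped; a `_ =` with a short comment would make that deliberate. The enclosing `PatientViewRestriction` handler starts and ends outside this hunk.
```go
// studyAuthorized reports whether a token grants access to studyUID. It
// honors the StudyIUIDs array and, for tokens issued before the array
// existed, the legacy single StudyIUID. An empty studyUID is never authorized.
func studyAuthorized(studyUID, legacyStudyUID string, granted []string) bool {
	if studyUID == "" {
		return false
	}
	for _, uid := range granted {
		if uid == studyUID {
			return true
		}
	}
	return legacyStudyUID == studyUID
}

// … in PatientViewRestriction, replacing the inline array/fallback checks:
if requestedStudyUID != "" && !studyAuthorized(requestedStudyUID, claims.StudyIUID, claims.StudyIUIDs) {
	// … unchanged: Warn log and 403 JSON response …
}
```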