Regular user without institution cannot load records
Closed this issue · 2 comments
@blcham Users without an institution and without an Admin role cannot access records due to the filtering applied in the @PreAuthorize annotation in the code:
PatientRecordsController.java
    @PreAuthorize("hasRole('" + SecurityConstants.ROLE_ADMIN + "') or @securityUtils.isMemberOfInstitution(#institutionKey)")
    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
    public List<PatientRecordDto> getRecords
Users without the Admin role and without an institution receive a 403 (Forbidden) status.
I can remove this @PreAuthorize annotation, and the method will handle this logic itself. In that case, users without an institution will receive a ValidationException with an error_id (which the frontend understands) and a description.
However, the issue with removing @PreAuthorize is that admins without an institution will also be unable to retrieve records, as the method will filter based on whether the user has an institution or not.
I think the best solution would be to loosen up the condition so it does not fail if #institutionKey is not sent ... so something like:
"hasRole('" + SecurityConstants.ROLE_ADMIN + "') or #institutionKey == null or @securityUtils.isMemberOfInstitution(#institutionKey)"
And then throw a 409 Conflict only if institutionKey is null for a regular user.
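How the proposal in the last comment could look in the controller, as an added example that is neither the project's code nor anything posted in the thread. SecurityConstants.ROLE_ADMIN, @securityUtils.isMemberOfInstitution and PatientRecordDto are the names from the issue; PatientRecordService with its two finder methods, the isAdmin() helper and the institutionKey query parameter are assumptions:

```java
import java.util.List;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical lookup service; the issue does not show how records are fetched.
interface PatientRecordService {
    List<PatientRecordDto> findAll();
    List<PatientRecordDto> findByInstitution(String institutionKey);
}

@RestController
public class PatientRecordsController {

    private final PatientRecordService recordService;

    public PatientRecordsController(PatientRecordService recordService) {
        this.recordService = recordService;
    }

    // Loosened guard from the proposal: admins always pass; a missing key passes so the
    // method body can answer 409 instead of the opaque 403; a present key must belong to
    // one of the caller's institutions. SpEL equality is '==' ('=' is assignment in SpEL
    // and would not express this check). '#institutionKey' must match the parameter name.
    @PreAuthorize("hasRole('" + SecurityConstants.ROLE_ADMIN + "') "
            + "or #institutionKey == null "
            + "or @securityUtils.isMemberOfInstitution(#institutionKey)")
    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
    public List<PatientRecordDto> getRecords(
            // Assumed to arrive as an optional query parameter (the issue does not say).
            @RequestParam(required = false) String institutionKey) {

        if (institutionKey == null) {
            if (isAdmin()) {
                // Admin without an institution: unrestricted listing, as before the change.
                return recordService.findAll();
            }
            // Regular user without an institution: the annotation let the call through only
            // so that we can fail closed here with the agreed 409 instead of a 403.
            throw new ResponseStatusException(HttpStatus.CONFLICT,
                    "User has no institution; institutionKey is required");
        }

        // A non-admin reaching this point has already passed
        // isMemberOfInstitution(#institutionKey) in the annotation; an admin may list any institution.
        return recordService.findByInstitution(institutionKey);
    }

    // Mirrors hasRole() in the annotation. Assumes SecurityConstants.ROLE_ADMIN carries the
    // same "ROLE_" prefix (if any) as the granted authority string does.
    private static boolean isAdmin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> SecurityConstants.ROLE_ADMIN.equals(a.getAuthority()));
    }
}
```

The point to hold the two halves together on: once `#institutionKey == null` is admitted by the annotation, the `institutionKey == null` branch in the method is the only thing standing between a regular user who omits the key and an unfiltered `findAll()`. That branch is what keeps the loosened expression from turning a 403 into a listing of every institution's records, so it belongs in the same change and deserves a test of its own.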