
Smart app launch and $everything operation should handle 403 error better

Open d0roppe opened this issue 2 years ago • 1 comments

Describe the bug
With the $everything operation, and having SMART app launch configured, a 403 error turns into a 500 error back to the caller.

Environment
FHIR-main

To Reproduce
Steps to reproduce the behavior: Call /Patient//$everything with OAuth2 through SMART App Launch; a 403 error causes a 500 error back to the caller.

Expected behavior
The 403 error should flow back to the caller.

d0roppe, Mar 24 '22 12:03

With the changes from #3779, the expected response status for this case is now a 403 (not a 500) and the error message should be like this:

Error retrieving $everything resources of type 'Appointment' for Patient/002e2eac-c802-41fc-8b38-6d45b67a38d0; caused by read permission for 'Appointment' is not granted by any of the provided scopes: [[patient/Patient.*]]

lmsurpre, Jul 14 '22 04:07

During QA, we found that we still emitted a generic 500 error in the case that the user was missing read access to their patient resource (e.g. missing scope patient/Patient.read).

lmsurpre, Sep 01 '22 14:09
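How the status mapping discussed in the two comments above can be modelled, as an added Python example that is not the server's own code: scope names follow the SMART v1 shape seen in the thread (e.g. `patient/Patient.*`), the compartment type list and the `fetch_resources` stub are constructed, the `Patient` self-read check covers the missing `patient/Patient.read` case, and `propagate_forbidden=False` reproduces the reported generic 500.

```python
import re

# SMART v1 scope shape used in the thread, e.g. patient/Patient.*  (constructed matcher)
_SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")

# Constructed subset of the Patient compartment types that $everything walks
COMPARTMENT_TYPES = ("Appointment", "Observation", "Condition")


class ForbiddenError(Exception):
    """Authorization failure: must reach the caller as HTTP 403, never as a 500."""


def read_granted(resource_type, scopes):
    """True if any scope grants read on resource_type; unparseable scopes grant nothing."""
    for scope in scopes:
        m = _SCOPE_RE.match(scope)
        if m and m.group(2) in (resource_type, "*") and m.group(3) in ("read", "*"):
            return True
    return False


def check_read(resource_type, scopes):
    if not read_granted(resource_type, scopes):
        raise ForbiddenError(f"read permission for '{resource_type}' is not granted "
                             f"by any of the provided scopes: [{', '.join(scopes)}]")


def fetch_resources(resource_type, patient_id):
    """Stand-in for the persistence layer (hypothetical); returns constructed references."""
    return [f"{resource_type}/{patient_id}-1"]


def everything(patient_id, scopes, propagate_forbidden=True):
    """Return (http_status, body). propagate_forbidden=False reproduces the reported bug."""
    try:
        # The missing patient/Patient.read case: the caller must be able to read the Patient itself.
        check_read("Patient", scopes)
        bundle = [f"Patient/{patient_id}"]
        for rtype in COMPARTMENT_TYPES:
            try:
                check_read(rtype, scopes)
            except ForbiddenError as e:
                raise ForbiddenError(f"Error retrieving $everything resources of type "
                                     f"'{rtype}' for Patient/{patient_id}; caused by {e}") from e
            bundle.extend(fetch_resources(rtype, patient_id))
        return 200, bundle
    except Exception as e:
        if isinstance(e, ForbiddenError) and propagate_forbidden:
            return 403, str(e)
        # Anything else (or pre-fix handling of every exception): generic 500, no internal text echoed
        return 500, "internal server error"
```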

After the fix, we confirmed some additional cases to ensure we're not leaking information, and everything looks OK to us.

lmsurpre, Sep 02 '22 13:09