
Conditional update should reject updates when resource body contains id that already exists on server

Open renom opened this issue 2 years ago • 3 comments

Describe the bug

PUT [base]/[type]?[search parameters]

Such requests either update the record if "id" is provided in the request body or create a new record if "id" isn't provided.

Environment

Arch Linux & Docker & FHIR Server 5.1.0

To Reproduce

Request with any search parameters that return 0 records when the GET method is used, with an existing id in the body:

PUT /Patient?_id=unexisting_id

{
  "id": "existing_id"
  ...
}

Response: 200 (the patient is updated)

Request with any search parameters that return 0 records when the GET method is used, with the id omitted from the body:

PUT /Patient?_id=unexisting_id

{
  ...
}

Response: 201 (the patient is created)

Expected behavior

Conditional update works as described in the FHIR specification (it should refuse the above requests).

renom, Nov 28 '22 13:11

The current version of the spec (R4B) lists only two cases for when there are "no matches":

  • No matches, no id provided: The server creates the resource.
  • No matches, id provided: The server treats the interaction as an Update as Create interaction (or rejects it, if it does not support Update as Create)

However, for R5 they've split that second case into two:

  • No matches, id provided and doesn't already exist: The server treats the interaction as an Update as Create interaction (or rejects it, if it does not support Update as Create)
  • No matches, id provided and already exists: The server rejects the update with a 409 Conflict error

We should pre-adopt that change to address the issue identified by @renom.

lmsurpre, Nov 29 '22 13:11
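
The "no matches" cases listed in the comment above, written out as a small decision function. This is an added example, not part of the thread and not LinuxForHealth FHIR Server code; `search_by_id`, `conditional_update_no_match`, the in-memory `store` and the sample patient are hypothetical, and the `r5_rules=False` branch models the overwrite reported in this issue.

```python
import uuid

def search_by_id(store, _id):
    """Model of GET /Patient?_id=...: list of matching resources."""
    return [r for rid, r in store.items() if rid == _id]

def conditional_update_no_match(store, body, r5_rules=True, update_create=True):
    """Decide PUT [base]/[type]?[criteria] when the criteria matched nothing.

    store is a hypothetical in-memory {id: resource} map standing in for the
    server. Returns (outcome, resource_id); store is written only on success.
    """
    rid = body.get("id")
    if rid is None:
        # No matches, no id provided: the server creates the resource.
        rid = str(uuid.uuid4())
        store[rid] = {**body, "id": rid}
        return "201 Created", rid
    if rid in store:
        if r5_rules:
            # R5: id provided and already exists -> 409 Conflict, no write.
            return "409 Conflict", rid
        # Behaviour reported in this issue: a resource the search criteria
        # never selected is overwritten.
        store[rid] = dict(body)
        return "200 OK", rid
    if not update_create:
        # Server does not support Update as Create: reject (status not modelled).
        return "rejected", rid
    # Id provided and not yet present: Update as Create.
    store[rid] = dict(body)
    return "201 Created", rid

def demo():
    """Run the issue's first request under both rule sets (constructed data)."""
    results = {}
    for label, r5 in (("reported", False), ("r5", True)):
        store = {"existing_id": {"id": "existing_id", "name": "original"}}
        assert search_by_id(store, "unexisting_id") == []  # criteria match nothing
        body = {"id": "existing_id", "name": "changed"}
        outcome, _ = conditional_update_no_match(store, body, r5_rules=r5)
        results[label] = (outcome, store["existing_id"]["name"])
    return results

if __name__ == "__main__":
    print(demo())
```
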

@lmsurpre given that it's impossible to update the resource without a possibility of creating a new one (if the resource doesn't exist) with a PUT request?

renom, Nov 29 '22 15:11

I'm not sure I understand your question. Did you read through https://www.hl7.org/fhir/http.html#concurrency ?

We do have a config setting for disabling "create-on-update" as documented at https://linuxforhealth.github.io/FHIR/guides/FHIRServerUsersGuide#34-updatecreate-feature

lmsurpre, Nov 29 '22 21:11