FHIR Chat · Other operations & authorization interceptor question. · implementers

Stream: implementers

Topic: Other operations & authorization interceptor question.


James Fadeley (Oct 30 2020 at 18:49):

So using the AuthorizationInterceptor works great for catching declaring resources. One interesting caveat seems to be when it comes to operations like http://hapi.fhir.org/baseR4/metadata

In this case, the CapabilityStatement that is returned isn't really a "resource" per se, but rather is an operation called "metadata." I don't see a means to allow operations through other than by checking the requestDetails for the operations and allowing "return new RuleBuilder().allowAll("Allow access to metadata").build();"

Allowing just "new RuleBuilder().allow("Allow access of CapabilityStatement resource type.").read().resourcesOfType(CapabilityStatement.class).withAnyId();" does not work because the resource isn't identified, and when I tried to identify it against the resources, combining and extending with "CapabilityStatementRestSecurityComponent" and "IResourceProvider" throws a contractual failure because the returned object is an "OperationDefinition" type.

What is the proper way to allow operations against "metadata" through?

James Fadeley (Oct 30 2020 at 19:07):

Disregard. Didn't realize there was a special builder method of ".metadata()" against the RuleBuilder. That seems more logical.


Last updated: Apr 12 2022 at 19:14 UTC