Stream: smart
Topic: Scoped and chained parameters
Angus Millar (Jun 22 2018 at 06:10):
Would I be correct in thinking that scopes apply to chained search parameters?
If I had a search request under the context of a single scope of user/Observation.read
and a chained query was given
[base]/Observation?subject:Patient.family=Chalmers
which would give all Observation Resources which have a patient named Chalmers. Should this request return as Unauthorized? I feel it should because it leaks patient information, as I now know the Patient that the observations are related to.
Is this true?
Josh Mandel (Jun 22 2018 at 10:09):
We don't try to define detailed authorization semantics like this in the standard -- but yes, the expectation that you've laid out here makes perfect sense.
Angus Millar (Jun 22 2018 at 10:10):
> We don't try to define detailed authorization semantics like this in the standard -- but yes, the expectation that you've laid out here makes perfect sense.
Thanks Josh
Last updated: Apr 12 2022 at 19:14 UTC