Stream: inferno
Topic: AVU Tests
Alexander Zautke (Aug 10 2020 at 15:30):
I just ran into the issue that all tests for checking Unrestricted Resource Type Access (AVU01 - AVU14) showed a green checkmark; however, the search query behind it did not succeed. The search bundles only contained OperationOutcomes related to an error while executing the search. Maybe a check if a resource with the correct resource type is included should be added?
Robert Scanlon (Aug 10 2020 at 15:56):
Thanks @Alexander Zautke -- We tried to make this set of tests be just about authorization, and not about correctness of FHIR query responses, because we do that exhaustively in the 'Single Patient API' tests later. We could add more checking here if in practice there are common mistakes that are caused by authorization issues (simply checking resource type is easy enough). But we want to avoid going too far down the FHIR response correctness path, because it becomes time consuming (following bundle paging, validating all resources, ensuring search responses are consistent with any search parameters... where do we stop?). And we do all of that in the later steps anyhow.
Robert Scanlon (Aug 10 2020 at 16:02):
Most importantly from my perspective, are you able to pass everything ('Standalone Patient App', 'Limited Scope App', 'EHR Practitioner App' and 'Single Patient API') with an implementation exhibiting this behavior on the Unrestricted Resource Type Access tests? Or does this get picked up as a failure in one of the later tests?
Alexander Zautke (Aug 10 2020 at 16:35):
Fair enough :) Haven't tried any of the other tests yet, will report back if the error doesn't show up anywhere else. Thanks for the explanation!
Robert Scanlon (Aug 10 2020 at 16:47):
Hmmm, another argument for going to this level of checking is we do it on our OIDC fhirUser check -- we make sure that the resourceType returned from that URL is one of ['Patient', 'Practitioner', 'RelatedPerson', 'Person']. If that's the bar we set in the authentication area, maybe that's what we should do on the authorization side as well (just check the resourceType).
Last updated: Apr 12 2022 at 19:14 UTC