Skip to content

Add Optional Query Filter For Instance Operation Authorization Rules #7433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nathandoef wants to merge 31 commits into
base: master
Choose a base branch
from
Open

Add Optional Query Filter For Instance Operation Authorization Rules #7433

nathandoef wants to merge 31 commits into from
+1,132 −44

Conversation

@nathandoef
Copy link
Collaborator

@nathandoef nathandoef commented Dec 11, 2025
edited
Loading

  • The RuleBuilder now supports adding optional FHIR query filters to instance-level operation authorization rules.
    New methods onAnyInstanceMatchingOptionalFilter() and onInstancesOfTypeMatchingOptionalFilter() allow restricting which
    resource instances are permitted for a given operation based on search parameter criteria. For example, this enables
    rules like allowing $meta operations only on Observations matching category=vital-signs.
  • The AuthResourceResolver now includes per-request caching to avoid redundant database reads when
    the same resource is resolved multiple times during authorization checks. Resource resolution is also now
    partition-aware, using the request's partition context when reading resources.

@robogary
Copy link
Contributor

robogary commented Dec 11, 2025
edited
Loading

Formatting check succeeded!

michaelabuckley and others added 26 commits December 11, 2025 17:16
@michaelabuckley
Leave some breadcrumps for Nathan.
7b4f7c8
@nathandoef
Revert "trigger diff for PR"
aa4ed97 
This reverts commit 179376e.
@nathandoef
Merge branch 'master' into nd-2025-12-11-meta-operations-permission-w…
cd4f1b5 
…ith-query-filter
@nathandoef
Merge branch 'master' into nd-2025-12-11-meta-operations-permission-w…
0afa30e 
…ith-query-filter
@nathandoef
wip - add optional instance filter restriction for operations of inst…
bf95176 
…ance of type
@nathandoef
add DaoRegistryAuthResourceFetcher / clean up
40b9f2c
@nathandoef
wip - add optional instance filter restriction for operations on any …
319969b 
…type
@nathandoef
spotless
5ff07ae
@nathandoef
ensure instance filter can only be used for instance level operations
360c5b9
@nathandoef
add caching to DaoRegistryAuthorizationResourceFetcher
bb1ca22
@nathandoef
remove fixmes
0bfc1de
@nathandoef
clean up instance filter readability
e13325c
@nathandoef
use input resource instead of fetching if it matches the target resou…
9d3d9b5 
…rce id
@nathandoef
Merge branch 'master' into nd-2025-12-11-meta-operations-permission-w…
b5dd09d 
…ith-query-filter

# Conflicts:
#	hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/BaseRule.java
#	hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IRuleApplier.java
@nathandoef
use new added AuthResourceResolver
d59157f
@nathandoef
add caching to resolveResourcesByIds
f9eae94
@nathandoef
add @nullable
7d2a138
@nathandoef
tests
2f52b86
@nathandoef
add logging
16d65a6
@nathandoef
spotless
49b7366
@nathandoef
add InstanceOperationAuthorizationWithFilterR4Test
a0799de
@nathandoef
add getInstanceFilter() to OperationRuleTestUtil
3a46540
@nathandoef
clean up AuthorizationInterceptor architecture
5775c6d
@nathandoef
Merge branch 'master' into nd-2025-12-11-meta-operations-permission-w…
8d1d8f2 
…ith-query-filter
@nathandoef
changelogs
88510d5
@nathandoef
self review
33450ea
@nathandoef nathandoef changed the title Meta Operations With Query Filter Add Optional Query Filter For Instance Operation Authorization Rules Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelabuckley michaelabuckley michaelabuckley approved these changes

@jamesagnew jamesagnew Awaiting requested review from jamesagnew jamesagnew is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nathandoef @robogary @michaelabuckley