fhir-smart not enforced for JSONPatch and FHIRPathPatch

[jornvanwier]

Describe the bug

fhir-smart does appear to enforce JSONPatch and FHIRPathPatch requests. When using a JWT with ff94628809f34970a7a8199bccf2f23c as one of the patient_ids and a "patient/*.read" scope the following happens:

This PUT request gives a 403 as expected:

curl 'http://localhost:9080/fhir-server/api/v4/Patient/ff94628809f34970a7a8199bccf2f23c' -H "Authorization: Bearer $bearer" -H 'Content-Type: application/json' -d '{"resourceType": "Patient", "id": "ff94628809f34970a7a8199bccf2f23c", "gender":"female"}' -X PUT

However, if I do what is essentially the same request using JSONPatch, the change is allowed:

curl 'http://localhost:9080/fhir-server/api/v4/Patient/ff94628809f34970a7a8199bccf2f23c' -H "Authorization: Bearer $bearer" -H 'Content-Type: application/json-patch+json' -d '[{ "op": "add", "path": "/gender", "value": "female" }]' -X PATCH

With FHIRPathPatch the same can be observed.

I initially suspected that it was because org.linuxforhealth.fhir.smart.AuthzPolicyEnforcementPersistenceInterceptor does not have a beforePatch method, but after adding this method (with the same implementation as beforeUpdate) the problem persisted.

Am I missing something, or is this a bug in fhir-smart?

Environment

I'm currently still using 4.11.1. Looking through the changelogs and relevant code I don't believe this has already been fixed in the newer versions.

To Reproduce

Steps to reproduce the behavior:

1. Have a JWT with read-only access to a patient (I'm using "patient/*.read")
2. Perform a JSONPatch or FHIRPathPatch request for data belonging to the current patient.
3. The request will succeed.

Expected behavior

The request should not succeed unless the JWT has a write scope for the resource.

[PrasannaHegde1]

Generated a token with scope "patient/*.read" for patient_id 1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9

1. The JSONPatch request for patient_id 1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9 resulted in a 403 error as expected.

https://localhost:9443/fhir-server/api/v4/Patient/1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9
HTTP Method : PATCH
Content-Type : application/json-patch+json
[{ "op": "add", "path": "/gender", "value": "male" }]

2. The FHIRPathPatch request for patient_id 1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9 resulted in a 403 error as expected.

https://localhost:9443/fhir-server/api/v4/Patient/1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9
HTTP Method : PATCH
Content-Type : application/fhir+json
{
  "resourceType": "Parameters",
  "parameter": [ {
    "name": "operation",
    "part": [ {
      "name": "type",
      "valueCode": "add"
    }, {
      "name": "path",
      "valueString": "Patient"
    }, {
      "name": "name",
      "valueString": "gender"
    }, {
      "name": "value",
      "valueCode": "male"
    } ]
  } ]
}

3. The update Patient(id = 1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9) request resulted in a 403 error as expected.

https://localhost:9443/fhir-server/api/v4/Patient/1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9
HTTP Method : PUT
Content-Type : application/json
{
	 "id" : "1850f9523a4-c7c2cc41-6544-404b-843a-7620eac731d9",
    "resourceType" : "Patient",
    "active" : true,
    "name" : [ {
        "family" : "Doe2",
        "given" : [ "John" ]
    } ],
    "gender" : "male"
}