Skip to content

Restore encounter panel privilege enforcement#2612

Open
yingbull with Copilot wants to merge 13 commits into
developfrom
copilot/fix-privilege-check-override
Open

Restore encounter panel privilege enforcement#2612
yingbull with Copilot wants to merge 13 commits into
developfrom
copilot/fix-privilege-check-override

Conversation

Copilot AI commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Episode and pregnancy encounter panels evaluated role privileges, then immediately overwrote the result with true, making those checks ineffective. This allowed users who could reach the encounter shell to see those panels regardless of _newCasemgmt.episode / _newCasemgmt.pregnancy permissions.

This PR restores those panel-specific checks and also tightens the shared encounter entry gate so panel loading requires chart access instead of plain demographic read.

  • Shared encounter gate

    • In EctDisplayAction, replace the pre-session privilege check from _demographic r to _eChart r.
    • This keeps unauthorized users from building or mutating encounter session state unless they have chart access.
    • This change was intentional: demographic read access is not equivalent to chart access.
  • Panel-specific authorization

    • Remove the hard-coded privilege override in EctDisplayEpisode2Action.
    • Remove the hard-coded privilege override in EctDisplayPregnancy2Action.
    • The existing OscarRoleObjectPrivilege.checkPrivilege(...) result now controls whether those panels populate.
  • Effective behavior after this change

    • A caller must have _eChart r to load the encounter panel flow at all.
    • Even with chart access, the episode panel still requires _newCasemgmt.episode.
    • Even with chart access, the pregnancy panel still requires _newCasemgmt.pregnancy.
  • Regression coverage

    • Added behavioral tests that assert encounter panel loading is denied when _eChart is missing.
    • Added behavioral tests that assert episode and pregnancy panels do not populate when their panel-specific privileges are denied.
    • Added a positive-path test that confirms panel loading proceeds when _eChart is granted.

Related Issues

Fixes the encounter panel privilege bypass described in this PR.
Also incorporates follow-up review feedback to use the correct shared chart-level gate.

How Was This Tested?

  • Added focused unit coverage in EncounterPanelPrivilegeRegressionUnitTest.
  • Covered:
    • denied _eChart access blocks encounter-panel loading before session mutation
    • granted _eChart access allows the shared flow to proceed
    • denied _newCasemgmt.episode prevents episode panel population
    • denied _newCasemgmt.pregnancy prevents pregnancy panel population

Copilot AI requested review from Copilot and removed request for Copilot June 1, 2026 23:52
Copilot AI changed the title [WIP] Fix privilege check override in EctDisplayEpisode2Action and EctDisplayPregnancy2Action Restore encounter panel privilege enforcement Jun 1, 2026
Copilot AI requested a review from yingbull June 1, 2026 23:53
@Ben-Heerema Ben-Heerema self-assigned this Jun 2, 2026
@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@Ben-Heerema

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7e404e2f-c9c3-41e6-89f4-8e8fc8d92919

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR removes redundant privilege-flag resets in two encounter panel actions, adds a regression test for denied privilege paths, and refactors EctDisplayAction into smaller helpers for session setup, command handling, encoded reload URLs, and forward resolution.

Changes

Privilege Flag Reset Fix and Validation

Layer / File(s) Summary
Remove redundant privilege flag resets in encounter panels
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayEpisode2Action.java, src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayPregnancy2Action.java
Removed a = true assignments that were overriding the outcome of OscarRoleObjectPrivilege.checkPrivilege(...).
Encounter panel privilege regression test
src/test/java/io/github/carlos_emr/carlos/encounter/pageUtil/EncounterPanelPrivilegeRegressionUnitTest.java
Added JUnit 5 regression coverage with static mocks for servlet context and privilege checks, verifying denied privileges skip panel population and avoid episodeDao interaction.

Encounter Display Action Refactor

Layer / File(s) Summary
Refactor execute flow and request gating
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
Split execute() into helpers for navbar name resolution, JSON request detection, session preparation, command resolution, access checks, and forward logging.
Extract encounter session helpers
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
Moved encounter-session rebuild and request-field population into helpers that validate provider and appointment values, sanitize inputs, and persist the session bean.
Encode reload URLs and resolve forwards
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
Added encoded query-string building, DAO-backed command execution, JSON response writing, and XMLHttpRequest-specific forward finalization.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • carlos-emr/carlos#687: Also changes EctDisplayAction success forwarding to use include(...) and return NONE for AJAX-style responses.

Suggested reviewers: yingbull

Poem

🐰 I hop through flags that now obey,
And helpers split the busy way.
The panels pause when rules say “no,”
While encoded URLs safely flow.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title concisely captures the main change: restoring privilege enforcement for encounter panels.
Description check ✅ Passed The description matches the code changes and regression tests, especially the restored privilege checks and updated encounter gate.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch copilot/fix-privilege-check-override
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch copilot/fix-privilege-check-override

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java`:
- Around line 56-57: readEncounterPageUtilSource currently constructs a file
path with Path.of(...) which bypasses repository path validation; change it to
use the repository's PathValidationUtils to build/validate the path (e.g., call
the PathValidationUtils method that validates/resolves a path segment before
reading) or, alternatively, restrict readEncounterPageUtilSource to only accept
an enum/constant for allowed filenames and map those to validated paths via
PathValidationUtils; update references to readEncounterPageUtilSource to pass
only validated/known names and ensure any thrown IOException handling remains
intact.
- Around line 36-54: The current tests in EncounterPanelPrivilegeRegressionTest
(methods shouldHonorConfiguredRolePrivilege_forEpisodePanel and
shouldHonorConfiguredRolePrivilege_forPregnancyPanel) only assert source text
via readEncounterPageUtilSource and should be changed to exercise the runtime
behavior: invoke the corresponding action handlers (EctDisplayEpisode2Action and
EctDisplayPregnancy2Action) or their public entry points under a test context
with a user that lacks the _newCasemgmt.episode/_newCasemgmt.pregnancy
privilege, and assert the denied-privilege outcome (e.g., exception, redirect,
error response or security check result) instead of matching source strings;
remove or replace the contains/containsPattern assertions and use the real
action invocation plus assertions on the denial branch to avoid tying tests to
implementation details like helper extraction or local variable names.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5c3a8b4a-1651-442c-b366-7d876bf41f7f

📥 Commits

Reviewing files that changed from the base of the PR and between 1685679 and 4c63a33.

📒 Files selected for processing (3)
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayEpisode2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayPregnancy2Action.java
  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
💤 Files with no reviewable changes (2)
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayEpisode2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayPregnancy2Action.java
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: SpotBugs + Find Security Bugs
🧰 Additional context used
📓 Path-based instructions (8)
**/*.java

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.java: Use io.github.carlos_emr.carlos.* namespace for ALL new code; specific packages: DAOs in io.github.carlos_emr.carlos.commn.dao.*, Models in io.github.carlos_emr.carlos.commn.model.*, exception: ProviderDao in io.github.carlos_emr.carlos.dao.ProviderDao
Use PathValidationUtils for ALL file path operations that include user input
NEVER log or expose PHI (Protected Health Information) in logs or error messages
Use SpringUtils.getBean(ClassName.class) for Spring bean injection in Struts2 actions and non-Spring-managed classes
JavaDoc is required on all public classes and methods; do NOT include @author tags, use @since tags with git log timestamps, use CARLOS copyright header for new files

Use package namespace io.github.carlos_emr.carlos.* for all new code instead of org.oscarehr.*

**/*.java: Java package names remain as io.github.carlos_emr.carlos.* for backward compatibility - DO NOT change these internal paths
Use parameterized queries ONLY - never string concatenation for SQL queries
PHI (Patient Health Information) must NEVER be logged or exposed - use LogSafe utility or exclude PHI fields from log statements
Use PathValidationUtils for ALL file path operations to prevent path traversal attacks
Class naming: Suffix == role + lifecycle. Use sanctioned suffixes only: *Action, *ViewModelAssembler, *ViewModel, *Loader, *Resolver, *Composer, *Validator, *Persister, *Calculator, *Parser, *ImportService, *Service, *Dao, *Dto, *Command. Never use *Manager, *Helper, *Utils, or compound suffixes
Spring integration: Prefer constructor injection for new actions and services. Reserve SpringUtils.getBean() only for legacy compatibility shims that cannot be constructor-wired yet
JavaDoc required for: public entrypoint classes, non-obvious public/protected methods, and healthcare-domain-specific method contracts. NOT required for: carrier DTOs, trivial records, getters/setters, private helpers
Do NOT add @au...

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
**/*.{jsp,java}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use OWASP Encoder for ALL user input output: in JSP use ${e:forHtml(value)} with taglib <%@ taglib uri="owasp.encoder.jakarta" prefix="e" %>, in Java use Encode.forHtml(value), with context-specific variants (forHtmlAttribute, forJavaScript, forCssString, forUri, forUriComponent)

Use OWASP Encoder for ALL user inputs - prefer <carlos:encode> tag or CARLOS EL functions (${carlos:forXxx()}) over legacy <e:forXxx> or Encode.* static calls

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
**/*.{java,sql}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use parameterized queries ONLY in SQL/HQL operations; never use string concatenation for SQL queries

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
**/*Test.java

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*Test.java: Unit tests must use CarlosUnitTestBase base class for mocked tests (no database); integration tests must use CarlosTestBase for H2 database tests
Follow BDD naming convention for test methods: should<Action>_<preposition><Condition>() with ONE underscore, camelCase, and should prefix

Use BDD (Behavior-Driven Development) test naming convention: should<Action>_<prepositionOrContext><Condition>() with exactly ONE underscore, camelCase throughout, starting lowercase after underscore (e.g., shouldReturnTickler_whenValidIdProvided())

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
src/test/**/*.java

📄 CodeRabbit inference engine (.github/instructions/test-rules.instructions.md)

src/test/**/*.java: Use CarlosTestBase for integration tests with Spring context and H2 database
Use CarlosUnitTestBase for unit tests with mocked SpringUtils and no database
Use BDD naming convention: should_() with ONE underscore, camelCase, and 'should' prefix for test methods
Use hibernateTemplate.flush() NOT entityManager.flush() for HibernateDaoSupport DAOs
HBM property names are case-sensitive - verify property names match the .hbm.xml file
DAO save*() methods may override fields like update_date - account for this in test assertions
Do not assert instance identity across Spring contexts using isSameAs()
HQL LIKE queries require explicit '%' wildcards in test data

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
src/**/*.java

📄 CodeRabbit inference engine (GEMINI.md)

src/**/*.java: Keep Java packages as io.github.carlos_emr.carlos.* for backward compatibility - do NOT change these internal namespace paths
Preserve existing copyright headers in modified files and preserve GPL version exactly as-is; never remove existing copyright notices

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
**/*.{java,jsp,js,xml,sql,py,sh,gradle,xml}

📄 CodeRabbit inference engine (CLAUDE.md)

New copyright headers use CARLOS project header (see docs/copyright-header-carlos.md). Modified files preserve all existing headers. Never remove existing copyright notices (violates GPL). Never change GPL version.

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
src/test/java/**/*Test.java

📄 CodeRabbit inference engine (CLAUDE.md)

src/test/java/**/*Test.java: Test class structure: Choose correct base class - CarlosTestBase for integration tests with Spring context and database, CarlosUnitTestBase for unit tests with mocked SpringUtils, domain-specific bases like DemographicUnitTestBase for unit tests with test data builders
Use @Tag("integration"), @Tag("dao"), and CRUD tags (@Tag("create"), @Tag("read"), @Tag("update"), @Tag("delete"), @Tag("query"), @Tag("search")) for filtering test execution
Use io.github.carlos_emr.carlos.test.logging.LogCapture from test utilities for Log4j2 assertions. Do not define local AbstractAppender or CapturingAppender. Close static mocks in @AfterEach
For Log4j2 and static mocking coordination in tests: SpringUtils.getBean() returns instances from possibly different Spring contexts. Assert type with isInstanceOf() not identity with isSameAs()

Files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
🧠 Learnings (9)
📚 Learning: 2026-03-21T14:58:44.822Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 704
File: src/test/java/io/github/carlos_emr/carlos/commn/dao/Hl7TextInfoDaoIntegrationTest.java:109-110
Timestamp: 2026-03-21T14:58:44.822Z
Learning: For the test-only HibernateTemplate implementation in src/test/java/io/github/carlos_emr/carlos/test/base/HibernateTemplate.java, positional parameter binding is 1-based (it calls query.setParameter(i + 1, ...)). Therefore, in any test code that calls hibernateTemplate.find(queryString, ...), all HQL positional parameters in queryString must use ?1, ?2, etc. Never use ?0 (or other 0-based indices), otherwise Hibernate will raise a runtime parameter binding error.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:42.707Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/webserv/rest/ReportingServiceUnitTest.java:163-270
Timestamp: 2026-05-24T01:02:42.707Z
Learning: In this repository’s Java test code (under src/test/java), CRUD/operation tags on test methods such as Tag("create"), Tag("read"), or Tag("query") are optional “filtering vocabulary” and are NOT required. Since CI does not enforce these CRUD/operation tags, do not flag missing CRUD/operation Tag values on test methods. Only enforce the mandatory test-type tags defined in CLAUDE.md (e.g., Tag("unit"), Tag("fast")).

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:47.540Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/util/UtilDateUtilitiesUnitTest.java:42-44
Timestamp: 2026-05-24T01:02:47.540Z
Learning: In this repository, the `CarlosUnitTestBase` test base class is intended only for tests that need to mock `SpringUtils` and `LogAction` statics. For pure static-method unit tests (e.g., tests like `UtilDateUtilitiesUnitTest`, `SafeEncodeUnitTest`, `QueryAppenderUnitTest`, `TextualizerUnitTest`, `RequestNegotiationUnitTest`), do not require/flag extending `CarlosUnitTestBase`—absence of `CarlosUnitTestBase` is expected when static mocking of `SpringUtils`/`LogAction` isn’t needed.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:46.757Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/util/DateUtilsConvertDate8CharUnitTest.java:39-42
Timestamp: 2026-05-24T01:02:46.757Z
Learning: When reviewing this repo’s Java code that uses CRUD/operation method `Tag(...)` annotations, treat most operation tags (e.g., `Tag("read")`) as optional filtering vocabulary. Only `Tag("integration")` and `Tag("dao")` are required for type/layer classification. Because CI (e.g., `bdd-test-naming.yml`/Surefire) enforces only method naming conventions and does not verify operation tags, do not raise review issues solely for missing optional CRUD operation `Tag` annotations.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:47.540Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/util/UtilDateUtilitiesUnitTest.java:42-44
Timestamp: 2026-05-24T01:02:47.540Z
Learning: In this repository’s JUnit 5 tests, treat CRUD/operation tags (Tag("read"), Tag("create"), Tag("update"), Tag("delete")) as optional filtering vocabulary. Only Tag("integration") and Tag("dao") are required for type/layer classification. If a test is missing one or more CRUD/operation tags, do not flag it as a required change; only enforce what CI actually checks (method/test naming conventions) and rely on Tag("integration")/Tag("dao") for the relevant classification.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:48.955Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/utility/CachedDateFormatsUnitTest.java:48-50
Timestamp: 2026-05-24T01:02:48.955Z
Learning: For this repo’s Java test code (src/test/java/**), do not require CRUD/operation tag annotations like Tag("read") or Tag("write") on test classes or test methods. Treat those CRUD/operation tags as optional filtering vocabulary only. For layer/type distinction, only Tag("integration") and Tag("dao") are required. Code review should avoid flagging missing Tag("read"/"write") (or similar CRUD operation tags) when tests otherwise follow the CI-enforced naming conventions.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-03-24T17:34:18.508Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 716
File: src/main/java/io/github/carlos_emr/carlos/eform/actions/RtlPreventions2Action.java:155-156
Timestamp: 2026-03-24T17:34:18.508Z
Learning: In this repository (carlos-emr/carlos), treat `demographic_no` as an internal database surrogate integer key (the PK of the demographic table), not as PHI. When reviewing code, do not flag logging or output of `demographic_no` as PHI exposure. PHI to flag includes clinical/demographic data elements like patient name, date of birth, HIN, and address.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-04-07T02:57:10.703Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1111
File: src/main/java/io/github/carlos_emr/carlos/util/JDBCUtil.java:140-142
Timestamp: 2026-04-07T02:57:10.703Z
Learning: When reviewing this repository’s Java code, flag any unprotected use of `SchemaFactory.newInstance(...)` (e.g., instances that do not restrict `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to empty strings). Recommend migrating those call sites to `io.github.carlos_emr.carlos.utility.XmlUtils.createSecureSchemaFactory()` so XML Schema validation is hardened against external entity/schema access. Known migrated call sites include `IndicatorTemplateHandler.java` and `DemographicExportAction42Action.java` (post-PR `#1111`).

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java
📚 Learning: 2026-05-24T01:02:46.757Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/test/java/io/github/carlos_emr/carlos/util/DateUtilsConvertDate8CharUnitTest.java:39-42
Timestamp: 2026-05-24T01:02:46.757Z
Learning: In this repo, `CarlosUnitTestBase` is intended only for tests that need to mock the `SpringUtils` / `LogAction` statics. For unit tests that only exercise pure static methods (e.g., `DateUtils`, `SafeEncode`, `QueryAppender`, `Textualizer`, `RequestNegotiation`) and do not interact with those statics, do not extend `CarlosUnitTestBase`; keep the test self-contained to avoid unnecessary setup with no benefit.

Applied to files:

  • src/test/java/io/github/carlos_emr/carlos/security/EncounterPanelPrivilegeRegressionTest.java

Replace the source-inspection regression with behavioral coverage for episode and pregnancy panel denial.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com (noreply@anthropic.com)
Signed-off-by: Ben Heerema <ben@maplecreekmedical.ca>
Copilot AI review requested due to automatic review settings June 2, 2026 18:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com (noreply@anthropic.com)
Signed-off-by: Ben Heerema <ben@maplecreekmedical.ca>
@Ben-Heerema

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot AI review requested due to automatic review settings June 3, 2026 13:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Signed-off-by: Ben Heerema <ben@maplecreekmedical.ca>
@Ben-Heerema Ben-Heerema force-pushed the copilot/fix-privilege-check-override branch from e7d89b5 to bd882ed Compare June 3, 2026 14:13
@Ben-Heerema

Copy link
Copy Markdown
Collaborator

@coderabbitai review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@Ben-Heerema

Copy link
Copy Markdown
Collaborator

@coderabbitai review
@cubic-dev-ai review

@cubic-dev-ai

cubic-dev-ai Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@coderabbitai review
@cubic-dev-ai review

@Ben-Heerema Couldn't start the review: please upgrade to a paid plan to review bot-authored PRs.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@Ben-Heerema I'll kick off a new review of the changes.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sonarqubecloud

Copy link
Copy Markdown

@Ben-Heerema Ben-Heerema marked this pull request as ready for review June 11, 2026 20:50
@Ben-Heerema

Copy link
Copy Markdown
Collaborator

@yingbull I think your concerns are addressed now :)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@CecilFoubert CecilFoubert marked this pull request as draft July 3, 2026 19:02
@CecilFoubert

Copy link
Copy Markdown
Collaborator

Grabbing this one and finishing it off

Copilot AI review requested due to automatic review settings July 3, 2026 19:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Signed-off-by: Cecil Foubert <Cfoubert0782@conestogac.on.ca>
@CecilFoubert

Copy link
Copy Markdown
Collaborator

@cubic-dev-ai review

@cubic-dev-ai

cubic-dev-ai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@cubic-dev-ai review

@CecilFoubert Couldn't start the review: please upgrade to a paid plan to review bot-authored PRs.

@CecilFoubert

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java`:
- Around line 406-409: The JSON branch in EctDisplayAction’s response handling
writes bytes using the platform default charset and never sets a JSON content
type. Update the isJsonRequest path to set the response Content-Type to
application/json;charset=UTF-8 before writing, and change the
json.toString().getBytes() write in that block to use UTF-8 explicitly so
non-ASCII data is returned correctly.
- Around line 160-183: The null-demographic rebuild path in
prepareEncounterSessionBean/resolveDemographicNo is still unsafe because
rebuildEncounterSessionBean can be called with a null demographicNo and then
EctSessionBean.setUpEncounterPage dereferences it. Update the flow so a missing
demographicNo is rejected or handled before calling rebuildEncounterSessionBean,
or add an explicit sessionless/general-privilege branch in
prepareEncounterSessionBean to avoid rebuilding when bean is null and no request
parameter is present.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d38f2bc1-c77c-40f3-a4e3-887d7788fbee

📥 Commits

Reviewing files that changed from the base of the PR and between bd882ed and 53e86fc.

📒 Files selected for processing (1)
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📜 Review details
⚠️ CI failures not shown inline (10)

GitHub Actions: DCO / DCO Sign-Off: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1m�[0m
 �[36;1mpr_json=$(curl -fsSL \�[0m
 �[36;1m  -H "Authorization: ***" \�[0m
 �[36;1m  -H "Accept: application/vnd.github+json" \�[0m
 �[36;1m  "https://api.github.com/repos/$REPO/pulls/$PR_NUMBER")�[0m
 �[36;1mpr_commit_count=$(jq -r '.commits' <<< "$pr_json")�[0m
 �[36;1mbase_ref=$(jq -r '.base.ref' <<< "$pr_json")�[0m
 �[36;1m�[0m
 �[36;1mif [ "$pr_commit_count" -gt 250 ]; then�[0m
 �[36;1m  echo "::error::CARLOS EMR DCO check cannot automatically verify $pr_commit_count commits because GitHub's pull request commits API is capped at 250 commits."�[0m

GitHub Actions: DCO / 0_DCO Sign-Off.txt: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1m�[0m
 �[36;1mpr_json=$(curl -fsSL \�[0m
 �[36;1m  -H "Authorization: ***" \�[0m
 �[36;1m  -H "Accept: application/vnd.github+json" \�[0m
 �[36;1m  "https://api.github.com/repos/$REPO/pulls/$PR_NUMBER")�[0m
 �[36;1mpr_commit_count=$(jq -r '.commits' <<< "$pr_json")�[0m
 �[36;1mbase_ref=$(jq -r '.base.ref' <<< "$pr_json")�[0m
 �[36;1m�[0m
 �[36;1mif [ "$pr_commit_count" -gt 250 ]; then�[0m
 �[36;1m  echo "::error::CARLOS EMR DCO check cannot automatically verify $pr_commit_count commits because GitHub's pull request commits API is capped at 250 commits."�[0m

GitHub Actions: SpotBugs Analysis / SpotBugs + Find Security Bugs: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run export REPORT="target/spotbugs-result.xml"
 �[36;1mexport REPORT="target/spotbugs-result.xml"�[0m
 �[36;1mif [ ! -f "$REPORT" ]; then�[0m
 �[36;1m  echo "::error::No SpotBugs report found at $REPORT"�[0m

GitHub Actions: SpotBugs Analysis / 0_SpotBugs + Find Security Bugs.txt: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run export REPORT="target/spotbugs-result.xml"
 �[36;1mexport REPORT="target/spotbugs-result.xml"�[0m
 �[36;1mif [ ! -f "$REPORT" ]; then�[0m
 �[36;1m  echo "::error::No SpotBugs report found at $REPORT"�[0m

GitHub Actions: Automatic Dependency Submission (Maven) / submit-maven: Automatic Dependency Submission (Maven)

Conclusion: failure

View job details

##[group]Run if command -v mvn &> /dev/null; then
 �[36;1mif command -v mvn &> /dev/null; then�[0m
 �[36;1m  version=$(mvn -q -v)�[0m
 �[36;1m  echo "ignore-wrapper=true" >> "$GITHUB_OUTPUT"�[0m
 �[36;1melif [[ -x ./mvnw ]]; then�[0m
 �[36;1m  version=$(./mvnw -q -v)�[0m
 �[36;1m  echo "ignore-wrapper=false" >> "$GITHUB_OUTPUT"�[0m
 �[36;1melse�[0m
 �[36;1m  echo "::error::No Maven executable found. Please ensure Maven is installed or a Maven wrapper is present."�[0m

GitHub Actions: Automatic Dependency Submission (Maven) / 0_submit-maven.txt: Automatic Dependency Submission (Maven)

Conclusion: failure

View job details

##[group]Run if command -v mvn &> /dev/null; then
 �[36;1mif command -v mvn &> /dev/null; then�[0m
 �[36;1m  version=$(mvn -q -v)�[0m
 �[36;1m  echo "ignore-wrapper=true" >> "$GITHUB_OUTPUT"�[0m
 �[36;1melif [[ -x ./mvnw ]]; then�[0m
 �[36;1m  version=$(./mvnw -q -v)�[0m
 �[36;1m  echo "ignore-wrapper=false" >> "$GITHUB_OUTPUT"�[0m
 �[36;1melse�[0m
 �[36;1m  echo "::error::No Maven executable found. Please ensure Maven is installed or a Maven wrapper is present."�[0m

GitHub Actions: SonarCloud Analysis / Build and analyze: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run if [ -z "$SONAR_TOKEN" ]; then
 �[36;1mif [ -z "$SONAR_TOKEN" ]; then�[0m
 �[36;1m  echo "::error::SONAR_TOKEN is not available in this workflow run."�[0m

GitHub Actions: SonarCloud Analysis / Build and analyze: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
 Post job cleanup.
 (node:4023) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
 (Use `node --trace-deprecation ...` to show where the warning was created)
 [command]/usr/bin/tar --posix -cf cache.tzst --exclude cache.tzst -P -C /home/runner/work/carlos/carlos --files-from manifest.txt --use-compress-program zstdmt
 /usr/bin/tar: .sonar-cache/e93874b6711c87049339696a507b9c2b/sonar-cvereachability-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/06f6abcba0e155ab188fa8a3d1d759b8/sonar-java-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/be77970dffb3af77b743873d2acfb1b2/sonar-dbdjavafrontend-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/c6ef680a93f0d72a08c373315db8eed6/sonar-xml-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/1d9ea99bf4667c88719b48067a250a82/sonar-architecturejavafrontend-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/c5530adf25b595550fc6dda8e33d4291/sonar-jasmin-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/08a0b3fe78cd804013c377c24792dba2/sonar-commona3scontextcollector-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/b577e400c3b63c02eafc2c98c9f0f197/sonar-textenterprise-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/bc69b468a9274275cc4e49a3f8135d5d/sonar-architecture-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/38784d6093b56436b7506d76adff42dd/sonar-javaa3scontextcollector-plugin.jar: Cannot open: Permission denied
 /usr/bin/tar: .sonar-cache/f40304095ec8ece109c8...

GitHub Actions: SonarCloud Analysis / Build and analyze: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

 file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.780 Invalid character encountered in file /workspace/src/main/webapp/images/icons/valid.png at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.780 Invalid character encountered in file /workspace/src/main/webapp/css/images/sort_both.png at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.811 Invalid character encountered in file /workspace/src/main/webapp/images/2.gif at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.811 Invalid character encountered in file /workspace/src/main/webapp/images/notepad_blank.gif at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.812 Invalid character encountered in file /workspace/src/main/webapp/billing/CA/ON/images/rightarrow.gif at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.816 Invalid character encountered in file /workspace/src/main/webapp/images/icons/132.png at line 1 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.825 Invalid character encountered in file /workspace/src/main/resources/oscar/oscarBilling/ca/bc/MSP/mspEditCodes.properties at line 661 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
 [WARNING] 20:16:24.831 Invalid character encountered in file /workspace/src/main/webapp/images/clear.png at line 1 for encoding UTF-8. Please fix file content or configure ...

GitHub Actions: SonarCloud Analysis / 0_Build and analyze.txt: Restore encounter panel privilege enforcement

Conclusion: failure

View job details

##[group]Run if [ -z "$SONAR_TOKEN" ]; then
 �[36;1mif [ -z "$SONAR_TOKEN" ]; then�[0m
 �[36;1m  echo "::error::SONAR_TOKEN is not available in this workflow run."�[0m
🧰 Additional context used
📓 Path-based instructions (9)
**/*.java

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.java: Use io.github.carlos_emr.carlos.* namespace for ALL new code; specific packages: DAOs in io.github.carlos_emr.carlos.commn.dao.*, Models in io.github.carlos_emr.carlos.commn.model.*, exception: ProviderDao in io.github.carlos_emr.carlos.dao.ProviderDao
Use PathValidationUtils for ALL file path operations that include user input
NEVER log or expose PHI (Protected Health Information) in logs or error messages
Use SpringUtils.getBean(ClassName.class) for Spring bean injection in Struts2 actions and non-Spring-managed classes
JavaDoc is required on all public classes and methods; do NOT include @author tags, use @since tags with git log timestamps, use CARLOS copyright header for new files

**/*.java: Keep Java package names as io.github.carlos_emr.carlos.* for backward compatibility - DO NOT change internal package names
Use PathValidationUtils for ALL file path operations to prevent path traversal attacks
PHI (Patient Health Information) must NEVER be logged or exposed in error messages
Use NEW namespace io.github.carlos_emr.carlos.* for ALL new code - avoid old org.oscarehr.* and oscar.* packages
Use sanctioned suffixes for layer naming: *Action, *ViewModelAssembler, *ViewModel, *Loader, *Resolver, *Composer, *Validator, *Persister, *Calculator, *Parser, *ImportService, *Service, *Dao, *Dto, *Command. Never combine two role-suffixes or use forbidden suffixes like *Manager, *Helper, *Utils, *Prep
Public JavaDoc is required for public entrypoint classes and non-obvious public/protected methods; carrier DTOs, getters/setters, and private helpers do not need method-by-method JavaDoc
DO NOT add @author tags in JavaDoc (misleading after Bitbucket→GitHub migration); use git history for accurate dates with @since tags
Inline comments should explain the why: legacy compatibility, security/compliance constraints, file-format offsets, transaction boundaries, and non-obvious control flow. Do not narrate o...

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
**/*.{jsp,java}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use OWASP Encoder for ALL user input output: in JSP use ${e:forHtml(value)} with taglib <%@ taglib uri="owasp.encoder.jakarta" prefix="e" %>, in Java use Encode.forHtml(value), with context-specific variants (forHtmlAttribute, forJavaScript, forCssString, forUri, forUriComponent)

Use OWASP Encoder null-safe CARLOS wrappers for all user input encoding: <carlos:encode> tag, ${carlos:forXxx()} EL functions, or SafeEncode.forXxx() Java methods. DO NOT use <e:forXxx>, ${e:forXxx()}, or Encode.forXxx() directly in new code.

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
**/*.{java,sql}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use parameterized queries ONLY in SQL/HQL operations; never use string concatenation for SQL queries

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
src/**/*.java

📄 CodeRabbit inference engine (GEMINI.md)

src/**/*.java: Keep Java packages as io.github.carlos_emr.carlos.* for backward compatibility - do NOT change these internal namespace paths
Preserve existing copyright headers in modified files and preserve GPL version exactly as-is; never remove existing copyright notices

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
src/main/java/io/github/carlos_emr/carlos/**/*Action.java

📄 CodeRabbit inference engine (GEMINI.md)

src/main/java/io/github/carlos_emr/carlos/**/*Action.java: ALWAYS use PathValidationUtils for ALL file path operations to prevent path traversal attacks
Use the *2Action.java naming convention for ALL new Struts2 actions; extend ActionSupport from org.apache.struts2 (not legacy com.opensymphony.xwork2)

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
{src/main/java/io/github/carlos_emr/carlos/**/*.java,src/main/webapp/**/*.jsp}

📄 CodeRabbit inference engine (GEMINI.md)

PHI (Patient Health Information) must NEVER be logged or exposed in error messages

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
src/main/java/io/github/carlos_emr/carlos/**/*.java

📄 CodeRabbit inference engine (GEMINI.md)

src/main/java/io/github/carlos_emr/carlos/**/*.java: All public classes and methods MUST have comprehensive JavaDoc; do NOT add @author tags; use @since with accurate git history dates; document @param, @return, and @throws tags with specific types
Add inline comments on separate lines (not same-line) for complex logic; include comprehensive comments for non-obvious algorithms or healthcare-specific calculations

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
**/*

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve all existing copyright headers in modified files; do not remove or change GPL version statements

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
**/*.{java,jsp,xml,js,css}

📄 CodeRabbit inference engine (CLAUDE.md)

New files must use CARLOS project header as defined in docs/copyright-header-carlos.md

Files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
🧠 Learnings (11)
📚 Learning: 2026-03-06T23:54:01.319Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 563
File: src/main/java/io/github/carlos_emr/carlos/lab/ca/all/parsers/AlphaHandler.java:59-63
Timestamp: 2026-03-06T23:54:01.319Z
Learning: In the carlos-emr/carlos repository, for Java sources under src/main/java, empty no-arg constructors should have only a minimal one-line JavaDoc. Do not add since or other metadata tags to empty constructors, as they provide no meaningful value. Place documentation efforts in the class-level JavaDoc instead.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-03-13T21:29:23.775Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 590
File: src/main/java/io/github/carlos_emr/carlos/eform/actions/DisplayImage2Action.java:69-69
Timestamp: 2026-03-13T21:29:23.775Z
Learning: When reviewing Java source files, allow since Javadoc tags to reflect substantial rewrites or major API changes (e.g., security overhaul, new API surface). Do not flag the tag as incorrect solely because the file predates the tagged date. If flagging is considered, verify against commit history or release notes to confirm the tag corresponds to a meaningful change, not the original introduction. Apply this guidance across Java sources in the repository (src/main/java/**/*.java).

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-11T22:46:51.202Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1556
File: src/main/java/io/github/carlos_emr/carlos/demographic/dto/DemographicListItemDTO.java:74-179
Timestamp: 2026-04-11T22:46:51.202Z
Learning: In this repository, do not require method-level JavaDoc for plain public JavaBean-style getters and setters in Java files under src/main/java/**/*.java. Their meaning should be covered by field-level documentation and/or the class-level JavaDoc. Only require JavaDoc for non-trivial public methods (e.g., constructors with logic, factory methods, and computed/derived accessors where behavior is not just returning/setting a field). In code reviews, missing JavaDoc on simple getters/setters should not be flagged as a documentation violation.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-11T22:47:04.719Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1556
File: src/main/java/io/github/carlos_emr/carlos/provider/dto/ProviderSummaryDTO.java:57-104
Timestamp: 2026-04-11T22:47:04.719Z
Learning: In this repository, do not require JavaDoc for trivial getter and setter methods. Only JavaDoc for types/classes and for more meaningful public API points is expected—e.g., class-level JavaDoc, constructors, static factory methods, and non-trivial public methods (such as formatting helpers). In code reviews, ignore missing JavaDoc on getters/setters.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-05-24T01:01:46.756Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1832
File: src/main/java/io/github/carlos_emr/carlos/utility/CachedDateFormats.java:165-216
Timestamp: 2026-05-24T01:01:46.756Z
Learning: For Java sources under src/main/java/**/*.java, follow the repository’s Documentation Standards (CLAUDE.md) regarding Javadoc requirements: do not require mechanical param/return/throws tags for trivial wrapper/delegator public methods that are essentially one-line pass-throughs to a cached or underlying instance (e.g., methods like parseDefault/formatDefault/parse/format in CachedDateFormats.java). Instead, rely on class-level Javadoc to document the overall contracts, including thread-safety, null handling, return value semantics, and any mutation/restoration behavior (such as timezone restoration). Require full per-method Javadoc tag coverage only for non-trivial public methods whose behavior is not obvious from the context/signature.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-06-25T16:10:08.376Z
Learnt from: Ben-Heerema
Repo: carlos-emr/carlos PR: 3023
File: src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/pageUtil/EConsult2Action.java:287-328
Timestamp: 2026-06-25T16:10:08.376Z
Learning: When reviewing Java code that reconstructs an origin/authority from a `java.net.URI` (e.g., `scheme://host:port`), assume `URI#getHost()` may already return bracketed IPv6 literals such as `[::1]` (not just `::1`). Do not “re-bracket” IPv6 manually when rebuilding the origin from the host returned by `getHost()`. If `getHost()` is `null`, only then apply the malformed-colon/authority fallback rejection logic on that authority-fallback path (the path that runs when `getHost()` is `null`), not on the normal host-based reconstruction path.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-03-24T17:34:18.508Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 716
File: src/main/java/io/github/carlos_emr/carlos/eform/actions/RtlPreventions2Action.java:155-156
Timestamp: 2026-03-24T17:34:18.508Z
Learning: In this repository (carlos-emr/carlos), treat `demographic_no` as an internal database surrogate integer key (the PK of the demographic table), not as PHI. When reviewing code, do not flag logging or output of `demographic_no` as PHI exposure. PHI to flag includes clinical/demographic data elements like patient name, date of birth, HIN, and address.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-07T02:57:10.703Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1111
File: src/main/java/io/github/carlos_emr/carlos/util/JDBCUtil.java:140-142
Timestamp: 2026-04-07T02:57:10.703Z
Learning: When reviewing this repository’s Java code, flag any unprotected use of `SchemaFactory.newInstance(...)` (e.g., instances that do not restrict `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to empty strings). Recommend migrating those call sites to `io.github.carlos_emr.carlos.utility.XmlUtils.createSecureSchemaFactory()` so XML Schema validation is hardened against external entity/schema access. Known migrated call sites include `IndicatorTemplateHandler.java` and `DemographicExportAction42Action.java` (post-PR `#1111`).

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-04T04:11:45.844Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 937
File: src/main/java/io/github/carlos_emr/carlos/documentManager/actions/ManageDocument2Action.java:728-733
Timestamp: 2026-04-04T04:11:45.844Z
Learning: In PRs, when reviewing logging in *Action/*Manager/*Service/*Dao classes, treat the decision to include document filenames/paths in logs as an architectural/policy choice (not a log-sanitization/injection issue). Do not flag logging of sanitized document filenames/paths that have been passed through LogSanitizer as PHI exposure in the context of individual PRs. Limit review scope for “log sanitization” work to CRLF/log-injection prevention (and related injection-safety concerns), not to removing filename/path values from logs, unless there is a separate, enforceable technical reason beyond the injection-sanitization scope.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-05T04:38:53.740Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1000
File: src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementType2Action.java:82-85
Timestamp: 2026-04-05T04:38:53.740Z
Learning: In Struts2 action classes (e.g., `EctAddMeasurementType2Action` and similar), it’s acceptable to handle validation failures by (1) storing errors on the current request via `request.setAttribute("actionErrors", new ArrayList<>(getActionErrors()))` and (2) returning a result name like `"failure"` that forwards/dispatches to the target view (JSP) while preserving request attributes. Do NOT flag this as “errors lost on redirect” because it is not a redirect. Only raise error-loss concerns when `response.sendRedirect(...)` (or equivalent redirect behavior) is used and the code does not persist errors via a session/flash mechanism before returning `NONE`.

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
📚 Learning: 2026-04-05T04:39:00.147Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1000
File: src/main/java/io/github/carlos_emr/carlos/dxresearch/pageUtil/dxResearchUpdateQuickList2Action.java:0-0
Timestamp: 2026-04-05T04:39:00.147Z
Learning: In this Struts2 codebase, when a Struts2 action returns a named result (e.g., "failure") that is mapped in struts XML to another action/JSP, the default result type is `type="dispatcher"` (server-side forward). In this case, original request parameters are preserved and should be available to the forwarded-to target via `StrutsParameter` binding. During code review, do NOT treat missing query/request parameters in the forwarded-to action as data-loss just because they aren’t explicitly listed; only flag missing parameters as a data-loss issue when the code performs a genuine client-side redirect using `response.sendRedirect(...)` and the action returns `NONE` after calling `sendRedirect` (where request parameters are not preserved across the redirect).

Applied to files:

  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java
🪛 ast-grep (0.44.0)
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java

[warning] 401-401: Regular expression is compiled from a non-literal, possibly user-controlled value. A crafted regex (or input matched against one) can trigger catastrophic backtracking and hang the thread (ReDoS). Use a hardcoded literal pattern, wrap untrusted text with Pattern.quote(...), or validate/length-limit the input and enforce a matching timeout before passing it to Pattern.compile / String.matches / String.replaceAll / String.replaceFirst.
Context: params.replaceAll(regex, "")
Note: [CWE-1333] Inefficient Regular Expression Complexity.

(redos-non-literal-regex-java)


[warning] 147-147: Prevent HTTP parameter pollution
Context: request.getParameter("json")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 160-160: Prevent HTTP parameter pollution
Context: request.getParameter("demographicNo")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 171-171: Prevent HTTP parameter pollution
Context: request.getParameter("demographicNo")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 198-198: Prevent HTTP parameter pollution
Context: request.getParameter("curDate")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 203-203: Prevent HTTP parameter pollution
Context: request.getParameter("providerNo")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 215-215: Prevent HTTP parameter pollution
Context: request.getParameter("curProviderNo")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 240-240: Prevent HTTP parameter pollution
Context: request.getParameter("reason")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 249-249: Prevent HTTP parameter pollution
Context: request.getParameter("encType")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 258-258: Prevent HTTP parameter pollution
Context: request.getParameter("userName")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 274-274: Prevent HTTP parameter pollution
Context: request.getParameter(parameterName)
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 283-283: Prevent HTTP parameter pollution
Context: request.getParameter(parameterName)
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 292-292: Prevent HTTP parameter pollution
Context: request.getParameter(parameterName)
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 301-301: Prevent HTTP parameter pollution
Context: request.getParameter("msgId")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 310-310: Prevent HTTP parameter pollution
Context: request.getParameter("source")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 315-315: Prevent HTTP parameter pollution
Context: request.getParameter(parameterName)
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 336-336: Prevent HTTP parameter pollution
Context: request.getParameter("cmd")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)


[warning] 366-366: Prevent HTTP parameter pollution
Context: request.getParameter("hC")
Note: [CWE-235] Improper Handling of Extra Parameters. Security best practice.

(http-parameter-pollution)

🔇 Additional comments (2)
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctDisplayAction.java (2)

400-405: The ast-grep ReDoS hint on Line 401 is a false positive: cmd originates from getCmd() (a subclass constant, not request input) and is neutralized via Pattern.quote(...); the resulting \bLITERAL\b pattern has no alternation/nested quantifiers, so catastrophic backtracking is not possible.


142-158: LGTM!

Also applies to: 198-321, 334-398

Copilot AI review requested due to automatic review settings July 3, 2026 20:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Signed-off-by: Cecil Foubert <Cfoubert0782@conestogac.on.ca>
@CecilFoubert CecilFoubert force-pushed the copilot/fix-privilege-check-override branch from 35d601f to 13a8bd4 Compare July 3, 2026 20:56
@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026

Copy link
Copy Markdown

@CecilFoubert CecilFoubert marked this pull request as ready for review July 3, 2026 21:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] EctDisplayEpisode2Action and EctDisplayPregnancy2Action: privilege check result overridden by 'a = true' (claude assist)

6 participants