Skip to content

fix: standardize SecurityException messages to canonical format in encounter and casemgmt actions#3119

Open
bellaayang wants to merge 1 commit into
carlos-emr:developfrom
bellaayang:fix-issue-2598
Open

fix: standardize SecurityException messages to canonical format in encounter and casemgmt actions#3119
bellaayang wants to merge 1 commit into
carlos-emr:developfrom
bellaayang:fix-issue-2598

Conversation

@bellaayang

@bellaayang bellaayang commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Description

Standardizes non-canonical SecurityException messages across encounter and case management action classes to match the format mandated by CLAUDE.md:

missing required sec object (_objectname)

Changes made:

  • Replaced "missing required security object" (spelled out) with the abbreviated "sec object" form
  • Added missing parentheses around object names where absent
  • Fixed colon separator to parentheses in EctInsertTemplate2Action
  • Replaced "Access Denied!" placeholder messages in 15 measurement admin actions with the correct canonical format, using the object name from the nearby hasPrivilege() check as the source of truth

Related Issues

Fixes #2598

How Was This Tested?

Verified with grep -rn "missing required security object" that all in-scope files no longer contain non-canonical messages. No functional logic was changed.

Checklist

  • My commits are signed off for the DCO (git commit -s)
  • My commits follow Conventional Commits format, or I've written clear commit messages and will use the format next time
  • I have not included any patient data (PHI) in this PR
  • I have added tests for new functionality, or this change doesn't need new tests
  • I have read the contributing guide

Summary by Sourcery

Enhancements:

  • Align security-related exception messages with the canonical format, including consistent use of abbreviated "sec object" wording and parenthesized object names in encounter and case management actions.

Summary by cubic

Standardized SecurityException messages to the canonical format "missing required sec object (...)" across encounter and case management actions for consistent error handling. No behavior changes.

  • Refactors
    • Replaced non-canonical strings and "Access Denied!" placeholders with the canonical format in encounter, consultation, and measurement admin actions (e.g., _demographic, _con, _admin, _admin.consult, _newCasemgmt.templates).
    • Normalized formatting: added parentheses around object names and changed colon separators to parentheses where needed.

Written for commit 04d767f. Summary will update on new commits.

Review in cubic

…counter and casemgmt actions

Signed-off-by: bellaayang <jingjingyjh@126.com>
@bellaayang bellaayang requested a review from yingbull as a code owner July 4, 2026 02:07
@sourcery-ai

sourcery-ai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Standardizes all SecurityException messages in relevant encounter and case management actions to the canonical format mandated by CLAUDE.md, without changing any security logic or privilege checks.

File-Level Changes

Change Details Files
Align SecurityException messages in case management actions to canonical "missing required sec object (_objectname)" format.
  • Replace "missing required security object" phrasing with "missing required sec object" in demographic privilege checks.
  • Ensure object names are wrapped in parentheses in SecurityException messages.
  • Keep existing privilege checks and control flow intact.
src/main/java/io/github/carlos_emr/carlos/casemgmt/web/CaseManagementEntry2Action.java
src/main/java/io/github/carlos_emr/carlos/casemgmt/web/ClientImage2Action.java
Replace generic or malformed SecurityException messages in consultation request actions with canonical text that includes the correct security object name.
  • Update messages that lacked an object name to include the appropriate object from hasPrivilege calls (e.g., _con, _admin.consult).
  • Convert plain text or unwrapped object names to the canonical parenthesized format.
  • Leave request handling and privilege evaluation logic unchanged.
src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/config/pageUtil/ConsultationLookup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/config/pageUtil/CpsoSearch2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/pageUtil/ConsultationClinicalData2Action.java
Standardize measurement admin action SecurityException messages by replacing "Access Denied!" placeholders and non-canonical text with the mandated format.
  • Replace "Access Denied!" placeholder messages with "missing required sec object (_admin)" in all measurement admin actions.
  • Update any remaining "missing required security object" messages to use the abbreviated "sec object" phrasing.
  • Ensure object names and multi-object variants (e.g., _admin or _admin.measurements) are consistently wrapped in parentheses.
  • Preserve existing branching based on privilege checks and return values.
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDefineNewMeasurementGroup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupStyleSheetList2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementGroup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementMap2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementType2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasuringInstruction2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDeleteMeasurementStyleSheet2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDeleteMeasurementTypes2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctEditMeasurementGroup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctEditMeasurementStyle2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctRemoveMeasurementMap2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupAddMeasurementGroup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupAddMeasurementStyleSheet2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupDisplayMeasurementStyleSheet2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupDisplayMeasurementTypes2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupEditMeasurementGroup2Action.java
src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupGroupList2Action.java
Fix non-canonical SecurityException message format in encounter template insertion action.
  • Change colon-separated message to use parentheses around the object name: "missing required sec object (_newCasemgmt.templates)".
  • Retain existing privilege check against _newCasemgmt.templates and subsequent request handling.
src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctInsertTemplate2Action.java

Assessment against linked issues

Issue Objective Addressed Explanation
#2598 Update the SecurityException message in ClientImage2Action to use the canonical format: "missing required sec object (_demographic)".
#2598 Update the SecurityException message in EctInsertTemplate2Action to use the canonical format: "missing required sec object (_newCasemgmt.templates)".

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Standardized permission-denied error messages across case management, consultation, measurement, and template screens.
    • Users now see clearer, consistent messaging when access is blocked due to missing required privileges.
    • No workflow, validation, or access rules were changed.

Walkthrough

This PR standardizes SecurityException messages thrown across 24 action classes in casemgmt, consultation request, and measurement modules. Messages previously using "Access Denied!", "security object" wording, or colon separators are unified to the canonical format "missing required sec object (_objectname)".

Changes

SecurityException Message Standardization

Layer / File(s) Summary
Case management and client image privilege messages
.../casemgmt/web/CaseManagementEntry2Action.java, .../casemgmt/web/ClientImage2Action.java
Messages for missing _demographic privilege changed from "security object" to "sec object" wording.
Consultation request privilege messages
.../oscarConsultationRequest/config/pageUtil/ConsultationLookup2Action.java, .../CpsoSearch2Action.java, .../oscarConsultationRequest/pageUtil/ConsultationClinicalData2Action.java
Messages for missing _con and _admin.consult privileges updated to canonical format.
Measurement group/type/map admin privilege messages
.../oscarMeasurements/pageUtil/EctAddMeasurementGroup2Action.java, EctAddMeasurementMap2Action.java, EctAddMeasurementType2Action.java, EctAddMeasuringInstruction2Action.java, EctDefineNewMeasurementGroup2Action.java, EctDeleteMeasurementTypes2Action.java, EctEditMeasurementGroup2Action.java, EctRemoveMeasurementMap2Action.java
Messages changed from "Access Denied!" variants to "missing required sec object (_admin)".
Measurement stylesheet and setup admin privilege messages
.../oscarMeasurements/pageUtil/EctDeleteMeasurementStyleSheet2Action.java, EctEditMeasurementStyle2Action.java, EctSetupAddMeasurementGroup2Action.java, EctSetupAddMeasurementStyleSheet2Action.java, EctSetupDisplayMeasurementStyleSheet2Action.java, EctSetupDisplayMeasurementTypes2Action.java, EctSetupEditMeasurementGroup2Action.java, EctSetupGroupList2Action.java, EctSetupStyleSheetList2Action.java
Authorization failure messages standardized to the canonical "sec object" format.
Template insertion privilege message
.../encounter/pageUtil/EctInsertTemplate2Action.java
Message for missing _newCasemgmt.templates privilege changed from colon-separated to parenthesized "sec object" format.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • carlos-emr/carlos#2820: Same standardization of SecurityException messages to "missing required sec object (...)" format, applied to a different action class.

Suggested labels: Bug fix, Review effort [1-5]: 4

Suggested reviewers: yingbull

Poem

A hop through code, from field to field,
Where "Access Denied!" once concealed,
Now every message speaks as one:
"missing required sec object" — done!
Twenty-four burrows, tidy and neat,
This rabbit's proud of a job complete. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: standardizing SecurityException messages to the canonical format.
Description check ✅ Passed The description matches the code changes and broadly explains the security-message standardization.
Linked Issues check ✅ Passed The linked issue's two message-format fixes are present in ClientImage2Action and EctInsertTemplate2Action.
Out of Scope Changes check ✅ Passed The extra message updates stay on the same canonical-format task and are not unrelated to the PR objective.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In EctAddMeasurementType2Action, the new SecurityException line is missing a terminating semicolon, which will prevent the class from compiling; please add the semicolon.
  • For actions that check multiple security objects (e.g., _admin and _admin.measurements in the measurement stylesheet actions), ensure the updated exception messages consistently and accurately reflect all objects being checked, similar to the wording used in EctSetupAddMeasurementStyleSheet2Action.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `EctAddMeasurementType2Action`, the new `SecurityException` line is missing a terminating semicolon, which will prevent the class from compiling; please add the semicolon.
- For actions that check multiple security objects (e.g., `_admin` and `_admin.measurements` in the measurement stylesheet actions), ensure the updated exception messages consistently and accurately reflect all objects being checked, similar to the wording used in `EctSetupAddMeasurementStyleSheet2Action`.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request standardizes security exception messages across multiple CARLOS EMR Struts2 actions to consistently use the format "missing required sec object (...)". However, several critical compilation errors were introduced during these changes: a missing semicolon in EctAddMeasurementType2Action.java, and missing closing braces for else blocks in both EctDefineNewMeasurementGroup2Action.java and EctSetupStyleSheetList2Action.java.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.


} else {
throw new SecurityException("Access Denied!"); //missing required sec object (_admin)
throw new SecurityException("missing required sec object (_admin)")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

A semicolon is missing at the end of the statement, which will cause a compilation error.

Suggested change
throw new SecurityException("missing required sec object (_admin)")
throw new SecurityException("missing required sec object (_admin)");

Comment on lines 96 to 98
} else {
throw new SecurityException("Access Denied!"); //missing required sec object (_admin)
}
throw new SecurityException("missing required sec object (_admin)");
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The closing brace } for the else block was accidentally removed, which will cause a syntax/compilation error.

Suggested change
} else {
throw new SecurityException("Access Denied!"); //missing required sec object (_admin)
}
throw new SecurityException("missing required sec object (_admin)");
}
} else {
throw new SecurityException("missing required sec object (_admin)");
}
}

Comment on lines 68 to 70
} else {
throw new SecurityException("Access Denied!"); //missing required sec object (_admin) or (_admin.measurements)
}
throw new SecurityException("missing required sec object (_admin)");
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The closing brace } for the else block was accidentally removed, which will cause a syntax/compilation error.

        } else {
            throw new SecurityException("missing required sec object (_admin)");
        }
    }

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementType2Action.java`:
- Line 104: The throw statement in EctAddMeasurementType2Action has a syntax
error because the SecurityException line is missing its terminating semicolon.
Update the exception throw in the affected handler so the statement is valid
Java and the class compiles cleanly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b3e36e93-65d3-40e1-80ed-372db40ea289

📥 Commits

Reviewing files that changed from the base of the PR and between 65f35ad and 04d767f.

📒 Files selected for processing (23)
  • src/main/java/io/github/carlos_emr/carlos/casemgmt/web/CaseManagementEntry2Action.java
  • src/main/java/io/github/carlos_emr/carlos/casemgmt/web/ClientImage2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/config/pageUtil/ConsultationLookup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/config/pageUtil/CpsoSearch2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarConsultationRequest/pageUtil/ConsultationClinicalData2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementGroup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementMap2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementType2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasuringInstruction2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDefineNewMeasurementGroup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDeleteMeasurementStyleSheet2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctDeleteMeasurementTypes2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctEditMeasurementGroup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctEditMeasurementStyle2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctRemoveMeasurementMap2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupAddMeasurementGroup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupAddMeasurementStyleSheet2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupDisplayMeasurementStyleSheet2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupDisplayMeasurementTypes2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupEditMeasurementGroup2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupGroupList2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctSetupStyleSheetList2Action.java
  • src/main/java/io/github/carlos_emr/carlos/encounter/pageUtil/EctInsertTemplate2Action.java


} else {
throw new SecurityException("Access Denied!"); //missing required sec object (_admin)
throw new SecurityException("missing required sec object (_admin)")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Add the missing semicolon.

This throw statement will not compile as written.

Fix
-            throw new SecurityException("missing required sec object (_admin)")
+            throw new SecurityException("missing required sec object (_admin)");
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
throw new SecurityException("missing required sec object (_admin)")
throw new SecurityException("missing required sec object (_admin)");
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/main/java/io/github/carlos_emr/carlos/encounter/oscarMeasurements/pageUtil/EctAddMeasurementType2Action.java`
at line 104, The throw statement in EctAddMeasurementType2Action has a syntax
error because the SecurityException line is missing its terminating semicolon.
Update the exception throw in the affected handler so the statement is valid
Java and the class compiles cleanly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Maintenance] SecurityException messages in ClientImage2Action and EctInsertTemplate2Action use non-canonical format (claude assist)

1 participant