All bundles are accepted with all scope
When POSTing a bundle like this (in this case it includes a GET/POST/DELETE) I would expect it be only possible with the correct scope (or otherwise 403).
Request
url:
https://nvi.test.gf.irealisatie.nl/v0.2/api/fhir
example body:
{
"resourceType": "Bundle",
"id": "8056af80-b381-4acb-a132-0ef19bdc5b1e",
"total": 3,
"entry": [
{
"request": {
"method": "POST",
"url": "List"
},
"resource": {
"resourceType": "List",
"extension": [
{
"valueReference": {
"identifier": {
"system": "http://fhir.nl/fhir/NamingSystem/ura",
"value": "90000106"
}
},
"url": "http://minvws.github.io/generiekefuncties-docs/StructureDefinition/nl-gf-localization-custodian"
}
],
"subject": {
"identifier": {
"system": "http://minvws.github.io/generiekefuncties-docs/NamingSystem/nvi-identifier",
"value": "XXX"
}
},
"source": {
"identifier": {
"system": "urn:ietf:rfc:3986",
"value": "EHR-SYS-2024-001"
},
"type": "Device"
},
"status": "current",
"mode": "working",
"emptyReason": {
"coding": [
{
"code": "withheld",
"system": "http://terminology.hl7.org/CodeSystem/list-empty-reason"
}
]
},
"code": {
"coding": [
{
"code": "Specimen",
"system": "http://minvws.github.io/generiekefuncties-docs/CodeSystem/nl-gf-data-categories-cs",
"display": "Medicatieafspraak"
}
]
}
}
},
{
"request": {
"method": "GET",
"url": "List?patient.identifier=XX|YY&code=Genomics"
}
},
{
"request": {
"method": "GET",
"url": "List/1edc96d4-c84a-46f7-9c5d-a3118cb9966a"
}
},
{
"request": {
"method": "DELETE",
"url": "List/1edc96d4-c84a-46f7-9c5d-a3118cb9966a"
}
}
],
"type": "transaction"
}
Response
status: 200
body:
{
"resourceType": "Bundle",
"type": "searchset",
"entry": [
{
"response": {
"status": "400",
"outcome": {
"resourceType": "OperationOutcome",
"issue": [
{
"severity": "error",
"code": "error",
"details": {
"text": "Bundle.entry.0: Invalid pseudonym in subject:identifier"
}
}
]
}
}
},
{
"response": {
"status": "422",
"outcome": {
"resourceType": "OperationOutcome",
"issue": [
{
"severity": "error",
"code": "required",
"details": {
"text": "Bundle.entry.1.request: invalid url parameter: 1 validation error for LocalizationListParams\n`patient.identifier`\n Extra inputs are not permitted [type=extra_forbidden, input_value='XX|YY', input_type=str]\n For further information visit https://errors.pydantic.dev/2.13/v/extra_forbidden"
}
}
]
}
}
},
{
"response": {
"status": "404",
"outcome": {
"resourceType": "OperationOutcome",
"issue": [
{
"severity": "error",
"code": "error",
"details": {
"text": "Bundle.entry.2: Record not found"
}
}
]
}
}
},
{
"response": {
"status": "500",
"outcome": {
"resourceType": "OperationOutcome",
"issue": [
{
"severity": "error",
"code": "error",
"details": {
"text": "Bundle.entry.3: Record not found"
}
}
]
}
}
}
]
}
The request is incorrect, but my point is: why is it returning a 400/422/404/500 when the scope is incorrect?
I tried this with different scopes and all responses are the same:
- nvi:localize
- nvi:create
- nvi:read
- nvi:delete
All bundles are accepted with all scope
When POSTing a bundle like this (in this case it includes a GET/POST/DELETE) I would expect it be only possible with the correct scope (or otherwise 403).
Request
url:
https://nvi.test.gf.irealisatie.nl/v0.2/api/fhirexample body:
Response
status: 200
body:
The request is incorrect, but my point is: why is it returning a 400/422/404/500 when the scope is incorrect?
I tried this with different scopes and all responses are the same: