hapifhir / hapi-fhir

🔥 HAPI FHIR - Java API for HL7 FHIR Clients and Servers
http://hapifhir.io
Apache License 2.0

?_source= search doesn't respect multi-tenancy partition #2853

Open akeroyd opened 3 years ago

akeroyd commented 3 years ago

NOTE: Before filing a ticket, please see the following URL: https://github.com/hapifhir/hapi-fhir/wiki/Getting-Help

Describe the bug

Similar issue to https://github.com/hapifhir/org.hl7.fhir.core/issues/392. Data can leak from one partition to another when using the `_source` search parameter.

To Reproduce

Steps to reproduce the behavior:

1. Start a server with partitioning enabled

```shell
docker run -p 8080:8080 -e hapi.fhir.partitioning.allow_references_across_partitions=false -e hapi.fhir.partitioning.partitioning_include_in_search_hashes=false hapiproject/hapi:latest
```

2. Create a partition `aaa`

```shell
curl -d '{"resourceType": "Parameters","parameter": [{"name": "id","valueInteger": 1},{"name": "name","valueCode": "aaa"}]}' -H "Content-Type: application/json" -X POST http://localhost:8080/fhir/default/\$partition-management-create-partition
```

3. Create a partition `bbb`

```shell
curl -d '{"resourceType": "Parameters","parameter": [{"name": "id","valueInteger": 2},{"name": "name","valueCode": "bbb"}]}' -H "Content-Type: application/json" -X POST http://localhost:8080/fhir/default/\$partition-management-create-partition
```

4. Create a patient in the `aaa` partition

```shell
curl -d '{"resourceType": "Patient","name": [{ "family": "Aaronson" }], "meta": { "source": "http://acme.org/aaa" }}' -H "Content-Type: application/json" -X POST http://localhost:8080/fhir/aaa/Patient
```

5. Search for all patients in the `bbb` partition

```shell
curl http://localhost:8080/fhir/bbb/Patient
# 0 results found
```

6. Search for `_source=http://acme.org/aaa` in the `bbb` partition

```shell
curl http://localhost:8080/fhir/bbb/Patient?_source=http%3A%2F%2Facme.org%2Faaa
# 1 result found from `aaa` partition
```

Expected behavior

No results should be found, as no patient matching that search exists in the tenant.

Environment (please complete the following information):

Additional context

I've checked most of the search parameters for Patient, and `_source` is the only one not working as expected.
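A partition-isolation smoke check for the behaviour the report expects, as an added example (not part of the issue or of the HAPI FHIR project): it searches the tenant that must not own the data and returns whatever that tenant can see, with the HTTP fetcher injectable so the same check runs offline against a captured Bundle. `BASE_URL`, the tenant names and the `meta.source` value are assumptions taken from the reproduction above; `family=Aaronson` is included only as a control parameter the reporter says behaves correctly.

```python
import json
import urllib.parse
import urllib.request

# Assumptions: the docker server from the report, tenant in the URL path,
# and the patient with this meta.source created only in partition "aaa".
BASE_URL = "http://localhost:8080/fhir"
SOURCE = "http://acme.org/aaa"


def search_url(tenant, param, value):
    """Tenant-scoped search URL, e.g. .../fhir/bbb/Patient?_source=..."""
    return f"{BASE_URL}/{tenant}/Patient?{urllib.parse.urlencode({param: value})}"


def fetch_json(url):
    """Default fetcher: GET the URL and parse the response body as JSON."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def leaked_entries(foreign_tenant, param, value, fetch=fetch_json):
    """Search a tenant that must NOT own the data; return the resources it saw.

    Anything returned here is data visible across a partition boundary.
    `fetch` is injectable so the check can run offline on a captured Bundle.
    """
    bundle = fetch(search_url(foreign_tenant, param, value))
    if bundle.get("resourceType") != "Bundle":
        # e.g. an OperationOutcome: a failed check, not evidence of "no leak"
        raise ValueError(f"expected a searchset Bundle, got {bundle.get('resourceType')}")
    return [e["resource"] for e in bundle.get("entry", []) if "resource" in e]


def isolation_ok(foreign_tenant, param, value, fetch=fetch_json):
    """True when the foreign tenant sees nothing for this search."""
    return not leaked_entries(foreign_tenant, param, value, fetch)


if __name__ == "__main__":
    # Reproduction from the report: the data lives in "aaa", so partition
    # "bbb" must return nothing for the _source search (and for the control).
    for param, value in [("_source", SOURCE), ("family", "Aaronson")]:
        leaked = leaked_entries("bbb", param, value)
        status = "OK" if not leaked else f"LEAK ({len(leaked)} resource(s) visible)"
        print(f"bbb Patient?{param}={value}: {status}")
```

Run it after the six reproduction steps; a fixed server prints `OK` for both searches, while the behaviour in the report prints `LEAK` for `_source`.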

sebapenna commented 1 month ago

Same issue here! Any updates on this?