Bug #604 (closed): security constraints for REST controller are insufficient
Description
Please revise the security restrictions of the REST controllers. For example, it is possible to retrieve all patients through the REST API if the institution parameter is absent from the call. Currently fixed by a workaround in PatientRecordController:
```java
@PreAuthorize("hasRole('" + SecurityConstants.ROLE_ADMIN + "') OR (institutionKey != null )")
public List<PatientRecordDto> getRecords(@RequestParam(value = "institution", required = false) String institutionKey) {
    ...
}
```
- Java tests of the REST controllers' security should be added to confirm that the restriction works correctly.
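An added example of the kind of test this asks for (not code from the project): a Spring Boot MockMvc test that pins the access rule on the records endpoint for an admin, a non-admin with and without the institution parameter, and an anonymous caller. The endpoint path `/api/patients`, the role name `USER`, the institution value `inst-1` and the 401 for anonymous requests are assumptions about the project's configuration.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class PatientRecordControllerSecurityTest {

    // Assumed mapping of PatientRecordController.getRecords; adjust to the real path.
    private static final String RECORDS_URL = "/api/patients";

    @Autowired
    private MockMvc mockMvc;

    // The bug: a non-admin omitting "institution" must not get every patient back.
    @Test
    @WithMockUser(roles = "USER")
    void nonAdminWithoutInstitutionIsForbidden() throws Exception {
        mockMvc.perform(get(RECORDS_URL))
               .andExpect(status().isForbidden());
    }

    // A non-admin scoped to an institution is still served (value is constructed).
    @Test
    @WithMockUser(roles = "USER")
    void nonAdminWithInstitutionIsAllowed() throws Exception {
        mockMvc.perform(get(RECORDS_URL).param("institution", "inst-1"))
               .andExpect(status().isOk());
    }

    // Only ROLE_ADMIN may list records across all institutions.
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminWithoutInstitutionIsAllowed() throws Exception {
        mockMvc.perform(get(RECORDS_URL))
               .andExpect(status().isOk());
    }

    // Unauthenticated callers get no data at all; 401 assumes an entry point that does not redirect.
    @Test
    void anonymousIsRejected() throws Exception {
        mockMvc.perform(get(RECORDS_URL).param("institution", "inst-1"))
               .andExpect(status().isUnauthorized());
    }
}
```

Note that the workaround only checks that the parameter is present; it does not verify that the caller actually belongs to the institution named, so a revised rule should add that check and a test for a user supplying another institution's key.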