Access Policies for Websocket Subscriptions #4385

rahul1 · 2024-04-16T22:50:05Z

Problem

Patient user creates a websocket Subscription resource to recieve incoming chats
Admin would like to create an access policy to prevent Patient user from manipulating other Subscription resources
The following policy won't work, because Subscriptions are not added to a Patient compartment

    {
      resourceType: 'Subscription',
      criteria: 'Subscription?type=websocket&_compartment=%profile',
    }

Add an author search param (only to Subscriptions) to every resource that points to meta.author. Then we can restrict access as such:

    {
      resourceType: 'Subscription',
      criteria: 'Subscription?type=websocket&author=%profile',
    }

Add Subscriptions to the Patient compartment (we would have to handle the case of Practitioner users seperately)
???

The text was updated successfully, but these errors were encountered:

rahul1 added the subscriptions Features and fixes related to subscriptions label Apr 16, 2024

rahul1 assigned ThatOneBro Apr 30, 2024

rahul1 added this to the May 31st, 2024 milestone Apr 30, 2024

ThatOneBro mentioned this issue May 11, 2024

feat(Subscription): add author as a SearchParameter #4540

Merged

ThatOneBro closed this as completed in #4540 May 14, 2024