NRL-1205 add negative tests for category search without correct perms

katebobyn-nhs · katebobyn-nhs · commit aba621417a7b · 2025-06-03T09:03:14.000+01:00
diff --git a/tests/features/consumer/searchDocumentReference-failure.feature b/tests/features/consumer/searchDocumentReference-failure.feature
@@ -162,23 +162,14 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
       }
       """
 
-  Scenario: Search gives 403 if no permission
+  Scenario: Search rejects request if the organisation has no registered pointer types but uses category filter
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
-    And a DocumentReference resource exists with values:
-      | property    | value                             |
-      | id          | 8FW23-1114567890-SearchDocRefTest |
-      | subject     | 9278693472                        |
-      | status      | current                           |
-      | type        | 736253002                         |
-      | category    | 734163000                         |
-      | contentType | application/pdf                   |
-      | url         | https://example.org/my-doc.pdf    |
-      | custodian   | 8FW23                             |
-      | author      | 8FW23                             |
-    When consumer 'Z26' searches for DocumentReferences with parameters:
-      | parameter | value      |
-      | subject   | 9278693472 |
-      | type      | 736253002  |
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system | value |
+    When consumer 'RX898' searches for DocumentReferences with parameters:
+      | parameter | value                             |
+      | subject   | 9278693472                        |
+      | category  | http://snomed.info/sct\|734163000 |
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -193,15 +184,53 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
             "display": "Access has been denied to process this request"
           }]
         },
-        "diagnostics": "Your organisation 'Z26' does not have permission to access this resource. Contact the onboarding team."
+        "diagnostics": "Your organisation 'RX898' does not have permission to access this resource. Contact the onboarding team."
       }
       """
 
-  Scenario: Search rejects request if the organisation has no registered pointer types
+  Scenario: Search returns no results if category filter is used without any relevant type permissions
     Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And the organisation 'RX898' is authorised to access pointer types:
+      | system                 | value     |
+      | http://snomed.info/sct | 736253002 |
+    And a DocumentReference resource exists with values:
+      | property    | value                            |
+      | id          | 8FW23-537854543-SearchDocRefTest |
+      | subject     | 9278693472                       |
+      | status      | current                          |
+      | type        | 1363501000000100                 |
+      | category    | 1102421000000108                 |
+      | contentType | application/pdf                  |
+      | url         | https://example.org/my-doc.pdf   |
+      | custodian   | 8FW23                            |
+      | author      | 8FW23                            |
     When consumer 'RX898' searches for DocumentReferences with parameters:
+      | parameter | value                                    |
+      | subject   | 9278693472                               |
+      | category  | http://snomed.info/sct\|1102421000000108 |
+    Then the response status code is 200
+    And the response is a searchset Bundle
+    And the Bundle has a self link matching 'DocumentReference?subject:identifier=https://fhir.nhs.uk/Id/nhs-number|9278693472&category=http://snomed.info/sct|1102421000000108'
+    And the Bundle has a total of 0
+    And the Bundle has 0 entries
+
+  Scenario: Search gives 403 if no permission
+    Given the application 'DataShare' (ID 'z00z-y11y-x22x') is registered to access the API
+    And a DocumentReference resource exists with values:
+      | property    | value                             |
+      | id          | 8FW23-1114567890-SearchDocRefTest |
+      | subject     | 9278693472                        |
+      | status      | current                           |
+      | type        | 736253002                         |
+      | category    | 734163000                         |
+      | contentType | application/pdf                   |
+      | url         | https://example.org/my-doc.pdf    |
+      | custodian   | 8FW23                             |
+      | author      | 8FW23                             |
+    When consumer 'Z26' searches for DocumentReferences with parameters:
       | parameter | value      |
       | subject   | 9278693472 |
+      | type      | 736253002  |
     Then the response status code is 403
     And the response is an OperationOutcome with 1 issue
     And the OperationOutcome contains the issue:
@@ -216,7 +245,7 @@ Feature: Consumer - searchDocumentReference - Failure Scenarios
             "display": "Access has been denied to process this request"
           }]
         },
-        "diagnostics": "Your organisation 'RX898' does not have permission to access this resource. Contact the onboarding team."
+        "diagnostics": "Your organisation 'Z26' does not have permission to access this resource. Contact the onboarding team."
       }
       """
 
