Merge pull request #178 from NHSDigital/dev/NPA-4699/Align-Blocked-Resources-With-Confluence-Table

ellie-bound1-NHSD · web-flow · commit 56eef9da1d23 · 2025-04-07T15:07:51.000+01:00
NPA-4699: Align blocked resources for different auths with confluence table
diff --git a/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-app-enabled-endpoint.py
@@ -1,14 +1,23 @@
 path_suffix = flow.getVariable("proxy.pathsuffix").lower()
 request_verb = flow.getVariable("request.verb").lower()
 
-blocked_resources = [
-    ("/fhir/r4/relatedperson", "get"),
-    ("/fhir/r4/questionnaireresponse", "post"),
-]
-
 auth_forbidden = False
-for blocked_resources in blocked_resources:
-    if blocked_resources[0] in path_suffix and blocked_resources[1] == request_verb:
-        auth_forbidden = True
+if request_verb == "patch":
+    # Check blocked endpoint is within path suffix i.e. ignore path parameters
+    blocked_resources = ["/fhir/r4/consent"]
+    for blocked_resource in blocked_resources:
+        if blocked_resource in path_suffix:
+            auth_forbidden = True
+else:
+    # Check blocked endpoint is equal to path suffix
+    requested_resource = (path_suffix, request_verb)
+    blocked_resources = [
+        ("/fhir/r4/relatedperson", "get"),
+        ("/fhir/r4/questionnaire", "get"),
+        ("/fhir/r4/questionnaireresponse", "post"),
+        ("/fhir/r4/questionnaireresponse", "get"),
+        ("/fhir/r4/consent", "post"),
+    ]
+    auth_forbidden = requested_resource in blocked_resources
 
 flow.setVariable("app_auth_forbidden", auth_forbidden)
diff --git a/proxies/live/apiproxy/resources/py/check-user-enabled-endpoint.py b/proxies/live/apiproxy/resources/py/check-user-enabled-endpoint.py
@@ -2,16 +2,18 @@
 path_suffix = flow.getVariable("proxy.pathsuffix").lower()
 request_verb = flow.getVariable("request.verb").lower()
 
+requested_resource = (path_suffix, request_verb)
+
 if auth_level == "p9":
-    blocked_resources = [("/fhir/r4/consent", "post"), ("/fhir/r4/consent", "patch")]
+    blocked_resources = [
+        ("/fhir/r4/questionnaire", "get"),
+        ("/fhir/r4/consent", "post"),
+    ]
 elif auth_level == "all3":
     blocked_resources = [("/fhir/r4/questionnaireresponse", "post")]
 else:
     blocked_resources = []
 
-auth_forbidden = False
-for blocked_resources in blocked_resources:
-    if blocked_resources[0] in path_suffix and blocked_resources[1] == request_verb:
-        auth_forbidden = True
+auth_forbidden = requested_resource in blocked_resources
 
 flow.setVariable("user_auth_forbidden", auth_forbidden)
