This repository was archived by the owner on Sep 12, 2024. It is now read-only.
# Typical 'Medical data' points (Immunization, MedicationStatement etc)
# Pass in subject and sourceIds separately. Polar isn't quite smart enough to substitute known parts of
# variables passed in, so we use multiple variables representing things that may or may not be known upfront
# Patient reading an Immunization: allowed only when the record's patient is `subject`,
# its sourceIds unify with `sourceIds`, the actor passes access_frozen_check and the
# actor is the subject (self_check). There is no source or consent branch in this rule,
# so it never grants a patient access to another patient's record.
# NOTE(review): `subject` and `sourceIds` are supplied by the caller and only tied to
# `resource` by unification; the decision presumably relies on the host applying the
# resulting `resource` bindings when it fetches data. Confirm against the caller.
allow(patient: Patient, "read", resource: Immunization, subject: Patient, sourceIds) if
# bind these here so that we only have to look at the bindings for 'resource' in the results
resource.patient = subject and
resource.sourceIds = sourceIds and
access_frozen_check(patient) and
self_check(patient, subject);
# Carer (RelatedPerson) reading an Immunization: the record must belong to `subject`
# and match `sourceIds`, neither party may be access-frozen, and the carer must pass
# EITHER source_check OR consent_check.
# Security note: sharing_disabled_check is only reached through consent_check, so the
# source_check branch grants access even when the subject has sharing disabled and has
# given no consent. NOTE(review): confirm this is the intended "team data view" behaviour.
allow(carer: RelatedPerson, "read", resource: Immunization, subject: Patient, sourceIds) if
# bind these here so that we only have to look at the bindings for 'resource' in the results
resource.patient = subject and
resource.sourceIds = sourceIds and
access_frozen_check(carer, subject) and (
source_check(carer, sourceIds) or
consent_check(carer, resource, subject));
# Practitioner reading an Immunization: the record must belong to `subject` and match
# `sourceIds`, the practitioner form of access_frozen_check must pass, and the
# practitioner must pass EITHER source_check OR consent_check.
# Security note: as in the carer rule, the source_check branch does not consult
# sharing_disabled_check or the subject's consents. Combined with the isTeamPro and
# isBtgActive shortcuts in the helper rules, this is the widest grant in the file.
# NOTE(review): confirm the host logs which branch authorised each read.
allow(practitioner: Practitioner, "read", resource: Immunization, subject: Patient, sourceIds) if
# bind these here so that we only have to look at the bindings for 'resource' in the results
resource.patient = subject and
resource.sourceIds = sourceIds and
access_frozen_check(practitioner, subject) and (
source_check(practitioner, sourceIds) or
consent_check(practitioner, resource, subject));
# Access frozen #
# Patient form (one argument): passes only when `patient.isAccessFrozen` does not hold.
# NOTE(review): behaviour when the attribute is missing or null is not visible here;
# confirm the host always supplies a boolean so an absent flag cannot read as "not frozen".
access_frozen_check(patient: Patient) if
not patient.isAccessFrozen;
# Carer form: passes only when neither the carer nor the subject is access-frozen,
# so a freeze on either side blocks the carer's read.
access_frozen_check(carer: RelatedPerson, subject: Patient) if
not carer.isAccessFrozen and
not subject.isAccessFrozen;
# Practitioner form: passes when the practitioner has `isTeamPro` set OR the subject is
# not access-frozen. An isTeamPro practitioner therefore bypasses the subject's freeze.
# Unlike the carer form, the practitioner's own `isAccessFrozen` is never consulted.
# NOTE(review): confirm practitioners cannot be frozen, or add that check deliberately.
access_frozen_check(practitioner: Practitioner, subject: Patient) if
practitioner.isTeamPro or
not subject.isAccessFrozen;
# self access #
# Passes when the acting patient and the subject have equal `id` values.
# The comparison is on ids only, not object identity.
# NOTE(review): assumes ids are unique across Patient records; verify against the data model.
self_check(patient: Patient, subject: Patient) if
subject.id == patient.id;
# source access (AKA team data view) #
# Carer form: passes when the carer's id is a member of `sourceIds`.
# `sourceIds` is whatever the calling rule passes in. In the allow rules it is the
# caller-supplied value unified with `resource.sourceIds`, so this check is only as
# trustworthy as that binding.
source_check(carer: RelatedPerson, sourceIds) if
carer.id in sourceIds;
# Practitioner form: passes when either the practitioner's own id or their team id is a
# member of `sourceIds`, so every member of a source team gains access.
# NOTE(review): if `teamId` can be unset, confirm `sourceIds` can never contain a value
# that an empty or null team id would match.
source_check(practitioner: Practitioner, sourceIds) if
practitioner.id in sourceIds or
practitioner.teamId in sourceIds;
# consent access #
# Carer form: passes when the subject has not disabled sharing AND the resource's
# `privacyFlag` is a member of the entry of `subject.consents` keyed by the carer's id.
# `carerId` is bound first so it can be used as the key in the `.( )` lookup.
# NOTE(review): presumably a carer with no entry in `consents` fails the lookup and is
# denied; confirm a missing key cannot resolve to a value that matches.
consent_check(carer: RelatedPerson, resource: PatientResource, subject: Patient) if
sharing_disabled_check(subject) and (
carerId := carer.id and
resource.privacyFlag in subject.consents.(carerId));
# Practitioner form: the subject must not have disabled sharing, and then EITHER
# `practitioner.isBtgActive` holds OR the resource's `privacyFlag` is listed in the
# subject's consents under the practitioner's id or team id.
# Security note: isBtgActive skips the per-flag consent lookup entirely but is still
# gated by sharing_disabled_check. NOTE(review): "Btg" presumably means break-the-glass;
# confirm the host sets the flag only for a bounded, audited session, since nothing in
# this policy limits its scope or duration.
# NOTE(review): if `teamId` can be unset, confirm the `consents.(practitionerTeamId)`
# lookup fails closed.
consent_check(practitioner: Practitioner, resource: PatientResource, subject: Patient) if
sharing_disabled_check(subject) and
(practitioner.isBtgActive or (
practitionerId := practitioner.id and
practitionerTeamId := practitioner.teamId and
(resource.privacyFlag in subject.consents.(practitionerId)
or resource.privacyFlag in subject.consents.(practitionerTeamId))));
# Passes when `subject.isSharingDisabled` does NOT hold. Despite the name, success
# means sharing is enabled. Only the consent_check rules call this; the source_check
# branches of the allow rules do not.
sharing_disabled_check(subject: Patient) if
not subject.isSharingDisabled;
# More complex Communication type
# allow(actor: Actor, operation: String, communication: Communication) if
# access_frozen_check(actor, communication) and
# private_communication_check(actor, communication) and
# draft_communication_check(actor, communication) and (
# self_check(actor, communication) or
# source_check(actor, communication) or
# consent_check(actor, communication) or
# communication_participant_check(actor, communication));
#
# private_communication_check(actor: Actor, communication: Communication) if
# # // TODO: MFA - Semantics of private conversations, can the team access?
# # what about system users? Current rules say no
# not communication.private or
# communication.sender = actor
# or communication.recipients.contains(actor);
#
# draft_communication_check(actor: Actor, communication: Communication) if
# not communication.draft or
# communication.sender = actor;
#
# # // TODO: MFA - This is only necessary if it's possible to have someone as
# # a participant when they don't have consent for the privacy flag of the
# # conversation.
# communication_participant_check(actor: Actor, communication: Communication) if
# communication.participants.contains(actor);