sc-17011 Bypass facility authorization validation for patient reassig… (#5715)

Gyan-Gupta-Rtsl · web-flow · commit 5b15e86b62e9 · 2025-11-13T15:57:19.000+05:30
Bypass Facility Authorization Validation for Patient Reassignment **Story card:** [sc-17011](https://app.shortcut.com/simpledotorg/story/17011/bypass-facility-authorization-validation-for-patient-reassignment) ## Because The facility authorization validation was blocking patient reassignment. We need to skip this validation when `skip_facility_authorization: true` is set. ## This addresses Adds a flag to bypass facility authorization validation for patient reassignment. ## Test instructions 1. Create or reassign a patient to any facility. 2. Sync the data — the patient should disappear from the current facility. 3. Go to the assigned facility, sync first, and then verify that the patient appears in the list.
diff --git a/app/controllers/api/v3/patients_controller.rb b/app/controllers/api/v3/patients_controller.rb
@@ -47,7 +47,7 @@ def unscope_associations
   end
 
   def merge_if_valid(single_patient_params)
-    validator_params = single_patient_params.merge(request_user_id: current_user.id)
+    validator_params = single_patient_params.merge(request_user_id: current_user.id, skip_facility_authorization: true)
     validator = Api::V3::PatientPayloadValidator.new(validator_params)
 
     if validator.check_invalid?
diff --git a/spec/controllers/api/v3/patients_controller_spec.rb b/spec/controllers/api/v3/patients_controller_spec.rb
@@ -134,6 +134,34 @@ def create_record_list(n, options = {})
         expect(Patient.count).to eq 1
         expect(Patient.first.registration_user).to eq request_user
       end
+
+      context "when skip_facility_authorization is set in merge_if_valid" do
+        it "allows syncing patients with assigned facility from a different facility group" do
+          registration_facility_group = create(:facility_group)
+          assigned_facility_group = create(:facility_group)
+
+          registration_facility = create(:facility, facility_group: registration_facility_group)
+          assigned_facility = create(:facility, facility_group: assigned_facility_group)
+
+          patient = build(
+            :patient,
+            registration_facility: registration_facility,
+            assigned_facility: assigned_facility
+          )
+
+          patient_payload = build_patient_payload(patient).merge(
+            registration_facility_id: registration_facility.id,
+            assigned_facility_id: assigned_facility.id
+          )
+
+          post(:sync_from_user, params: {patients: [patient_payload]}, as: :json)
+
+          expect(response).to have_http_status(200)
+          expect(Patient.count).to eq 1
+          expect(Patient.first.registration_facility).to eq registration_facility
+          expect(Patient.first.assigned_facility).to eq assigned_facility
+        end
+      end
     end
 
     describe "updates patients" do
diff --git a/spec/validators/api/v3/patient_payload_validator_spec.rb b/spec/validators/api/v3/patient_payload_validator_spec.rb
@@ -128,6 +128,21 @@ def new_patient_payload(attrs = {})
         expect(valid_payload.valid?).to be true
         expect(invalid_payload.valid?).to be false
       end
+
+      context "when skip_facility_authorization is true" do
+        it "skips assigned facility authorization validation" do
+          invalid_facility_payload = build_patient_payload(patient).deep_merge(
+            "assigned_facility_id" => invalid_facility.id,
+            "request_user_id" => user.id,
+            "skip_facility_authorization" => true
+          )
+          payload = Api::V3::PatientPayloadValidator.new(invalid_facility_payload)
+          payload.validate
+
+          expect(payload.valid?).to be true
+          expect(payload.errors[:assigned_facility_does_not_belong_to_user]).to be_blank
+        end
+      end
     end
 
     context "when schema validations are disabled" do
