https://e-health-ua.atlassian.net/wiki/spaces/EN/pages/17591304241 (remove the link block before publishing the document)

1 Properties of a REST API method document
2 Purpose
3 Logic
4 Configuration parameters
5 Dictionaries
6 Input parameters
7 Request structure
8 Headers
9 Request data validation
10 Authorize
- 10.1 Validate legal entity
- 10.2 Validate patient
- 10.3 Validate User
- 10.4 Request validation
11 Processing
12 Response structure examples
13 HTTP status codes
14 Post-processing processes
15 Technical modules where the method is used

Properties of a REST API method document

Document type	Метод REST API
Document title	[Document status] REST API [Назва методу] [ID методу]
Guideline ID	GUI-0011
Author	@
Document version	1
Document status	DRAFT
Date of creation	ХХ.ХХ.ХХХХ (дата фінальної версії документа – RC або PROD)
Date of update	ХХ.ХХ.ХХХХ (дата зміни версії)
Method API ID	API-007-009-001-0305
Microservices (namespace)	ME
Component	Procedure
Component ID	COM-007-009
Link на API-специфікацію	https://medicaleventsmisapi.docs.apiary.io/#reference/medical-events/procedures/cancel-procedure
Resource	{{host}}/api/patients/{{person_id}}/procedures/{{id}}/actions/cancel
Scope	procedure:write
Protocol type	REST
Request type	PATCH
Sync/Async	Async
Public/Private	Public

Purpose

This WS allows to cancel procedure in case they were entered in error.

Logic

This WS allows to cancel existing procedure and change its status to entered_in_error in case of any mistake. The new correct procedure could be created instead. Method receives signed message (pkcs7) that consists of signed content, digital signature and signer public key. All signature fields will be validated (including signer certificate authority)

Important

Signed content of procedure must be equal to procedure stored in DB. See Get Procedure by search params
status_reason and explanatory_letter (optional) must be added to signed content

Відкликання процедури (entered in error)

Configuration parameters

Description of the configuration parameters that are used when processing a request in the system

Dictionaries

Provides a list of links to dictionaries that are available in Confluence

Input parameters

	Input parameter	Mandatory	Type	Description	Example

	Input parameter	Mandatory	Type	Description	Example
1
2

Request structure

See on Apiary

See on API-specification

{
  "signed_data": "ew0KICAicGVyaW9kIjogew0KIC..."
}

Headers

	Key	Value	Mandatory	Description	Example

	Key	Value	Mandatory	Description	Example
1	Content-Type	application/json	M	Тип контенту	Content-Type:application/json
2	Authorization	Bearer {{access_token}}			Authorization:Bearer {{access_token}}
3	API-key	{{secret}}			API-key:{{secret}}

Request data validation

Authorize

Request to process the request using a token in the headers

Verify the validity of access token
- return 401 in case validation fails
Verify token is not expired
- in case error - return 401
Check user scopes in order to perform this action (scope = 'procedure:write')
- return 403 in case invalid scope(s)

Validate legal entity

Validate procedure belongs to the legal entity where the current user works
- ME.procedure.managing_organization==token.client_id
  - in case of error return 409 "Managing_organization in the procedure does not correspond to user`s legal_entity"

Validate patient

Validate patient is active
- ME.patient.status=="active" and is_active=true
  - in case of error return "Patient is not active"

Validate User

Extract user_id and client_id from token
Get list of APPROVED employees with this user_id in current Legal Entity
Check that for user one of the conditions is TRUE:
- user has an employee that specified as author of the procedure ($.procedure.recorded_by.identifier.value is in the list of APPROVED employees)
- OR check that user has an employee which has approval granted by the patient with access_level:write for this procedure resource ($.approvals.granted_resources.identifier.value==$.procedure._id AND $.approvals.granted_to.identifier.value==PRM.employees.id AND $.approvals.access_level='write')
- OR user has an employee which has MED_ADMIN employee type
- otherwise, return error 409 "Employee is not performer of procedure, don't has approval or required employee type"
If BLOCK_UNVERIFIED_PARTY_USERS is true, then check user's party data match following condition: verification_status != NOT_VERIFIED or (verification_status = NOT_VERIFIED and updated_at <= current_date - UNVERIFIED_PARTY_PERIOD_DAYS_ALLOWED):
- in case not match - return 403 ("Access denied. Party is not verified")

Request validation

Validate digital signature
1. ds.drfo == PRM.parties.tax_id where (PRM.parties.id==PRM.employees.party_id where (PRM.employees.id==$.performer.identifier.value))
  1. in case of error - return 409 ("Signer DRFO doesn't match with requester tax_id")
Compare signed_content to previously created content
1. select procedure, select * from procedures context.identifier.value=procedure_id and compare to signed_content (do not include status, status_reason and explanatory_letter )
  1. in case of inconsistencies return "Submitted signed content does not correspond to previously created content"
Validate status_reason is in dictionary eHealth/procedure_status_reasons
1. in case error return 422, "status_reason not in a dictionary eHealth/procedure_status_reasons"
Validate user performs action with procedure that belong to his legal entity
1. ME.patient{patinet_id}.procedures{procedure_id}.managing_organization==token.client_id
  1. in case of error return 422 "Managing_organization in the procedure does not correspond to user`s legal_entity"

Processing

Save signed_content to Media Storage
Set status `ENTERED_IN_ERROR` for procedure
Set cancellation_reason
Set explanatory_letter

Response structure examples