Specification
Validations
Authorization
- Verify the validity of access token
- Return (401, 'unauthorized') in case of validation fails
- Verify that token is not expired
- in case of error - return (401, 'unauthorized')
- Check user scopes in order to perform this action (scope = 'service_request:read')
- Return (403, 'invalid scopes') in case of invalid scope(s)
Validate data consistency
- Ensure that requested episode of care relates to requested patient
- Return (404, 'not found') in case of error
Check user privileges
If ANY of this rules is met - user has privileges to access this data
Otherwise - access to this data is denied. Return (403, 'forbidden')
Rule 1: User who has active declaration with patient is "authorized" to manage all patient's data
- Extract user_id, client_id, client_type
2. Determine the party_id associated with this user_id
SELECT pu.party_id FROM party_users pu WHERE pu.user_id = :user_id;
3. Determine employees related to this party_id in current MSP
SELECT e.id FROM employees e WHERE e.party_id = :party_id AND e.legal_entity_id = :client_id;
4. Find patient declarations in this MSP
SELECT d.id FROM declarations d WHERE d.legal_entity_id = :client_id AND d.employee_id IN (:employees) AND d.status IN ('active', 'pending_verification') AND d.person_id = :patient_id;
Rule 2: User with active approval to this episode can view episode details and its child entities
TBD
Service logic
- Return all service requests related to specified episode of care
- Find all encounters related to specified episode of care (Medical Events DB: $.encounters[*].episode.identifier.value == :episode_id)
- Find all service requests related to received encounters (Medical Events DB: $.service_requests[*].context.identifier.value IN :encounters)