Merge branch '6.0.0-alpha.1' into OHM-1082-add-eslint-alpha

Author: MattyJ007

src/api/audits.js

@@ -91,6 +91,10 @@ export async function addAudit(ctx) {
   }
 }
 
+function checkPatientID(patientID) {
+  return /^[\d\w-]*$/.test(patientID) // PatientID should only be alpha numerical and may contain hyphens
+}
+
 /*
  * Retrieves the list of Audits
  */
@@ -144,28 +148,58 @@ export async function getAudits(ctx) {
     if (filters['participantObjectIdentification.participantObjectID']) {
       // filter by AND on same property for patientID and objectID
       if (filters['participantObjectIdentification.participantObjectID'].type) {
-        const patientID = new RegExp(
-          filters[
-            'participantObjectIdentification.participantObjectID'
-          ].patientID
-        )
-        const objectID = new RegExp(
-          filters[
-            'participantObjectIdentification.participantObjectID'
-          ].objectID
+        const patientID = JSON.parse(
+          filters['participantObjectIdentification.participantObjectID']
+            .patientID
         )
-        filters.$and = [
-          {'participantObjectIdentification.participantObjectID': patientID},
-          {'participantObjectIdentification.participantObjectID': objectID}
-        ]
-        // remove participantObjectIdentification.participantObjectID property as we create a new '$and' operator
-        delete filters['participantObjectIdentification.participantObjectID']
+        if (checkPatientID(patientID.substring(0, patientID.indexOf('\\^')))) {
+          const patientIDRegEx = new RegExp(patientID)
+          const objectIDRegEx = new RegExp(
+            filters[
+              'participantObjectIdentification.participantObjectID'
+            ].objectID
+          )
+          filters.$and = [
+            {
+              'participantObjectIdentification.participantObjectID':
+                patientIDRegEx
+            },
+            {
+              'participantObjectIdentification.participantObjectID':
+                objectIDRegEx
+            }
+          ]
+          // remove participantObjectIdentification.participantObjectID property as we create a new '$and' operator
+          delete filters['participantObjectIdentification.participantObjectID']
+        } else {
+          utils.logAndSetResponse(
+            ctx,
+            400,
+            'Special characters (except for hyphens(-)) not allowed in PatientID filter field',
+            'error'
+          )
+          return
+        }
       } else {
         const participantObjectID = JSON.parse(
           filters['participantObjectIdentification.participantObjectID']
         )
-        filters['participantObjectIdentification.participantObjectID'] =
-          new RegExp(`${participantObjectID}`)
+        if (
+          checkPatientID(
+            participantObjectID.substring(0, participantObjectID.indexOf('\\^'))
+          )
+        ) {
+          filters['participantObjectIdentification.participantObjectID'] =
+            new RegExp(`${participantObjectID}`)
+        } else {
+          utils.logAndSetResponse(
+            ctx,
+            400,
+            'Special characters (except for hyphens(-)) not allowed in PatientID filter field',
+            'error'
+          )
+          return
+        }
       }
     }
 

test/integration/auditAPITests.js

@@ -204,6 +204,75 @@ describe('API Integration Tests', () => {
         res.body.length.should.equal(countBefore + 1)
       })
 
+      it('should call getAudits with incorrect participantObjectID ', async () => {
+        let filters = {
+          'participantObjectIdentification.participantObjectID':
+            '"!1234\\\\^\\\\^\\\\^.*&.*&.*"'
+        }
+        filters = JSON.stringify(filters)
+        const res = await request(BASE_URL)
+          .get(
+            `/audits?filterPage=0&filterLimit=10&filters=${encodeURIComponent(
+              filters
+            )}`
+          )
+          .set('auth-username', testUtils.rootUser.email)
+          .set('auth-ts', authDetails.authTS)
+          .set('auth-salt', authDetails.authSalt)
+          .set('auth-token', authDetails.authToken)
+          .expect(400)
+
+        res.statusCode.should.be.exactly(400)
+      })
+
+      it('should call getAudits with correct participantObjectID ($and) ', async () => {
+        let filters = {
+          'participantObjectIdentification.participantObjectID': {
+            type: 'AND',
+            patientID: '"1234\\\\^\\\\^\\\\^.*&.*&.*"',
+            objectID: '123'
+          }
+        }
+        filters = JSON.stringify(filters)
+        const res = await request(BASE_URL)
+          .get(
+            `/audits?filterPage=0&filterLimit=10&filters=${encodeURIComponent(
+              filters
+            )}`
+          )
+          .set('auth-username', testUtils.rootUser.email)
+          .set('auth-ts', authDetails.authTS)
+          .set('auth-salt', authDetails.authSalt)
+          .set('auth-token', authDetails.authToken)
+          .expect(200)
+
+        res.statusCode.should.be.exactly(200)
+      })
+
+      it('should call getAudits with incorrect participantObjectID ($and) ', async () => {
+        let filters = {
+          'participantObjectIdentification.participantObjectID': {
+            type: 'AND',
+            patientID: '"!1234\\\\^\\\\^\\\\^.*&.*&.*"',
+            objectID: '123'
+          }
+        }
+        filters = JSON.stringify(filters)
+        const res = await request(BASE_URL)
+          .get(
+            `/audits?filterPage=0&filterLimit=10&filters=${encodeURIComponent(
+              filters
+            )}`
+          )
+          .set('auth-username', testUtils.rootUser.email)
+          .set('auth-ts', authDetails.authTS)
+          .set('auth-salt', authDetails.authSalt)
+          .set('auth-token', authDetails.authToken)
+          .expect(400)
+
+        res.statusCode.should.be.exactly(400)
+      })
+
       it("should generate an 'audit log used' audit when using non-basic representation", async () => {
         const result = await new AuditModel(auditData).save()