Fire Arrow 2.5.2
Fire Arrow 2.5.2 has been released. This is a security release and all users are strongly encouraged to upgrade to this version.
- (security) Fix LegitimateInterest validator not blocking resources to unauthorized organizations
The LegitimateInterest validator compartmentalizes resources through an association with an Organization. This association is driven via PractitionerRole resources for Practitioner clients. A Practitioner client should not be able to see resources for which they don't have an active role.
A bug in processing search requests compromised this behavior.
```graphql
PatientList(organization: "123") {
  id
}
```
Executing the query above without having an active role in this organization would still return patients associated with this organization. The root cause was improper parsing of search parameters, leading to an invalid comparison when computing the intersection between the allowed and requested organizations.
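As an added illustration (not Fire Arrow's own code), the check below derives the allowed organizations from a Practitioner's active PractitionerRole resources, parses the organization search parameter in the reference forms FHIR permits, and computes the intersection between allowed and requested organizations that the text refers to. The resource shapes and the parameter forms handled are assumptions.

```python
# Added illustration of a LegitimateInterest-style check; not Fire Arrow's own code.
# Assumptions: allowed organizations come from the caller's active PractitionerRole
# resources; the "organization" search parameter may be a bare id ("123"), a
# relative or absolute reference ("Organization/123"), or a comma-separated OR list.

def parse_reference(value):
    """Normalize '123', 'Organization/123' or '.../Organization/123' to the id '123'."""
    value = value.strip()
    if not value:
        return None
    parts = value.split("/")
    if len(parts) == 1:
        return parts[0]            # bare id, as in organization: "123"
    if parts[-2] != "Organization" or not parts[-1]:
        return None                # another resource type, or a trailing slash
    return parts[-1]

def allowed_organizations(practitioner_roles):
    """Organization ids in which the Practitioner holds an active role."""
    allowed = set()
    for role in practitioner_roles:
        if not role.get("active", False):
            continue               # an inactive role grants nothing
        org_id = parse_reference(role.get("organization", {}).get("reference", ""))
        if org_id:
            allowed.add(org_id)
    return allowed

def requested_organizations(search_value):
    """Parse every value of the search parameter, including OR lists like '123,456'."""
    ids = set()
    for token in search_value.split(","):
        org_id = parse_reference(token)
        if org_id:
            ids.add(org_id)
    return ids

def effective_organizations(practitioner_roles, search_value):
    """Intersection of allowed and requested organizations; empty means nothing may be returned."""
    return allowed_organizations(practitioner_roles) & requested_organizations(search_value)

# Constructed sample data: one active role in Organization/123, one inactive role in 999.
SAMPLE_ROLES = [
    {"resourceType": "PractitionerRole", "active": True,
     "organization": {"reference": "Organization/123"}},
    {"resourceType": "PractitionerRole", "active": False,
     "organization": {"reference": "Organization/999"}},
]
```

With the sample roles, a request for organization "999" yields an empty intersection, so the search must return no patients, while "Organization/123,999" is narrowed to "123" only.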
This release fixes the problem and improves the automated test suite to cover this case.