Fire Arrow Server 1.12.2
Fire Arrow Server 1.12.2 has been released.
- (bugfix) QuestionnaireResponse/$extract works end-to-end when the client role is allowed to read the questionnaire and structure definitions the response depends on
QuestionnaireResponse/$extract Could Fail After Processing Started
POST /fhir/QuestionnaireResponse/{id}/$extract is the Structured Data Capture extract operation. It turns a completed questionnaire response into clinical resources such as Observation and Condition. Client roles need an operation: extract rule on QuestionnaireResponse to call it.
Fire Arrow Server 1.12.0 fixed a case where that rule was ignored and every non-admin call was rejected with 403 Forbidden immediately. After upgrading to 1.12.0, some deployments still saw $extract fail partway through — often one to two seconds after the request was accepted — with 403 Forbidden and an access-denied message. From the client's perspective the operation had started and then stopped without returning extracted resources.
That happened because extraction does not only touch the QuestionnaireResponse being submitted. The server also loads the Questionnaire the response answers and any StructureDefinition resources referenced by questionnaire items (via item.definition). On 1.12.0 those supporting reads were not covered by the operation: extract rule alone, so authorization denied them even when the extract rule itself was correct.
1.12.2 authorizes $extract as a complete operation: when supporting resources are loaded during extraction, the server applies the same read rules configured for the client role. Permissions that allow GET on Questionnaire and StructureDefinition therefore also apply while $extract runs.
Required configuration
read access must be granted for every resource type $extract depends on, not only operation: extract on QuestionnaireResponse. For typical SDC questionnaires, the minimum set is:
| Operation | Resource | Why |
|---|---|---|
| extract | QuestionnaireResponse | Permission to run $extract |
| read | Questionnaire | Load the questionnaire the response is based on |
| read | StructureDefinition | Resolve item.definition links on questionnaire items |
Example:
fire-arrow:
  authorization:
    validation-rules:
      - client-role: Device
        resource: QuestionnaireResponse
        operation: extract
        validator: Allowed
      - client-role: Device
        resource: Questionnaire
        operation: read
        validator: Allowed
      - client-role: Device
        resource: StructureDefinition
        operation: read
        validator: Allowed
Where read rules for Questionnaire and StructureDefinition are already in place, upgrading to 1.12.2 requires no further configuration change. If $extract still returns 403 Forbidden after upgrade, the missing read rules for the referenced resource types must be added to the authorization configuration.
Roles that do not call $extract are unaffected.
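The rule set above can be checked before an upgrade with a small pre-flight script. This is an added example, not Fire Arrow code: it parses only the flat rule list format shown on this page, the function names are hypothetical, and the `Practitioner` role in the sample is constructed for illustration.

```python
# Rule presence is checked; what a given validator decides is not evaluated.
REQUIRED = [("QuestionnaireResponse", "extract"), ("Questionnaire", "read"),
            ("StructureDefinition", "read")]

def parse_rules(text):
    """Collect the `- client-role: ...` entries of validation-rules as dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        starts_rule = line.startswith("- ")
        key, _, value = (line[2:] if starts_rule else line).partition(":")
        if starts_rule:
            rules.append({})
        if rules and value.strip():  # skips section headers such as "fire-arrow:"
            rules[-1][key.strip()] = value.strip()
    return rules

def missing_for_extract(rules):
    """Map each role holding the extract rule to the required rules it lacks."""
    granted = {}
    for r in rules:
        pair = (r.get("resource"), r.get("operation"))
        granted.setdefault(r.get("client-role"), set()).add(pair)
    return {role: [req for req in REQUIRED if req not in have]
            for role, have in granted.items() if REQUIRED[0] in have}

# Constructed sample: Device is complete, Practitioner has only the extract rule.
SAMPLE = """\
fire-arrow:
  authorization:
    validation-rules:
      - client-role: Device
        resource: QuestionnaireResponse
        operation: extract
        validator: Allowed
      - client-role: Device
        resource: Questionnaire
        operation: read
        validator: Allowed
      - client-role: Device
        resource: StructureDefinition
        operation: read
        validator: Allowed
      - client-role: Practitioner
        resource: QuestionnaireResponse
        operation: extract
        validator: Allowed
"""
print(missing_for_extract(parse_rules(SAMPLE)))
```

A role that maps to a non-empty list is one for which $extract would be accepted and then denied on a supporting read, as described above.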