IGNT-70 Add _includeHidden support for REST

nirbhaykumar1999 · nirbhaykumar1999 · commit ce05d30c90c8 · 2025-04-03T16:10:58.000+05:30
diff --git a/src/operations/common/patientQueryCreator.js b/src/operations/common/patientQueryCreator.js
@@ -43,9 +43,10 @@ class PatientQueryCreator {
      * @param {import('mongodb').Document} query
      * @param {string} resourceType
      * @param {boolean} useHistoryTable
+     * @param {boolean} excludeRestricted Exclude restricted resources (default to true)
      * @return {import('mongodb').Document}
      */
-    getQueryWithPatientFilter({patientIds, query, resourceType, useHistoryTable, personIds}) {
+    getQueryWithPatientFilter({patientIds, query, resourceType, useHistoryTable, personIds, excludeRestricted = true}) {
         if (!this.patientFilterManager.canAccessResourceWithPatientScope({resourceType})) {
             throw new ForbiddenError(`Resource type ${resourceType} cannot be accessed via a patient scope`);
         }
@@ -124,8 +125,7 @@ class PatientQueryCreator {
                     resourceType,
                     parsedArgs,
                     useHistoryTable,
-                    operation: OPERATIONS.READ,
-                    isUser: true
+                    operation: OPERATIONS.READ
                 }));
             }
             if (patientsUuidQuery) {
@@ -201,8 +201,7 @@ class PatientQueryCreator {
                     resourceType,
                     parsedArgs,
                     useHistoryTable,
-                    operation: OPERATIONS.READ,
-                    isUser: true
+                    operation: OPERATIONS.READ
                 }));
             }
             if (patientsNonUuidQuery) {
@@ -278,8 +277,7 @@ class PatientQueryCreator {
                     resourceType,
                     parsedArgs,
                     useHistoryTable,
-                    operation: OPERATIONS.READ,
-                    isUser: true
+                    operation: OPERATIONS.READ
                 }));
             }
             if (personsQuery) {
@@ -300,17 +298,19 @@ class PatientQueryCreator {
         }
 
         // apply filter to exclude resources with restricted security
-        query.$and = query.$and || [];
-        query.$and.push({
-            'meta.security': {
-                $not: {
-                    $elemMatch: {
-                        system: RESOURCE_RESTRICTION_TAG.SYSTEM,
-                        code: RESOURCE_RESTRICTION_TAG.CODE
+        if (excludeRestricted) {
+            query.$and = query.$and || [];
+            query.$and.push({
+                'meta.security': {
+                    $not: {
+                        $elemMatch: {
+                            system: RESOURCE_RESTRICTION_TAG.SYSTEM,
+                            code: RESOURCE_RESTRICTION_TAG.CODE
+                        }
                     }
                 }
-            }
-        });
+            });
+        }
         return query;
     }
 }
diff --git a/src/operations/query/r4.js b/src/operations/query/r4.js
@@ -62,10 +62,9 @@ class R4SearchQueryCreator {
      * @param {ParsedArgs} parsedArgs
      * @param {boolean|undefined} [useHistoryTable]
      * @param {string} operation
-     * @param {boolean} isUser
      * @returns {{query:import('mongodb').Document, columns: Set}} A query object to use with Mongo
      */
-    buildR4SearchQuery ({ resourceType, parsedArgs, useHistoryTable, operation, isUser }) {
+    buildR4SearchQuery ({ resourceType, parsedArgs, useHistoryTable, operation }) {
         assertIsValid(resourceType);
         assertTypeEquals(parsedArgs, ParsedArgs);
 
@@ -156,7 +155,7 @@ class R4SearchQueryCreator {
         // Handling case of 'hidden' tag in meta
         if (
             !parsedArgs.id &&
-            (isUser || !isTrue(parsedArgs._includeHidden)) &&
+            (!isTrue(parsedArgs._includeHidden)) &&
             operation !== DELETE &&
             !useHistoryTable &&
             resourceType !== 'AuditEvent'
diff --git a/src/operations/search/searchManager.js b/src/operations/search/searchManager.js
@@ -237,6 +237,12 @@ class SearchManager {
 
             if (accessViaPatientScopes) {
                 shouldUpdateColumns = true;
+                const excludeRestricted = !parsedArgs.id &&
+                (!isTrue(parsedArgs._includeHidden)) &&
+                operation !== DELETE &&
+                !useHistoryTable &&
+                resourceType !== 'AuditEvent';
+
                 /**
                  * @type {string[]}
                  */
@@ -250,7 +256,8 @@ class SearchManager {
                 } else {
                     query = this.patientQueryCreator.getQueryWithPatientFilter({
                         patientIds: allPatientIdsFromJwtToken, query, resourceType, useHistoryTable,
-                        personIds: personIdFromJwtToken ? [personIdFromJwtToken] : null
+                        personIds: personIdFromJwtToken ? [personIdFromJwtToken] : null,
+                        excludeRestricted
                     });
                 }
             } else if (securityTags && securityTags.length > 0) {
