From 44b342ee1d24f4ea4c9f6306fa728a9f45a29f08 Mon Sep 17 00:00:00 2001
From: Jared Erwin
Date: Fri, 23 Jun 2023 14:16:19 -0700
Subject: [PATCH] Clone AccessControlContext for Bundle operations (#3372)

Clone access control for all bundle actions. Refs AB#102910
---
 docs/rest/SMARTScopesExample.http | 31 ++++++++++++++++++-
 .../Resources/Bundle/BundleHandler.cs | 1 +
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/docs/rest/SMARTScopesExample.http b/docs/rest/SMARTScopesExample.http
index 348cdfe76b..39094c8f7e 100644
--- a/docs/rest/SMARTScopesExample.http
+++ b/docs/rest/SMARTScopesExample.http
@@ -253,4 +253,33 @@ POST https://{{hostname}}
 content-type: application/json
 Authorization: Bearer {{bearer.response.body.access_token}}
 
-< ./Data/BundleTransaction.json
\ No newline at end of file
+< ./Data/BundleTransaction.json
+
+
+### Testing Transaction bundle for Smart user with Write only access
+# @name bearer
+POST https://{{hostname}}/connect/token
+content-type: application/x-www-form-urlencoded
+
+grant_type=client_credentials
+&client_id=smart-patient-A
+&client_secret=smart-patient-A
+&scope=patient/Observation.*
+
+### Test a Bundle with GET request inside, should not return only patient data
+POST https://{{hostname}}
+content-type: application/json
+Authorization: Bearer {{bearer.response.body.access_token}}
+
+{
+'type': 'batch',
+'resourceType': 'Bundle',
+'entry': [
+{
+'request': {
+'method': 'GET',
+'url': '/Observation'
+}
+}
+]
+}
\ No newline at end of file
diff --git a/src/Microsoft.Health.Fhir.Shared.Api/Features/Resources/Bundle/BundleHandler.cs b/src/Microsoft.Health.Fhir.Shared.Api/Features/Resources/Bundle/BundleHandler.cs
index b7d78bb2bb..e47caf9774 100644
--- a/src/Microsoft.Health.Fhir.Shared.Api/Features/Resources/Bundle/BundleHandler.cs
+++ b/src/Microsoft.Health.Fhir.Shared.Api/Features/Resources/Bundle/BundleHandler.cs
@@ -653,6 +653,7 @@ private void SetupContexts(RouteContext request, HttpContext httpContext)
 controllerName?.ToString(),
 actionName?.ToString()),
 ExecutingBatchOrTransaction = true,
+AccessControlContext = _originalFhirRequestContext.AccessControlContext.Clone() as AccessControlContext,
 };
 foreach (var scopeRestriction in _originalFhirRequestContext.AccessControlContext.AllowedResourceActions)
 {
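Review bot: The `as AccessControlContext` on the added line turns a failed cast into a silent null, so if `Clone()` ever returned something other than an `AccessControlContext`, the bundle's inner requests could be set up with no access-control context instead of failing at setup; the direct cast `AccessControlContext = (AccessControlContext)_originalFhirRequestContext.AccessControlContext.Clone(),` makes such a mismatch surface as an `InvalidCastException` where it is easy to diagnose. It is not visible here whether `Clone()` copies `AllowedResourceActions` deeply; if it is a shallow copy, the `foreach` over the original context's `AllowedResourceActions` that follows (its body lies outside this hunk) may still be working against a collection shared with the outer request, which would undercut the isolation this change is meant to give each bundle entry, so that is worth confirming. A why-comment on the new line would also help the next reader, e.g. `// Clone so access-control changes made while processing bundle entries do not leak back into the outer request context.` SetupContexts begins and ends outside this hunk.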