New: [AEA-6543] - Create a new $release-unattended endpoint #705
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-6543
Pull request overview
Adds support for a new $release-unattended dispensing endpoint intended for application-restricted (JWT/client-credentials) access, while tightening $release to user-restricted requests and making practitioner role inclusion configurable in the release request payload.
Changes:
- Updated release request builder to optionally omit the PractitionerRole (“agent”) entry.
- Added new API method helpers and step definitions for $release-unattended and for negative $release/$release-unattended cases.
- Expanded dispensing feature coverage with scenarios asserting allowed/forbidden/bad-request behaviour for both endpoints.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| methods/api/eps_api_methods.py | Adds helpers for $release-unattended and practitioner-role toggling on $release. |
| messages/eps_fhir/release.py | Makes PractitionerRole inclusion optional in the generated Parameters payload. |
| features/steps/eps_api_steps.py | Wires new Behave steps to the new release helpers. |
| features/eps_fhir_dispensing/dispense_prescriptions.feature | Adds scenarios covering auth-mode and practitioner-role constraints for $release and $release-unattended. |
| def release_prescription_unattended(context): | ||
| url = f"{DISPENSING_BASE_URL}/FHIR/R4/Task/$release-unattended" | ||
| headers = get_headers(context, context.auth_method) | ||
|
|
||
| context.release_body = Release(context, include_practitioner_role=False).body | ||
| post(data=context.release_body, url=url, context=context, headers=headers) |
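Review bot: release_prescription_unattended() has no docstring, and the hard-coded include_practitioner_role=False on the Release(...) line is the only place in the helper that records that this endpoint must not carry a PractitionerRole. Add a short docstring saying that $release-unattended is the application-restricted variant and that the practitioner role is omitted on purpose, so a later edit does not flip the flag without noticing that it changes what the scenarios assert.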
release_prescription_unattended() builds headers via get_headers(context, context.auth_method) only, so when this step is used with user‑restricted auth (see feature scenario using EPS-FHIR-DISPENSING), the request will be missing the NHSD-Session-URID header that all the other dispensing Task operations in this module include (e.g. release_signed_prescription, return_prescription, withdraw_dispense_notification). This can cause the call to fail as a malformed request (or different status) rather than exercising the intended “forbidden because wrong auth type” behaviour.
Consider splitting the unattended release helpers (or adding a flag) so the user‑restricted variant includes NHSD-Session-URID, while the application‑restricted/JWT variant omits it, and update the corresponding step/scenario to use the appropriate helper.

Summary
Details
The $release endpoint should only accept user-restricted requests, and a new endpoint $release-unattended should take application-restricted endpoints. The latter should omit the practitioner role resource.