PUT/DELETE spec defined search params not allowed #5266

paorodma-ms · 2025-12-09T17:03:12Z

Updated responses when deleting nonexistent search params and spec defined search params. Avoid updating spec defined search params.

Description

Describe the changes in this PR.

Related issues

Addresses issue https://microsofthealth.visualstudio.com/Health/_workitems/edit/177538

Testing

Describe how this change was tested. Using unit tests and REST API Calls.

FHIR Team Checklist

Update the title of the PR to be succinct and less than 65 characters
Add a milestone to the PR for the sprint that it is merged (i.e. add S47)
Tag the PR with the type of update: Bug, Build, Dependencies, Enhancement, New-Feature or Documentation
Tag the PR with Open source, Azure API for FHIR (CosmosDB or common code) or Azure Healthcare APIs (SQL or common code) to specify where this change is intended to be released.
Tag the PR with Schema Version backward compatible or Schema Version backward incompatible or Schema Version unchanged if this adds or updates Sql script which is/is not backward compatible with the code.
When changing or adding behavior, if your code modifies the system design or changes design assumptions, please create and include an ADR.
CI is green before merge
Review squash-merge requirements

Semver Change (docs)

Patch|Skip|Feature|Breaking (reason)

…efined search params. Avoid updating spec dedined search params.

....Fhir.Shared.Core.UnitTests/Features/Search/SearchParameters/SearchParameterBehaviorTests.cs

+        public async Task GivenADeleteResourceRequest_WhenDeletingASpecDefinedSearchParameterResource_ThenDeleteSearchParameterShouldNotBeCalled()
+        {
+            var searchParameter = new SearchParameter() { Id = "code", Url = "http://hl7.org/fhir/SearchParameter/code" };
+            var resource = searchParameter.ToTypedElement().ToResourceElement();


To fix the problem, remove the assignment to the resource variable on line 168, as its value is never read and the assignment serves no purpose. This can be done by simply deleting (or commenting out) the line to avoid maintaining unnecessary code. This change is limited to the method GivenADeleteResourceRequest_WhenDeletingASpecDefinedSearchParameterResource_ThenDeleteSearchParameterShouldNotBeCalled in the file src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Search/SearchParameters/SearchParameterBehaviorTests.cs, as shown in the provided code snippet. No further changes or imports are needed, since this assignment does not affect any other logic.

....Fhir.Shared.Core.UnitTests/Features/Search/SearchParameters/SearchParameterBehaviorTests.cs

+            var request = new DeleteResourceRequest(key, DeleteOperation.SoftDelete);
+
+            // Spec-defined parameters do not exist in the Resource table, so GetAsync returns null
+            _fhirDataStore.GetAsync(key, Arg.Any<CancellationToken>()).Returns((ResourceWrapper)null);


To fix this issue, remove the explicit upcast to ResourceWrapper from the expression (ResourceWrapper)null and simply use null. This makes the code cleaner and more idiomatic. The change should be made at line 174, inside the GivenADeleteResourceRequest_WhenDeletingASpecDefinedSearchParameterResource_ThenDeleteSearchParameterShouldNotBeCalled test. No additional imports, methods, or definitions are needed for this change.

...Fhir.Shared.Core.UnitTests/Features/Search/SearchParameters/SearchParameterValidatorTests.cs

+
+            // Setup: No stored resource (returns null)
+            var resourceKey = new ResourceKey(KnownResourceTypes.SearchParameter, searchParam.Id);
+            _fhirDataStore.GetAsync(resourceKey, Arg.Any<CancellationToken>()).Returns((ResourceWrapper)null);


The best fix is to remove the explicit cast to ResourceWrapper and simply write null in the .Returns() call. This avoids clutter and makes the code clearer, with no change in behaviour. Only one line (line 310) in the shown code needs to be changed. No imports, definitions, or method changes are required.

src/Microsoft.Health.Fhir.Core/Features/Search/Parameters/DeleteSearchParameterBehavior.cs

            }

-            if (searchParamResource != null && searchParamResource.IsDeleted == false)
+            if (customSearchParamResource != null && customSearchParamResource.IsDeleted == false)


To fix the unnecessarily complex boolean expression, replace the comparison customSearchParamResource.IsDeleted == false with its simpler, equivalent form !customSearchParamResource.IsDeleted. This change should be made at line 76 of the file src/Microsoft.Health.Fhir.Core/Features/Search/Parameters/DeleteSearchParameterBehavior.cs. No additional methods, imports, or supporting changes are required, as the replacement uses intrinsic language operators. The fix is both locally correct and consistent with codebase conventions.

src/Microsoft.Health.Fhir.Shared.Core/Features/Search/Parameters/SearchParameterValidator.cs

src/Microsoft.Health.Fhir.Core/Features/Search/Parameters/DeleteSearchParameterBehavior.cs

jestradaMS · 2025-12-12T15:31:49Z

src/Microsoft.Health.Fhir.Core/Features/Search/Parameters/DeleteSearchParameterBehavior.cs

            if (deleteRequest.ResourceKey.ResourceType.Equals(KnownResourceTypes.SearchParameter, StringComparison.Ordinal))
            {
-                searchParamResource = await _fhirDataStore.GetAsync(deleteRequest.ResourceKey, cancellationToken);
+                customSearchParamResource = await _fhirDataStore.GetAsync(deleteRequest.ResourceKey, cancellationToken);


As discussed, I am concerned with this approach as users could in theory create a param as "http://hl7.org/fhir/SearchParameter/" then perform a hard delete which removes from the table, but leaves it in PendingDelete and therefore it would have remained in def manager and not in resource table.

To be more accurate, it might be better to use our JSON file that provides or Spec Defined parameters and if found in that file, we throw method not allowed.

Updated responses when deleting non existent search params and spec d…

5b65804

…efined search params. Avoid updating spec dedined search params.

paorodma-ms self-assigned this Dec 9, 2025

paorodma-ms requested a review from a team as a code owner December 9, 2025 17:03

paorodma-ms changed the title ~~Updated responses when deleting non existent search params and spec d…~~ PUT/DELETE spec defined search params not allowed Dec 9, 2025

paorodma-ms added this to the FY26\Q2\2Wk\2Wk12 milestone Dec 9, 2025

paorodma-ms added Bug Bug bug bug. Azure Healthcare APIs Label denotes that the issue or PR is relevant to the FHIR service in the Azure Healthcare APIs Schema Version unchanged labels Dec 9, 2025

github-advanced-security bot found potential problems Dec 9, 2025

View reviewed changes

feordin reviewed Dec 9, 2025

View reviewed changes

src/Microsoft.Health.Fhir.Shared.Core/Features/Search/Parameters/SearchParameterValidator.cs Show resolved Hide resolved

jestradaMS reviewed Dec 9, 2025

View reviewed changes

src/Microsoft.Health.Fhir.Core/Features/Search/Parameters/DeleteSearchParameterBehavior.cs Show resolved Hide resolved

Removed unused variable

b2b7216

jestradaMS reviewed Dec 12, 2025

View reviewed changes

@@ -307,7 +307,7 @@
                         // Setup: No stored resource (returns null)
                         var resourceKey = new ResourceKey(KnownResourceTypes.SearchParameter, searchParam.Id);
-                        _fhirDataStore.GetAsync(resourceKey, Arg.Any<CancellationToken>()).Returns((ResourceWrapper)null);
+                        _fhirDataStore.GetAsync(resourceKey, Arg.Any<CancellationToken>()).Returns(null);
                         var validator = new SearchParameterValidator(
                             () => _fhirOperationDataStore.CreateMockScope(),

@@ -73,7 +73,7 @@
                             }
                         }
-                        if (customSearchParamResource != null && customSearchParamResource.IsDeleted == false)
+                        if (customSearchParamResource != null && !customSearchParamResource.IsDeleted)
                         {
                             // This is a custom search parameter
                             await _searchParameterOperations.DeleteSearchParameterAsync(customSearchParamResource.RawResource, cancellationToken);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

PUT/DELETE spec defined search params not allowed #5266

PUT/DELETE spec defined search params not allowed #5266

Uh oh!

paorodma-ms commented Dec 9, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!

Uh oh!

jestradaMS Dec 12, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

PUT/DELETE spec defined search params not allowed #5266

Are you sure you want to change the base?

PUT/DELETE spec defined search params not allowed #5266

Uh oh!

Conversation

paorodma-ms commented Dec 9, 2025

Description

Related issues

Testing

FHIR Team Checklist

Semver Change (docs)

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!

Uh oh!

jestradaMS Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

jestradaMS Dec 12, 2025 •

edited

Loading