[PRMP-1465] Post User Restriction by SWhyteAnswer · Pull Request #1131 · NHSDigital/national-document-repository

SWhyteAnswer · 2026-02-25T14:03:16Z

Overview

Jira ticket: PRMP-1465

Description

Context

Checklist

Tasks for all changes:

1. I have linked this PR to its Jira ticket.
2. ~~I have run git pre-commits.~~ (WIP)
3. I have added and/or updated relevant tests.
4. I have updated relevant documentation.
5. I have considered the cross-team impact (and have PR approval from both Core & Demographics if necessary).
6. I have successfully deployed this change to a sandbox and witnessed unit and e2e tests passing:
- 6a. Deploy - Sandbox - workflow run - main
- 6b. SANDBOX Full- Deploy feature branch to sandbox - workflow run - 23445862466
7. I have run the UI Smoke Tests against the deployed sandbox and witnessed it passing:

lambdas/handlers/post_user_restriction_handler.py

lambdas/services/post_user_restriction_service.py

lambdas/handlers/post_user_restriction_handler.py

lambdas/services/post_user_restriction_service.py

lambdas/tests/unit/handlers/test_post_user_restriction_handler.py

github-actions · 2026-03-20T15:28:39Z

Code security issues found

View full details here.

github-actions · 2026-03-23T15:13:42Z

Code security issues found

View full details here.

sonarqubecloud · 2026-03-23T15:17:41Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
93.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2026-03-23T15:48:01Z

Code security issues found

View full details here.

NogaNHS · 2026-03-24T11:13:43Z

app/package-lock.json

remove change?

NogaNHS · 2026-03-24T13:30:25Z

lambdas/handlers/user_restrictions/create_user_restriction_handler.py

+        logger.error("Missing user context")
+        raise LambdaException(
+            400,
+            LambdaError.SearchPatientMissing,


Why this error?

NogaNHS · 2026-03-24T13:31:20Z

lambdas/handlers/user_restrictions/create_user_restriction_handler.py

+    if patient_id != nhs_number:
+        logger.error("patientId query param does not match nhs_number in request body")
+        raise LambdaException(
+            400,
+            LambdaError.PatientIdMismatch,
+        )
+
+    try:
+        creator, ods_code = extract_creator_and_ods_code_from_request_context()
+    except OdsErrorException:
+        logger.error("Missing user context")
+        raise LambdaException(
+            400,
+            LambdaError.SearchPatientMissing,
+        )
+
+    if restricted_smartcard_id == creator:
+        logger.error("You cannot create a restriction for yourself")
+        raise LambdaException(
+            400,
+            LambdaError.CreateRestrictionSelfRestriction,
+        )


Should this be in the service? as this is business logic?

NogaNHS · 2026-03-24T13:39:53Z

lambdas/handlers/user_restrictions/create_user_restriction_handler.py

+    pds_service = get_pds_service()
+    patient = pds_service.fetch_patient_details(nhs_number)
+    if not patient:
+        logger.error("Patient not found in PDS")
+        raise LambdaException(
+            404,
+            LambdaError.SearchPatientNoPDS,
+        )
+    if patient.general_practice_ods != ods_code:
+        logger.error(
+            "Patient's general practice ODS does not match request context ODS",
+        )
+        raise LambdaException(
+            403,
+            LambdaError.SearchPatientNoAuth,
+        )


Should be in the service

SWhyteAnswer temporarily deployed to development February 25, 2026 14:03 — with GitHub Actions Inactive