Fix: missing staged meds when using save and print functionality with multiple different patient Rx related pages (Medications, Allergies) open - LEGACY BUG#2261
Open
LiamStanziani wants to merge 18 commits intodevelopfrom
Conversation
…eeded for fixes to this issue when reproducing the workflow
…ate as needed for fixes to this issue when reproducing the workflow" This reverts commit 8d3b9b7.
…providers, will need to update to iron out bugs and less memory usage
…ng the demographicNo
…working fully, but works for most actions inside of the Medications module
… account for the changes
…icNo and there was no per-patient session bean for the connected demographicNo, meaning a bean was never created in the first place
Reviewer's GuideImplements per-patient Rx session handling (keyed by demographicNo) plus a request filter and JS interceptor so all Rx requests resolve the correct RxSessionBean, updates JSPs/actions to propagate demographicNo, hardens error handling around prescription updates, and ensures the staged prescription stash is reliably cleared on close instead of being lost mid-flow. Sequence diagram for_Rx_request_with_multi_tab_session_isolationsequenceDiagram
actor User
participant Browser
participant rxSessionInterceptor_js
participant RxSessionFilter
participant HttpSession
participant RxSessionBean
participant RxWriteScript2Action
User->>Browser: Click update quantity in Medications tab
Browser->>rxSessionInterceptor_js: Prepare AJAX request
rxSessionInterceptor_js->>Browser: Attach demographicNo to request
Browser->>RxSessionFilter: HTTP POST /oscarRx/updateDrug.do
RxSessionFilter->>HttpSession: getAttribute(LEGACY_KEY)
RxSessionFilter->>RxSessionBean: getSessionKey(demographicNo)
RxSessionFilter->>HttpSession: getAttribute(RxSessionBean_<demographicNo>)
alt per_patient_bean_found
RxSessionFilter->>HttpSession: setAttribute(LEGACY_KEY, perPatientBean)
else no_bean_and_explicit_demographicNo
RxSessionFilter->>HttpSession: removeAttribute(LEGACY_KEY)
end
RxSessionFilter-->>Browser: continue filter chain
Browser->>RxWriteScript2Action: dispatch to updateDrug()
RxWriteScript2Action->>HttpSession: getAttribute(LEGACY_KEY) as bean
RxWriteScript2Action->>RxSessionBean: getStashItem2(randomIdInt)
alt prescription_found
RxWriteScript2Action-->>Browser: 200 OK JSON (updated)
else invalid_randomId
RxWriteScript2Action-->>Browser: 400 JSON {error: Invalid prescription identifier}
else prescription_missing
RxWriteScript2Action-->>Browser: 400 JSON {error: Prescription not found}
end
Class diagram for per_patient_Rx_session_handlingclassDiagram
class RxSessionBean {
- Logger logger
- String SESSION_KEY_PREFIX
- String LEGACY_SESSION_KEY
- String providerNo
- int demographicNo
+ static String getSessionKey(int demographicNo)
+ static RxSessionBean getFromSession(HttpSession session, int demographicNo)
+ static RxSessionBean getFromSession(HttpServletRequest request, int demographicNo)
+ static void saveToSession(HttpSession session, RxSessionBean bean)
+ static void saveToSession(HttpServletRequest request, RxSessionBean bean)
+ int getDemographicNo()
+ void setDemographicNo(String RHS)
+ String getProviderNo()
+ void setProviderNo(String providerNo)
}
class RxSessionFilter {
- Logger logger
- String LEGACY_KEY
+ void init(FilterConfig filterConfig)
+ void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+ void destroy()
- static int parseDemographicNo(String param)
}
class RxWriteScript2Action {
+ String updateDrug()
- HttpServletRequest request
- HttpServletResponse response
- ObjectMapper objectMapper
- RxSessionBean bean
}
class RxShowAllergy2Action {
+ String execute()
- HttpServletRequest request
- String user_no
}
class RxChoosePatient2Action {
+ String execute()
+ String getDemographicNo()
- HttpServletRequest request
- String user_no
}
class CaseManagementView2Action {
+ String view()
- HttpServletRequest request
- String demoNo
- Logger logger
}
class RxPrescriptionData {
+ boolean Save(String scriptId)
- String special
}
class Prescription
RxSessionFilter --> RxSessionBean : uses
RxWriteScript2Action --> RxSessionBean : uses
RxShowAllergy2Action --> RxSessionBean : uses
RxChoosePatient2Action --> RxSessionBean : uses
CaseManagementView2Action --> RxSessionBean : uses
RxWriteScript2Action --> RxPrescriptionData : updates Prescription
RxSessionBean .. RxPrescriptionData : holds staged prescriptions
RxPrescriptionData *-- Prescription : contains
File-Level Changes
Assessment against linked issues
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
📝 WalkthroughWalkthroughThis pull request refactors the prescription system's session management to support multi-patient/multi-tab scenarios by implementing per-demographic-number session keys instead of a single shared session attribute. A new servlet filter (RxSessionFilter) and utility methods in RxSessionBean manage dual-key storage for backward compatibility. Client-side changes propagate the demographicNo parameter through AJAX calls and forms via a new JavaScript interceptor. Several Java actions are updated to use the new session utilities, and multiple JSP pages are modified to pass and use demographicNo context. Additional defensive checks handle null prescriptions and validate parameters. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello @LiamStanziani, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the prescription management module by introducing a comprehensive per-patient session handling mechanism. This architectural improvement addresses data integrity concerns and improves the user experience by allowing the simultaneous management of prescriptions for multiple patients across different browser tabs. The solution integrates both server-side session filtering and client-side JavaScript interception to ensure accurate and consistent data handling. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a significant and well-designed enhancement for handling prescription sessions on a per-patient basis, which is crucial for supporting multi-tab workflows. The use of a servlet filter, session bean helpers with backward compatibility, and a client-side AJAX interceptor is a solid approach. My review has identified a recurring high-severity issue: several new code paths parse request parameters into integers without proper error handling for NumberFormatException. This could lead to unhandled exceptions and server errors. I have provided specific comments and code suggestions to address this by adding robust try-catch blocks.
Collaborator
Author
|
@copilot review |
|
@LiamStanziani I've opened a new pull request, #2262, to work on those changes. Once the pull request is ready, I'll request review from you. |
Collaborator
Author
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
2 tasks
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 15
🤖 Fix all issues with AI agents
In `@src/main/java/ca/openosp/openo/casemgmt/web/CaseManagementView2Action.java`:
- Around line 458-467: The code currently calls Integer.parseInt(demoNo) without
handling NumberFormatException; wrap the parse in a safe guard (e.g., check
demoNo for null/empty and digits or use a try/catch) inside the method in
CaseManagementView2Action before calling
RxSessionBean.getFromSession/saveToSession; on parse failure, either use a
sensible default demographicNo (e.g., 0) or skip creating/saving the
RxSessionBean and log a warning with the invalid demoNo so the request does not
throw a 500. Ensure you still call RxSessionBean.setProviderNo and save only
when a valid demographicNo was obtained.
In `@src/main/java/ca/openosp/openo/prescript/data/RxPrescriptionData.java`:
- Around line 1650-1654: The code calls getSpecial() which may log raw PHI;
instead read the underlying field directly in RxPrescriptionData (avoid invoking
getSpecial()) or add a non-logging accessor (e.g., getSpecialRaw()) and use that
to compute length for the warning; ensure the log message only includes the
length (no content) and if you must log any sanitized value use Encode.forJava()
to prevent log injection.
In
`@src/main/java/ca/openosp/openo/prescript/pageUtil/RxChoosePatient2Action.java`:
- Around line 85-96: The code calls Integer.parseInt(this.getDemographicNo())
without validating the input, which will throw if getDemographicNo() is null or
not numeric; update the method in RxChoosePatient2Action to first check that
this.getDemographicNo() is non-null and matches a numeric pattern (or try
parsing inside a try/catch), and if invalid return the appropriate error view
("error.html" or "Logout"); then only call Integer.parseInt and proceed to use
RxSessionBean.getFromSession(request, demographicNoInt) and
RxSessionBean.saveToSession(request, bean) when the demographicNo is valid.
In `@src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionBean.java`:
- Around line 47-112: The public session helper methods (getSessionKey,
getFromSession(HttpSession,int), getFromSession(HttpServletRequest,int),
saveToSession(HttpSession,RxSessionBean),
saveToSession(HttpServletRequest,RxSessionBean)) need complete JavaDoc: add
explicit `@param` entries specifying types (e.g., "@param demographicNo int",
"@param session HttpSession", "@param request HttpServletRequest", "@param bean
RxSessionBean"), add precise `@return` tags (e.g., "@return RxSessionBean or null"
or "@return String" for getSessionKey), add `@throws` tags for any
unchecked/checked exceptions the methods may surface (or explicitly state none),
and add `@since` tags populated from git history for each public method; update
the JavaDoc blocks above each referenced method accordingly.
In `@src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java`:
- Around line 36-95: Add comprehensive JavaDoc to the public class
RxSessionFilter and its public methods init(FilterConfig),
doFilter(ServletRequest, ServletResponse, FilterChain), and destroy(): document
each `@param` with exact types (e.g., `@param` filterConfig
javax.servlet.FilterConfig), include `@throws` tags for
ServletException/IOException where applicable, add `@since` tags using the
commit/date when the class was introduced, and include a brief description of
behavior and return type (where applicable — void) for each method; ensure the
class-level JavaDoc also lists the purpose and the LEGACY_KEY behavior
referenced in doFilter.
- Around line 81-83: The logger.warn in RxSessionFilter currently logs
demographicNo (PHI) and the raw request URI; remove demographicNo from the log
message and sanitize the URI before logging. Update the logging call in
RxSessionFilter (the logger.warn that references demographicNo and
request.getRequestURI()) to omit demographicNo entirely and pass the request URI
through a safe sanitizer such as Encode.forJava() (or your project's approved
sanitizer) before including it in the log message to prevent log injection and
PHI exposure. Ensure only non-PHI, sanitized values are logged and adjust the
log text accordingly.
In `@src/main/java/ca/openosp/openo/prescript/pageUtil/RxShowAllergy2Action.java`:
- Around line 175-190: The code in RxShowAllergy2Action currently uses
Integer.parseInt(demo_no) which can throw NumberFormatException; update the
handler to validate demo_no (e.g., check null/empty and digits or use try/catch
around Integer.parseInt) and on invalid input set the response status to
SC_BAD_REQUEST (or return "failure") instead of allowing a 500; preserve the
existing RxSessionBean creation and RxSessionBean.saveToSession logic when the
parse succeeds, and ensure any NumberFormatException branch skips bean creation
and exits early with the bad-request response.
In `@src/main/java/ca/openosp/openo/prescript/pageUtil/RxWriteScript2Action.java`:
- Around line 813-821: The logger.error call in RxWriteScript2Action logs the
user-supplied randomId directly; sanitize it using Encode.forJava(randomId) and
switch to parameterized logging (e.g., logger.error("Prescription not found in
stash for randomId: {}", Encode.forJava(randomId))) so the input is encoded and
not concatenated into the message; update the logger invocation around the
null-check for rx and add the necessary import for Encode.
- Around line 1563-1570: Add comprehensive JavaDoc to the public setter
setDemographicNo in class RxWriteScript2Action describing its purpose, include a
typed `@param` tag (e.g., `@param` RHS String - numeric string to parse into an
int), a `@since` tag with the appropriate git-history date, and document behavior
on invalid input (note that NumberFormatException is caught and the default
remains 0) — include an `@throws` tag only if the method is changed to propagate
exceptions; otherwise explicitly state in the JavaDoc that invalid numeric input
is swallowed and no exception is thrown.
In `@src/main/webapp/oscarRx/js/rxSessionInterceptor.js`:
- Around line 21-38: The demographic injection functions must handle FormData
and URLSearchParams explicitly: in addDemographicNo (and correspondingly
hasDemographicNo if needed) detect instances of FormData and URLSearchParams
(e.g., params instanceof FormData / params instanceof URLSearchParams) and use
their APIs instead of treating them as plain objects—call
formData.append('demographicNo', demoNo) for FormData and
urlSearchParams.set('demographicNo', demoNo) for URLSearchParams; preserve
existing behavior for strings (append as query param) and plain objects (assign
params.demographicNo = demoNo), and ensure hasDemographicNo checks FormData.has
and URLSearchParams.has or inspects string/query properly so injection isn't
skipped.
In `@src/main/webapp/oscarRx/SearchDrug3.jsp`:
- Around line 238-243: The demographicNo is being output unencoded in
JavaScript, HTML attributes, and URI contexts; add the import
org.owasp.encoder.Encode at the top and replace direct uses of
rxSessionBean.getDemographicNo() with context-appropriate encoding: wrap it with
Encode.forJavaScript(...) when assigning the JavaScript variable
currentDemographicNo, use Encode.forHtmlAttribute(...) where demographicNo is
inserted into hidden input value attributes, and use Encode.forUriComponent(...)
where demographicNo is concatenated into query parameter strings (search for
currentDemographicNo, the hidden input value usages, and the methods/builders
that append demographicNo to query URIs to update each).
In `@src/main/webapp/oscarRx/ViewScript.jsp`:
- Around line 322-325: The RxClearPendingForm POST is missing the CSRF token;
update the form named "RxClearPendingForm" (action "/oscarRx/clearPending.do")
to include a hidden input using the Spring CSRF parameters: add an input with
name="${_csrf.parameterName}" and value="${_csrf.token}" alongside the existing
hidden fields (e.g., near the demographicNo input) so the form submits the CSRF
token.
- Around line 171-176: Import the OWASP encoder by adding <%@ page
import="org.owasp.encoder.Encode" %> and then apply context-appropriate encoding
to demographicNo: replace the unencoded embed that sets the JavaScript variable
currentDemographicNo (variable currentDemographicNo in ViewScript.jsp) with
Encode.forJavaScript(bean.getDemographicNo()), encode the URL parameter usage
(the code that builds the src or query param around rxSessionInterceptor.js or
other URL at line ~317) with Encode.forUriComponent(bean.getDemographicNo()),
and encode any HTML attribute usage (the attribute at ~324) with
Encode.forHtmlAttribute(bean.getDemographicNo()); finally, add the missing CSRF
hidden input to the POST form (the form around line ~322) using <input
type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> so the form
includes the CSRF token.
In `@src/main/webapp/oscarRx/ViewScript2.jsp`:
- Around line 675-678: The RxClearPendingForm POST form (form name
"RxClearPendingForm", action "/oscarRx/clearPending.do") is missing a CSRF
token; add a hidden input using the application's CSRF attributes (e.g. <input
type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> or the
project's equivalent) inside the form (near the other hidden inputs like
"action" and "demographicNo") so the server can validate the token on
submission.
- Around line 238-243: currentDemographicNo is being output unencoded in
multiple contexts causing XSS/CSRF issues; replace all direct uses of
bean.getDemographicNo() with context-appropriate OWASP encoders: wrap the value
in Encode.forJavaScript() when assigning the JavaScript variable
currentDemographicNo (the script block that sets var currentDemographicNo), use
Encode.forUriComponent() when appending demographicNo into URLs (the places
building query params), and use Encode.forHtmlAttribute() when inserting
demographicNo into HTML attributes; update the other occurrences of
demographicNo (the remaining usages in this JSP) similarly to their contexts,
and add a hidden CSRF token input to the POST form (include the server-side CSRF
token variable provided by the app framework) so the form submits the CSRF
token.
🧹 Nitpick comments (4)
src/main/webapp/oscarRx/js/rxSessionInterceptor.js (1)
41-68: Use camelCase for local aliases.
RenameOriginalRequest/OriginalUpdaterto camelCase to match JS naming conventions.As per coding guidelines: **/*.{java,js,ts,tsx}: Use camelCase for variable and method names (e.g., `ticklerManager`, `isPatientActive()`, `getLastUpdateDate()`).♻️ Suggested refactor
- var OriginalRequest = Ajax.Request; + var originalRequest = Ajax.Request; Ajax.Request = function(url, options) { @@ - return new OriginalRequest(url, options); + return new originalRequest(url, options); }; - Ajax.Request.prototype = OriginalRequest.prototype; + Ajax.Request.prototype = originalRequest.prototype; @@ - var OriginalUpdater = Ajax.Updater; + var originalUpdater = Ajax.Updater; Ajax.Updater = function(container, url, options) { @@ - return new OriginalUpdater(container, url, options); + return new originalUpdater(container, url, options); }; - Ajax.Updater.prototype = OriginalUpdater.prototype; + Ajax.Updater.prototype = originalUpdater.prototype;src/main/webapp/oscarRx/ListDrugs.jsp (1)
69-95: Move demographicNo parsing out of JSP scriptlets.
Consider resolving the demographic context in a controller and passing it via request attributes/JSTL to keep the view logic minimal.As per coding guidelines: JSP views should use JSTL tags and avoid Java scriptlets - use request.getAttribute() for passing data.
src/main/webapp/messenger/generatePreviewPDF.jsp (2)
410-423: RenameRxbeanto camelCaserxBean.
Aligns with Java naming conventions.As per coding guidelines: **/*.{java,js,ts,tsx}: Use camelCase for variable and method names (e.g., `ticklerManager`, `isPatientActive()`, `getLastUpdateDate()`).♻️ Suggested refactor
- RxSessionBean Rxbean = RxSessionBean.getFromSession(request.getSession(), demoNoInt); + RxSessionBean rxBean = RxSessionBean.getFromSession(request.getSession(), demoNoInt); - if (Rxbean == null) { - Rxbean = new RxSessionBean(); + if (rxBean == null) { + rxBean = new RxSessionBean(); } @@ - Rxbean.setProviderNo((String) request.getSession().getAttribute("user")); - Rxbean.setDemographicNo(demoNoInt); + rxBean.setProviderNo((String) request.getSession().getAttribute("user")); + rxBean.setDemographicNo(demoNoInt); @@ - RxSessionBean.saveToSession(request.getSession(), Rxbean); + RxSessionBean.saveToSession(request.getSession(), rxBean);
410-423: Move Rx session setup out of JSP scriptlets.
Prefer resolving RxSessionBean in a controller and passing it via request attributes/JSTL.As per coding guidelines: JSP views should use JSTL tags and avoid Java scriptlets - use request.getAttribute() for passing data.
PR Compliance Guide 🔍Below is a summary of compliance checks for this PR:
Compliance status legend🟢 - Fully Compliant🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label |
||||||||||||||||||||||||||
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- In RxWriteScript2Action.updateDrug, when returning the JSON error responses you should explicitly set the response Content-Type (e.g., application/json with UTF‑8) and use a consistent charset when writing bytes instead of relying on defaults.
- The heuristics in rxSessionInterceptor.js for adding demographicNo (string checks for 'Rx' in form action and only checking for 'demographicNo=' in raw strings) are quite broad and could affect unrelated forms or miss encoded params; consider tightening the action matching and using proper querystring parsing instead of substring checks.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In RxWriteScript2Action.updateDrug, when returning the JSON error responses you should explicitly set the response Content-Type (e.g., application/json with UTF‑8) and use a consistent charset when writing bytes instead of relying on defaults.
- The heuristics in rxSessionInterceptor.js for adding demographicNo (string checks for 'Rx' in form action and only checking for 'demographicNo=' in raw strings) are quite broad and could affect unrelated forms or miss encoded params; consider tightening the action matching and using proper querystring parsing instead of substring checks.
## Individual Comments
### Comment 1
<location> `src/main/webapp/oscarRx/ViewScript.jsp:384-387` </location>
<code_context>
<td><span><input type=button
value="<fmt:setBundle basename="oscarResources"/><fmt:message key="ViewScript.msgBackToOscar"/>"
class="ControlPushButton" style="width: 200px"
- onClick="javascript:clearPending('close');"/></span></td>
+ onClick="resetStash();javascript:clearPending('close');"/></span></td>
</tr>
</code_context>
<issue_to_address>
**issue (bug_risk):** Calling resetStash() here will throw a JS error because it is not defined on this page.
On ViewScript2.jsp `resetStash()` is defined locally, but on ViewScript.jsp it isn’t present and there’s no script import that provides it. As written, clicking “Back to Oscar” will throw `ReferenceError: resetStash is not defined`. To keep the stash-clearing behavior, either define `resetStash` on this page, move it into a shared JS file, or reuse an existing function that already clears the stash.
</issue_to_address>
### Comment 2
<location> `src/main/java/ca/openosp/openo/prescript/pageUtil/RxWriteScript2Action.java:811-819` </location>
<code_context>
String randomId = request.getParameter("randomId");
- RxPrescriptionData.Prescription rx = bean.getStashItem2(Integer.parseInt(randomId));
- // get prescript from randomId
+ int randomIdInt;
+ try {
+ randomIdInt = Integer.parseInt(randomId);
+ } catch (NumberFormatException e) {
+ logger.error("Invalid randomId parameter: {}", Encode.forJava(randomId));
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ ObjectNode errorResponse = objectMapper.createObjectNode();
+ errorResponse.put("error", "Invalid prescription identifier.");
+ response.getOutputStream().write(errorResponse.toString().getBytes());
+ return null;
+ }
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Error JSON responses should set content type and charset to avoid client-side parsing issues.
In the invalid `randomId` (and similar `rx == null`) branches you write a JSON error body to the `ServletOutputStream` without setting a `Content-Type`. This can prevent some clients or intermediaries from treating it as JSON and may introduce charset issues. Please set `response.setContentType("application/json;charset=UTF-8");` before writing the body and encode with `getBytes(StandardCharsets.UTF_8)` (or use a writer).
Suggested implementation:
```java
logger.error("Invalid randomId parameter: {}", Encode.forJava(randomId));
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
ObjectNode errorResponse = objectMapper.createObjectNode();
errorResponse.put("error", "Invalid prescription identifier.");
response.setContentType("application/json;charset=UTF-8");
response.getOutputStream().write(errorResponse.toString().getBytes(StandardCharsets.UTF_8));
return null;
```
```java
logger.error("Prescription not found in stash for randomId: {}. " +
"Session may have been reset or prescription was not properly staged.",
Encode.forJava(randomId));
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
ObjectNode errorResponse = objectMapper.createObjectNode();
errorResponse.put("error", "Prescription not found. Please refresh and try again.");
response.setContentType("application/json;charset=UTF-8");
response.getOutputStream().write(errorResponse.toString().getBytes(StandardCharsets.UTF_8));
return null;
```
1. Ensure `java.nio.charset.StandardCharsets` is imported at the top of `RxWriteScript2Action.java`, e.g.:
`import java.nio.charset.StandardCharsets;`
2. If there are other JSON error branches in this class that write directly to the response without setting a content type or charset, apply the same `setContentType("application/json;charset=UTF-8")` and `getBytes(StandardCharsets.UTF_8)` pattern there for consistency.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
PR Code Suggestions ✨Explore these optional code suggestions:
|
||||||||||||||||
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 15 files
Confidence score: 3/5
- Multi-tab sessions can submit the wrong patient ID because
src/main/webapp/oscarRx/SearchDrug3.jspstill uses the legacy sessionpatientobject instead of the per-tab RxSessionBean demographicNo. src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.javacan leave a stale legacy bean when demographicNo is provided but no per-patient bean exists, risking cross-patient data bleed.- These are concrete, user-facing behaviors around patient context and navigation, so there’s some regression risk despite otherwise localized changes.
- Pay close attention to
src/main/webapp/oscarRx/SearchDrug3.jsp,src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java,src/main/webapp/oscarRx/ViewScript.jsp- patient context isolation and client-side navigation errors.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="src/main/webapp/oscarRx/SearchDrug3.jsp">
<violation number="1" location="src/main/webapp/oscarRx/SearchDrug3.jsp:796">
P1: This hidden input still uses the session `patient` object instead of the per-tab RxSessionBean demographicNo, so multi-tab sessions can submit the wrong patient ID. Use `demoNo` (from RxSessionBean) to keep requests tied to the correct tab.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java:78">
P1: When a demographicNo is provided but no per-patient bean exists, the legacy session bean is left untouched, so downstream code can still read a stale bean from a different patient. Clear the legacy key (or set it to null) in this case to avoid cross-patient leakage.</violation>
</file>
<file name="src/main/webapp/oscarRx/ViewScript.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ViewScript.jsp:392">
P2: resetStash() is not defined for this page, so clicking “Back to Oscar” will throw a ReferenceError and can block clearPending from executing. Either define/resetStash for this page or guard the call.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
yingbull
pushed a commit
to carlos-emr/carlos
that referenced
this pull request
Feb 10, 2026
Implements isolated session management for the prescription (Rx) module to prevent medication data cross-contamination when providers have multiple patient tabs open simultaneously. Core changes: - Add static helpers to RxSessionBean (getFromSession/saveToSession) for per-patient session keying using RxSessionBean_<demographicNo> - Create RxSessionFilter servlet filter to swap correct per-patient bean into legacy "RxSessionBean" session key per request - Create rxSessionInterceptor.js to inject demographicNo into AJAX calls and form submissions for Prototype.js, jQuery, and native forms - Update all Rx Action classes to use new per-patient session API - Add demographicNo propagation to ViewScript/ViewScript2 iframes and forms - Improve error handling in RxWriteScript2Action for missing prescriptions - Update ListDrugs.jsp to resolve patient from request parameter first Adapted from openo-beta/open-o PR #2261 by LiamStanziani. Original commits: 8d3b9b7..be7f6576 (squashed, path/namespace translated) Upstream PR: openo-beta/Open-O#2261 Changes from upstream: - File paths translated: ca/openosp/openo/ -> io/github/carlos_emr/carlos/ - Package names translated: ca.openosp.openo. -> io.github.carlos_emr.carlos. - RxPrescriptionData.java changes already present in CARLOS (skipped) - struts.xml whitespace-only change skipped - Adapted to existing CARLOS codebase divergences https://claude.ai/code/session_01Jg6sucQ6C6PgndyCrCHqs1
yingbull
pushed a commit
to carlos-emr/carlos
that referenced
this pull request
Feb 25, 2026
…contamination
Port of openo-beta/open-o PR #2261 ("Fix: missing meds when saving - LEGACY BUG")
originally authored by LiamStanziani.
When multiple prescription tabs are open simultaneously for different patients,
a single shared "RxSessionBean" session attribute causes medications to disappear
or mix between patients. This fix introduces per-patient session keys
(RxSessionBean_<demographicNo>) with a servlet filter that swaps the correct bean
into the legacy key per request, maintaining backward compatibility.
Changes:
- RxSessionBean: Add static getFromSession/saveToSession methods with per-patient keys
- RxSessionFilter: New servlet filter for per-request bean swapping (web.xml mapped)
- rxSessionInterceptor.js: AJAX interceptor injecting demographicNo into all Rx requests
- CaseManagementView2Action, RxChoosePatient2Action, RxShowAllergy2Action: Use new
session methods instead of direct session attribute access
- RxWriteScript2Action: Add error handling for randomId parsing, String demographicNo setter
- ListDrugs.jsp: Multi-tab patient lookup from request parameter
- SearchDrug3.jsp, ViewScript.jsp, ViewScript2.jsp: Include interceptor, add resetStash,
pass demographicNo through forms and iframes
- generatePreviewPDF.jsp: Use getFromSession/saveToSession
Original PR: openo-beta/Open-O#2261
Original Author: LiamStanziani
https://claude.ai/code/session_01D1MB9CvCDC4XaJGCXgxtB3
Collaborator
Author
|
See latest comment on this PR for an explanation as to why this is being set back to draft: MagentaHealth#75 |
LiamStanziani
changed the title
Collaborator
Author
|
Will address and AI review comments that come in with setting this back to review |
Review Summary by QodoFix missing medications across multiple patient tabs by implementing per-patient Rx session isolation
WalkthroughsDescription• Implement per-patient Rx session handling to prevent medications from mixing between multiple open patient tabs • Add RxSessionFilter and rxSessionInterceptor to inject demographicNo into all Rx requests for correct patient context • Improve error handling for invalid prescription identifiers and missing demographic numbers with 400 responses • Simplify special instructions logging and remove deprecated StringEscapeUtils usage Diagramflowchart LR
A["Multiple Patient Tabs"] -->|demographicNo parameter| B["RxSessionFilter"]
B -->|swaps correct bean| C["Per-Patient RxSessionBean"]
C -->|keyed by demographicNo| D["Session Storage"]
E["AJAX/Form Requests"] -->|rxSessionInterceptor| F["Add demographicNo"]
F -->|inject into requests| B
G["JSP Pages"] -->|include interceptor| E
H["Error Handling"] -->|invalid IDs| I["400 Bad Request"]
File Changes1. src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionBean.java
|
Code Review by Qodo
1. demoNo unencoded in JS
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- In rxSessionInterceptor.js, the fetch wrapper only appends demographicNo via the URL and doesn’t handle Request objects or bodies that might already carry the parameter; consider detecting Request instances and preserving/augmenting their query/body rather than coercing to a string URL to avoid subtle bugs with more complex fetch usages.
- RxSessionFilter’s fallback behaviour when demographicNo is absent (or invalid) but a legacy RxSessionBean exists leaves the legacy bean in place and logs a warning only when a per-patient bean lookup fails with a fallback demographic; you might want to make the conditions and logging more explicit (e.g., distinguish between ‘no per-patient bean yet’ vs. ‘stale bean for another patient’) to simplify future debugging of cross-patient leakage scenarios.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In rxSessionInterceptor.js, the fetch wrapper only appends demographicNo via the URL and doesn’t handle Request objects or bodies that might already carry the parameter; consider detecting Request instances and preserving/augmenting their query/body rather than coercing to a string URL to avoid subtle bugs with more complex fetch usages.
- RxSessionFilter’s fallback behaviour when demographicNo is absent (or invalid) but a legacy RxSessionBean exists leaves the legacy bean in place and logs a warning only when a per-patient bean lookup fails with a fallback demographic; you might want to make the conditions and logging more explicit (e.g., distinguish between ‘no per-patient bean yet’ vs. ‘stale bean for another patient’) to simplify future debugging of cross-patient leakage scenarios.
## Individual Comments
### Comment 1
<location path="src/main/webapp/oscarRx/js/rxSessionInterceptor.js" line_range="80-89" />
<code_context>
+ };
+ }
+
+ // Intercept fetch API
+ if (typeof window.fetch === 'function') {
+ var originalFetch = window.fetch;
+ window.fetch = function(url, options) {
+ options = options || {};
+ var urlStr = (url instanceof Request) ? url.url : String(url);
+ if (urlStr.indexOf('demographicNo=') === -1) {
+ var separator = urlStr.indexOf('?') === -1 ? '?' : '&';
+ url = urlStr + separator + 'demographicNo=' + encodeURIComponent(demoNo);
+ }
+ return originalFetch.call(this, url, options);
+ };
+ }
</code_context>
<issue_to_address>
**issue (bug_risk):** The fetch wrapper discards Request objects and may change behavior of existing fetch callers.
When callers pass a `Request` (e.g., `fetch(new Request(...), options)`), this wrapper replaces it with a URL string and `options || {}`, discarding method, headers, body, credentials, mode, etc. This can break existing code that relies on `Request` instances. To keep behavior transparent, if `url` is a `Request`, create a new `Request` with the modified URL and the original request as init (e.g., `new Request(modifiedUrl, url)`), and pass that to `originalFetch`. Only use the current string-based logic when `url` is not a `Request`.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
11 issues found across 15 files
Confidence score: 2/5
- There is clear high user-impact risk: several high-confidence findings show patient context can still bleed across tabs (
RxSessionFilter,RxSessionBean,generatePreviewPDF.jsp,SearchDrug3.jsp), which can surface or act on the wrong patient’s medication data. - A concrete regression risk remains in request handling:
rxSessionInterceptor.jscan downgradeRequestobjects to plain URL strings, potentially dropping method/headers/body and breaking POST-based flows silently. - Integration points still look unsafe as wired:
web.xmlfilter ordering can allow rejected requests to mutate Rx session state, andRxWriteScript2Action.javatype mismatch may leave binding at demographic0. - Pay close attention to
src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java,src/main/webapp/messenger/generatePreviewPDF.jsp,src/main/webapp/oscarRx/js/rxSessionInterceptor.js, andsrc/main/webapp/WEB-INF/web.xml- they drive the highest-risk patient-context and request-flow regressions.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/main/webapp/oscarRx/ViewScript.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ViewScript.jsp:182">
P2: Handle rejected stash-clear requests before calling `clearPending('close')`; otherwise the Back to Oscar button stops working when the POST fails.</violation>
</file>
<file name="src/main/webapp/oscarRx/js/rxSessionInterceptor.js">
<violation number="1" location="src/main/webapp/oscarRx/js/rxSessionInterceptor.js:88">
P1: When `url` is a `Request` object, reassigning it to a plain string discards the request's method, headers, body, and credentials. A `fetch(new Request('/api', {method:'POST', body:...}))` call would silently become a bare GET. Preserve the `Request` by constructing a new one with the modified URL.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java:79">
P1: Swapping the active patient bean through a shared `HttpSession` attribute is still race-prone across concurrent tabs, so overlapping Rx requests can still read or clear the wrong patient's `RxSessionBean`.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxWriteScript2Action.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxWriteScript2Action.java:1584">
P1: Keep `demographicNo` as an `int` property. This mismatched `String` setter can prevent Struts from binding the request parameter at all, leaving the action on demographic `0`.</violation>
</file>
<file name="src/main/webapp/WEB-INF/web.xml">
<violation number="1" location="src/main/webapp/WEB-INF/web.xml:40">
P1: Move `RxSessionFilter` after the auth/CSRF filters; right now rejected requests can still mutate the Rx session.</violation>
</file>
<file name="src/main/webapp/messenger/generatePreviewPDF.jsp">
<violation number="1" location="src/main/webapp/messenger/generatePreviewPDF.jsp:416">
P1: This only makes `RxSessionBean` per-patient; `PrintDrugProfile.jsp` still uses the shared session `Patient`, so multi-tab previews can still render the wrong patient.</violation>
<violation number="2" location="src/main/webapp/messenger/generatePreviewPDF.jsp:425">
P1: The preview request still uses `demographic_no`, so the new RxSessionFilter never selects the per-patient bean for `PrintDrugProfile.jsp`.</violation>
</file>
<file name="src/main/webapp/oscarRx/ViewScript2.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ViewScript2.jsp:274">
P1: Use the LightWindow close API here instead of `parent.window.close()`, or the Back to Oscar action can leave the modal open / target the wrong window.</violation>
</file>
<file name="src/main/webapp/oscarRx/SearchDrug3.jsp">
<violation number="1" location="src/main/webapp/oscarRx/SearchDrug3.jsp:241">
P1: This page still renders `prescribedDrugs` from the shared session `Patient` object, so another Rx tab can still make the medication list show the wrong patient despite the new `demographicNo` propagation.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionBean.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionBean.java:109">
P1: Updating the shared legacy session key here still lets no-`demographicNo` requests switch to the wrong patient's Rx session.</violation>
</file>
<file name="src/main/webapp/oscarRx/ListDrugs.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ListDrugs.jsp:93">
P2: This fallback never runs when `getPatient(...)` fails, because that API returns a non-null wrapper with a null demographic. Check for `patient.getDemographic() == null` too, otherwise invalid `demographicNo` values fall through with `-1` and the page can load the wrong/empty medication list.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Move RxSessionFilter after auth filters in web.xml to prevent
unauthenticated session mutation
- Add Patient session attribute swapping to RxSessionFilter, removing
redundant manual lookups in ListDrugs.jsp
- Support both demographicNo and demographic_no params in filter
- Fix fetch interceptor to preserve Request object properties
- Revert generatePreviewPDF.jsp bean read to use filter-swapped legacy key
- Remove deferred stash clearing fix (resetStashAndClose) from
ViewScript.jsp and ViewScript2.jsp
There was a problem hiding this comment.
5 issues found across 7 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/main/webapp/WEB-INF/web.xml">
<violation number="1" location="src/main/webapp/WEB-INF/web.xml:159">
P1: `RxSessionFilter` now runs after Struts for `/oscarRx/*` and `/CaseManagementView.do`, so the per-patient bean swap happens too late to protect those actions.</violation>
</file>
<file name="src/main/webapp/oscarRx/ListDrugs.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ListDrugs.jsp:69">
P1: Resolve the patient from `demographicNo` on this request instead of the shared session `Patient`; otherwise concurrent Rx tabs can still render another patient's drug list.</violation>
</file>
<file name="src/main/webapp/oscarRx/ViewScript2.jsp">
<violation number="1" location="src/main/webapp/oscarRx/ViewScript2.jsp:843">
P2: Back-to-Oscar no longer clears the stored ReRx selection list, so stale renewal checkboxes can leak into the next Rx session for this patient.</violation>
<violation number="2" location="src/main/webapp/oscarRx/ViewScript2.jsp:843">
P1: Don't close the popup immediately after submitting `clearPending('close')`; it can abort the stash-clear request.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxSessionFilter.java:103">
P1: Clear the session `Patient` when the requested demographic cannot be loaded; otherwise stale patient data can still be used for the request.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Revert RxSessionFilter mappings to before Struts2 in web.xml.
Struts2 short-circuits chain.doFilter() for .do action URLs,
so placing the filter after Struts2 prevented bean swapping
for actions like RxWriteScript2Action. Auth for .do URLs is
handled by SecurityInfoManager inside actions, not LoginFilter.
- Simplify CaseManagementView2Action and RxChoosePatient2Action
bean setup — remove redundant getFromSession lookups since
the filter handles per-request swapping.
- Restore RxShowAllergy2Action's original provider/demographic
match check to preserve existing bean state (stash, view).
- All three actions now use saveToSession instead of setAttribute
for per-patient key storage.
There was a problem hiding this comment.
5 issues found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/main/java/ca/openosp/openo/casemgmt/web/CaseManagementView2Action.java">
<violation number="1" location="src/main/java/ca/openosp/openo/casemgmt/web/CaseManagementView2Action.java:459">
P1: Reinitializing `RxSessionBean` here drops any staged prescriptions already stored for this patient.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxShowAllergy2Action.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxShowAllergy2Action.java:178">
P1: Compare provider numbers by value, not by `String` identity, or this branch can recreate the session bean and lose staged Rx state for the same provider.</violation>
<violation number="2" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxShowAllergy2Action.java:186">
P2: Validate `demographicNo` before parsing it; these direct `Integer.parseInt` calls now crash the action on malformed input.</violation>
</file>
<file name="src/main/java/ca/openosp/openo/prescript/pageUtil/RxChoosePatient2Action.java">
<violation number="1" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxChoosePatient2Action.java:85">
P1: Recreating the RxSessionBean here wipes the existing per-patient stash instead of reusing it.</violation>
<violation number="2" location="src/main/java/ca/openosp/openo/prescript/pageUtil/RxChoosePatient2Action.java:87">
P2: Restore validation around `demographicNo`; this inline parse now turns bad input into an unhandled 500.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
…pt to new save to session method usual setup
Collaborator
|
@LiamStanziani just want to confirm: is this PR still being worked on? ready for review/merge? |
Collaborator
Author
|
@sebastian-j-ibanez This PR is currently waiting for testing by Carmen, not currently working on it at the moment but I might need to update it later on if something comes up. Here is the other PR that I expect to be tested (which is the same branch but just going towards another base branch), if this goes well then this will be merged by Carmen: MagentaHealth#75 |
Resolved Conflicts: src/main/java/ca/openosp/openo/prescript/data/RxPrescriptionData.java src/main/webapp/oscarRx/SearchDrug3.jsp
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Scanned FilesNone |
LiamStanziani
added a commit
that referenced
this pull request
Apr 16, 2026
D3V41
approved these changes
Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In this PR, I have fixed:
I have tested this by:
User description
Summary by Sourcery
Implement per-patient prescription session handling and multi-tab safety across the Rx workflow to keep medications tied to the correct patient and avoid losing staged prescriptions.
Bug Fixes:
Enhancements:
Summary by cubic
Fixes missing or cross‑patient meds by isolating Rx sessions per patient and passing demographicNo across all requests so multiple tabs are safe. Save & Print, Allergies, and messenger preview now always use the right patient.
New Features
RxSessionBeanwithsaveToSessionand legacy fallback; used across Rx actions and JSPs.RxSessionFilterruns before Struts2 for/oscarRx/*,CaseManagementView.do, and messenger preview; swaps the correct bean andPatientper request; acceptsdemographicNo/demographic_no.rxSessionInterceptor.jsinjectsdemographicNointo Prototype, jQuery, fetch (preserves Request objects), and Rx forms;ViewScript*andSearchDrug3pass it through iframes and posts.Bug Fixes
randomIdreturns 400 JSON; supports String binding fordemographicNo; stricter parsing in actions/JSPs.Patient.Written for commit 910f52c. Summary will update on new commits.
Summary by Sourcery
Implement per-patient prescription session handling keyed by demographicNo to make Rx workflows safe across multiple tabs and windows and prevent cross-patient contamination.
Bug Fixes:
Enhancements:
Build:
Summary by CodeRabbit
New Features
Bug Fixes
PR Type
Bug fix, Enhancement
Description
Implement per-patient RxSessionBean storage with demographicNo-based session keys to prevent medication loss across multiple patient tabs
Add RxSessionFilter servlet filter to swap correct patient bean per request, enabling multi-tab prescription safety
Introduce rxSessionInterceptor.js to inject demographicNo into AJAX calls, forms, and iframes for consistent patient context
Improve error handling in prescription workflows with clearer validation and error messages for missing/invalid data
Diagram Walkthrough
File Walkthrough
12 files
Add per-patient session key helpers and storage methodsNew servlet filter for multi-patient tab session isolationUpdate to use per-patient RxSessionBean retrievalRefactor bean initialization with per-patient session supportUpdate RxSessionBean initialization with per-patient keysSimplify special instructions logging with clearer formatNew AJAX interceptor to propagate demographicNo across requestsEnhance patient data retrieval with demographicNo parameter supportAdd rxSessionInterceptor and improve lightwindow close handlingInclude rxSessionInterceptor and add demographicNo to iframe/formAdd rxSessionInterceptor and implement stash clearing on closeUpdate RxSessionBean initialization with per-patient session support1 files
Add validation and error handling for missing prescriptions1 files
Register RxSessionFilter for Rx-related URL patterns1 files
Minor formatting adjustment to struts configuration