Feature: show providers' documents in the attachment manager

[LiamStanziani]

NOTE: THIS DESCRIPTION AND FUNCTIONALITY IS IN PROGRESS, THE DESCRIPTION HIGHLIGHTS THE OLD VERSION OF THIS FEATURE, AND WILL BE UPDATED LATER WHEN THE FULL IMPLEMENTATION IS APPROVED

In this PR, I have:

• Added functionality so that the attachment manager page (viewed through either consultations, or eForms), will show a section for private provider documents, and will pull the currently logged in provider's documents and show in the section

I have tested this by:

• Creating multiple private documents, ensuring that the attachment manager page shows the private document section, and the correct private documents are listed/viewable

Summary by Sourcery

Expose provider-specific private documents in the attachment manager for both consultation requests and general document previews.

New Features:

• Display a "Private Documents" section in the attachment manager listing the logged-in provider’s private documents with selection and preview controls.

Enhancements:

• Populate attachment manager views with provider private documents fetched for the logged-in provider across consultation and document preview flows.

---

Summary by cubic

Shows the logged-in provider’s private documents and all public provider documents in the attachment manager for consultations and eForms. Adds “Private Provider Documents,” “Public Provider Documents,” renames “Documents” to “Patient Documents,” and surfaces soft-deleted attachments.

• New Features

  • Fetches provider private/public docs via EDocUtil.getProviderPrivateDocs(...) and getProviderPublicDocs(...) in DocumentPreview2Action and ConsultationAttachDocs2Action.
  • Renders new sections with select-all, preview, and “show more” (first 20); updates labels/tooltips and HTML-encodes doc titles.
  • Persists selections when switching categories in consultations and eForms; warns on attaching private provider documents and skips the warning for pre-attached ones.

• Bug Fixes

  • Merges soft-deleted attached docs into the correct sections and marks them as “(deleted)” with muted styling; adds null guards and wraps lists to avoid errors.
  • Fixes provider document detach by correcting entry identifiers; updates confirmation dialog copy for clarity.
  • Simplifies provider doc checkbox IDs to match the name+value===id convention, removing unnecessary fallback resolution.

^{Written for commit cccb179. Summary will update on new commits.}

Summary by CodeRabbit

Release Notes

• New Features
  • Provider-specific private documents are now accessible within document attachment and preview interfaces.
  • Users can view, select, and preview private documents scoped to their provider account, complete with select-all and expand functionality.

[sourcery-ai]

Reviewer's Guide

Adds support for showing the logged-in provider’s private documents in the attachment manager for consultations and eForms by fetching provider-specific private docs server-side and rendering a new selectable, paginated “Private Documents” section in the JSP.

Sequence diagram for loading provider private documents in attachment manager

sequenceDiagram
    actor Provider
    participant Browser
    participant ConsultationAttachDocs2Action
    participant DocumentPreview2Action
    participant EDocUtil
    participant JSP_attachDocument

    Provider->>Browser: Open attachment manager (consultation or eForm)
    Browser->>ConsultationAttachDocs2Action: HTTP GET /consultation/attachDocs
    ConsultationAttachDocs2Action->>EDocUtil: listDocs(loggedInInfo, demographic, demographicNo, null, PRIVATE, OBSERVATIONDATE)
    EDocUtil-->>ConsultationAttachDocs2Action: allDocuments
    ConsultationAttachDocs2Action->>EDocUtil: listDocs(loggedInInfo, providers, providerNo, null, PRIVATE, OBSERVATIONDATE)
    EDocUtil-->>ConsultationAttachDocs2Action: providerPrivateDocs
    ConsultationAttachDocs2Action->>ConsultationAttachDocs2Action: build attachedDocumentIds
    ConsultationAttachDocs2Action->>JSP_attachDocument: Forward with allDocuments, providerPrivateDocs, allLabs, allForms, allEForms

    alt eForm preview flow
        Provider->>Browser: Open attachment manager from eForm
        Browser->>DocumentPreview2Action: HTTP GET /document/preview
        DocumentPreview2Action->>EDocUtil: listDocs(loggedInInfo, demographic, demographicNo, null, PRIVATE, OBSERVATIONDATE)
        EDocUtil-->>DocumentPreview2Action: allDocuments
        DocumentPreview2Action->>EDocUtil: listDocs(loggedInInfo, providers, providerNo, null, PRIVATE, OBSERVATIONDATE)
        EDocUtil-->>DocumentPreview2Action: providerPrivateDocs
        DocumentPreview2Action->>JSP_attachDocument: Forward with allDocuments, providerPrivateDocs, allHRMDocuments, allLabsSortedByVersions, allForms
    end

    JSP_attachDocument-->>Browser: Render attachment manager with Private Documents section
    Provider->>Browser: Select and preview provider private documents
    Browser->>DocumentPreview2Action: getPdf(DOC, docId, renderEDocPDF)
    DocumentPreview2Action-->>Browser: PDF response

Loading

Class diagram for actions populating provider private documents

classDiagram
    class ConsultationAttachDocs2Action {
        +String fetchAll()
        -HttpServletRequest request
        -DocumentAttachmentManager documentAttachmentManager
        -FormsManager formsManager
        -EFormManager eFormManager
        -LoggedInInfo loggedInInfo
        -String demographicNo
        -String requestId
        -List~EDoc~ allDocuments
        -List~EDoc~ providerPrivateDocs
        -List~EDoc~ attachedDocuments
    }

    class DocumentPreview2Action {
        -HttpServletRequest request
        -DocumentAttachmentManager documentAttachmentManager
        -FormsManager formsManager
        -void populateCommonDocs(LoggedInInfo loggedInInfo, String demographicNo)
        -List~EDoc~ allDocuments
        -List~EDoc~ providerPrivateDocs
        -List~AttachmentLabResultData~ allLabsSortedByVersions
        -List~EctFormData.PatientForm~ allForms
    }

    class EDocUtil {
        +List~EDoc~ listDocs(LoggedInInfo loggedInInfo, String type, String ownerId, String requestId, int visibility, EDocSort sort)
        <<static>>
        +int PRIVATE
        +EDocSort EDocSort
    }

    class JSP_attachDocument {
        +allDocuments
        +providerPrivateDocs
        +allLabs
        +allForms
        +allEForms
        +allHRMDocuments
        +allLabsSortedByVersions
        +renderPrivateDocumentsSection()
    }

    ConsultationAttachDocs2Action --> EDocUtil : uses listDocs demographic
    ConsultationAttachDocs2Action --> EDocUtil : uses listDocs providers
    ConsultationAttachDocs2Action --> JSP_attachDocument : sets providerPrivateDocs

    DocumentPreview2Action --> EDocUtil : uses listDocs demographic
    DocumentPreview2Action --> EDocUtil : uses listDocs providers
    DocumentPreview2Action --> JSP_attachDocument : sets providerPrivateDocs

Loading

File-Level Changes

Change	Details	Files
Render a new Private Documents section in the attachment manager UI when provider private documents are available, including bulk-select, preview, and show-more behaviour.	Add a conditional JSP block that renders a Private Documents header and list if providerPrivateDocs is not empty Render each provider document as a checkbox with description and observation date plus a Preview button wired to getPdf Add select-all checkbox that calls existing toggleSelectAll helper for items with a provider-specific ID prefix Add a Show More button that reveals documents beyond the first 20 using existing showAll behaviour and CSS classes	src/main/webapp/documentManager/attachDocument.jsp
Populate provider-specific private documents in backend actions for both generic document preview and consultation attach flows, and expose them to the JSP as request attributes.	In DocumentPreview2Action.populateCommonDocs, fetch private documents for the logged-in provider using EDocUtil.listDocs with type 'providers' and the providerNo Set the fetched providerPrivateDocs on the request so the JSP can render them In ConsultationAttachDocs2Action.fetchAll, similarly fetch provider private docs for the logged-in provider and attach them to the request Leave existing demographic document, labs, forms, and attached-doc retrieval logic unchanged while augmenting request attributes with providerPrivateDocs	src/main/java/ca/openosp/openo/documentManager/actions/DocumentPreview2Action.java src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java

Possibly linked issues

• #[Feature]: PR implements the feature request by loading and displaying providerPrivateDocs in the attachment manager UI.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

Two action classes are updated to retrieve provider-scoped private documents and expose them as request attributes. A JSP view is modified to display these provider-private documents in a new UI section alongside existing document listings.

Changes

Cohort / File(s)	Summary
Backend Document Retrieval src/main/java/ca/openosp/openo/documentManager/actions/DocumentPreview2Action.java, src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java	Added retrieval of provider-scoped private documents using EDocUtil.listDocs with type "providers", logged-in provider number, PRIVATE access level, and OBSERVATIONDATE sort. Documents exposed to view via request attribute.
Frontend Document Display src/main/webapp/documentManager/attachDocument.jsp	New UI section rendering "Private Documents" with header, checkbox-enabled item list (first 20 shown), per-item Preview buttons, select-all functionality, and "Show More" toggle. Follows existing document section patterns.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• D3V41

Poem

🐰 A provider's secrets now shine bright,
Private docs bundled left and right,
New UI sections, mirrors so fine,
Fetch, display, and align,
The document dance—all working right! 📋

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: adding a feature to display providers' private documents in the attachment manager, which is the main objective of the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/show-providers-private-documents-attachment-manager

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @LiamStanziani, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the attachment manager functionality by introducing a dedicated section for private documents owned by the logged-in provider. This allows providers to easily view and manage their personal documents directly within the attachment interface, improving accessibility and workflow efficiency.

Highlights

• Attachment Manager Enhancement: Added a new section within the attachment manager page to display private documents belonging to the currently logged-in provider.
• Provider Document Retrieval: Implemented logic to fetch and make available the private documents associated with the logged-in provider for display.
• User Interface Update: Integrated UI components for listing, selecting, and previewing these private provider documents, including 'Select all' and 'Show More' features.

Changelog

• src/main/java/ca/openosp/openo/documentManager/actions/DocumentPreview2Action.java
  • Retrieved the logged-in provider's number.
  • Fetched a list of private documents associated with the logged-in provider.
  • Made the fetched provider private documents available to the request attributes.
• src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java
  • Retrieved the logged-in provider's number.
  • Fetched a list of private documents associated with the logged-in provider.
  • Made the fetched provider private documents available to the request attributes.
• src/main/webapp/documentManager/attachDocument.jsp
  • Added a new conditional section to display 'Private Documents' if providerPrivateDocs are not empty.
  • Implemented a list (
    ) to iterate and display each private document.
    • Included 'Select all' checkbox functionality for private documents.
    • Added a 'Show More' button for lists exceeding 20 private documents.
    • Provided a 'Preview' button for each private document.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[LiamStanziani]

@coderabbitai review

[LiamStanziani]

@SourceryAI review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The logic to fetch provider private documents in both DocumentPreview2Action.populateCommonDocs and ConsultationAttachDocs2Action.fetchAll is duplicated; consider extracting a shared helper to reduce repetition and keep behavior consistent.
• The 'Show X More Private Documents' button always computes ${providerPrivateDocs.size() - 20} even when size ≤ 20 and only hides via CSS; you may want to render the button and its title text conditionally so the DOM doesn’t contain negative or misleading counts.
• The select-all checkbox calls toggleSelectAll(this, 'providerDocument_'); but the individual provider checkboxes use IDs starting with providerDocNo and class providerDocument_check; verify and align the selector/prefix so the select-all behavior works for this new section.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The logic to fetch provider private documents in both DocumentPreview2Action.populateCommonDocs and ConsultationAttachDocs2Action.fetchAll is duplicated; consider extracting a shared helper to reduce repetition and keep behavior consistent.
- The 'Show X More Private Documents' button always computes `${providerPrivateDocs.size() - 20}` even when size ≤ 20 and only hides via CSS; you may want to render the button and its title text conditionally so the DOM doesn’t contain negative or misleading counts.
- The select-all checkbox calls `toggleSelectAll(this, 'providerDocument_');` but the individual provider checkboxes use IDs starting with `providerDocNo` and class `providerDocument_check`; verify and align the selector/prefix so the select-all behavior works for this new section.

## Individual Comments

### Comment 1
<location> `src/main/webapp/documentManager/attachDocument.jsp:381-382` </location>
<code_context>
+                                           onclick="toggleSelectAll(this, 'providerDocument_');" value="providerDocument_check"
+                                           title="Select/un-select all private documents."/>
+                                    <label for="selectAllProviderDocuments">Select all</label>
+                                    <button class="show-all-button ${providerPrivateDocs.size() > 20 ? '' : 'hide'}"
+                                            type="button" title="Show ${providerPrivateDocs.size() - 20} More Private Documents"
+                                            onclick="showAll(this, 'providerDoc')">Show ${providerPrivateDocs.size() - 20} More
+                                        Private Documents
</code_context>

<issue_to_address>
**issue (bug_risk):** When there are fewer than 20 private documents, the hidden button will still contain a negative count in its text/title.

The button is visually hidden when `providerPrivateDocs.size() <= 20`, but the title and label still compute `size() - 20`, so with 5 docs the DOM contains “Show -15 More Private Documents”. This is misleading for assistive tech and could become visible if styles change. Consider only rendering the button when `size() > 20`, or clamping/omitting the count when `size() <= 20`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request adds the functionality to display a provider's private documents in the attachment manager. The changes in the Java action classes correctly fetch the private documents and pass them to the JSP. The JSP is updated to render these documents in a new section. My review has identified a couple of areas with significant code duplication, both in the Java action classes and in the JSP file. I've left comments with suggestions on how to refactor this duplicated code to improve maintainability and consistency. Addressing these points would make the code cleaner and easier to manage in the future.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java (1)

80-171: ⚠️ Potential issue | 🔴 Critical

Missing SecurityInfoManager.hasPrivilege() check in action methods.

The coding guidelines require all Struts2 actions to include SecurityInfoManager.hasPrivilege() checks before performing operations, with the security check as the first operation before any business logic. The fetchAll() method lacks this check. This method accesses sensitive patient health information (labs, documents, forms, eforms, HRM data) without privilege verification, creating a security gap.

Add a privilege check at the top of fetchAll():

Proposed fix

 public String fetchAll() {
+    if (!securityInfoManager.hasPrivilege(LoggedInInfo.getLoggedInInfoFromSession(request), "_con", "r", null)) {
+        throw new SecurityException("missing required sec object (_con)");
+    }
 
     LoggedInInfo loggedInInfo = LoggedInInfo.getLoggedInInfoFromSession(request);

Also inject SecurityInfoManager as a field:

 FaxManager faxManager = SpringUtils.getBean(FaxManager.class);
+SecurityInfoManager securityInfoManager = SpringUtils.getBean(SecurityInfoManager.class);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java`
around lines 80 - 171, The fetchAll() action is missing the required privilege
check; inject a SecurityInfoManager field (e.g., private SecurityInfoManager
securityInfoManager; via SpringUtils.getBean or as a class member) and at the
very start of fetchAll() call securityInfoManager.hasPrivilege(loggedInInfo,
<appropriate-privilege-constant>) (use the same LoggedInInfo obtained by
LoggedInInfo.getLoggedInInfoFromSession(request)); if the check fails return the
appropriate security result (e.g., "security" or redirect/HTTP 403) immediately
before any business logic (before populating labs/docs/forms/HRM) to prevent
access to patient data. Ensure the call and early return are placed in
ConsultationAttachDocs2Action.fetchAll().

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/main/webapp/documentManager/attachDocument.jsp`:
- Line 391: The title attribute is inserting document.description directly into
HTML (title="${ document.description }") creating an XSS risk; change the
attribute to use an encoder such as OWASP Encoder's
Encode.forHtmlAttribute(document.getDescription()) or JSTL
fn:escapeXml(document.description) so the value is HTML-attribute-encoded;
update both occurrences that set title from document.description (the new code
at line ~391 and the pre-existing one around line ~355) to call the encoder
instead of embedding the raw property, keeping the existing <c:out> usage for
label content unchanged.
- Line 389: The private-document checkbox input currently includes the class
"document_check" so toggleSelectAll(this, 'document_') also toggles private
docs; update the input element in attachDocument.jsp (the checkbox with
class="providerDocument_check document_check") to remove the "document_check"
prefix (e.g., use "private_document_check" or just "providerDocument_check") so
it no longer matches the 'document_' selector used by toggleSelectAll; if you
introduce a new class like "private_document_check", ensure any JS that should
target private docs is updated accordingly.

---

Outside diff comments:
In
`@src/main/java/ca/openosp/openo/encounter/oscarConsultationRequest/pageUtil/ConsultationAttachDocs2Action.java`:
- Around line 80-171: The fetchAll() action is missing the required privilege
check; inject a SecurityInfoManager field (e.g., private SecurityInfoManager
securityInfoManager; via SpringUtils.getBean or as a class member) and at the
very start of fetchAll() call securityInfoManager.hasPrivilege(loggedInInfo,
<appropriate-privilege-constant>) (use the same LoggedInInfo obtained by
LoggedInInfo.getLoggedInInfoFromSession(request)); if the check fails return the
appropriate security result (e.g., "security" or redirect/HTTP 403) immediately
before any business logic (before populating labs/docs/forms/HRM) to prevent
access to patient data. Ensure the call and early return are placed in
ConsultationAttachDocs2Action.fetchAll().

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[sebastian-j-ibanez]

@LiamStanziani just want to confirm: this PR is still being worked on, correct?

[LiamStanziani]

@sebastian-j-ibanez This PR is waiting for testing by Keith, not currently working it at the moment but I might need to update it later on if something comes up.

Since this is in draft I will probably need to update it somewhat when setting it ready to review for AI comments, but I plan to do that after Keith has approved the feature behaviour.

[sebastian-j-ibanez]

Okay, sounds good!

Just wanted to make sure this should be kept open.