When using the OrderService to save OrderGroups, I noticed that I was able to save underlying Drug Orders that should have failed validation and should not have been allowed (e.g. Drug Orders using SimpleDosingInstructions that had null dose, doseUnits, route, frequency, etc).
This is likely due to our implementation of validation, which is typically done via AOP on services that match a certain pattern (e.g. saveXyz(Xyz toSave), where Xyz is an OpenmrsObject with an associated validator).
If a given type lacks a validator, and if its underlying implementation does not explicitly save nested objects by calling back out to the Context (rather than calling internal methods), then the underlying objects will never get validated.
This seems to be the case here. We have a method:
OrderGroup has no associated validator, so no validation occurs at all around this method call itself.
Within its implementation, the code iterates over the underlying Orders in the group, and calls
Because it is calling "saveOrder" internally like this, and not calling "Context.getOrderService().saveOrder(order, null)", the AOP validation logic around the DrugOrder and Order classes is itself never getting called.
The fix here is to do one or both of the following:
- Add an OrderGroupValidator implementation that recursively validates the underlying Orders
- Change the implementation of saveOrderGroup to call Context.getOrderService().saveOrder(order, null), instead of just calling the method directly within the class.
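
The self-invocation behaviour described above, reproduced as an added example that is not OpenMRS code: a `java.lang.reflect.Proxy` stands in for the AOP validation advice, and every class, field and method body here (`Order`, `OrderGroup`, `OrderServiceImpl`, `self`, `withValidation`) is a hypothetical stand-in. It shows an invalid order being saved when the group save calls `saveOrder` directly, and being rejected when the nested save is routed back through the proxied service, as in the second fix.

```java
import java.lang.reflect.*;
import java.util.*;

public class SelfInvocationDemo {
    // Hypothetical stand-ins, not the OpenMRS classes.
    record Order(String dose) {}
    record OrderGroup(List<Order> orders) {}

    interface OrderService {
        Order saveOrder(Order o);
        OrderGroup saveOrderGroup(OrderGroup g);
    }

    static class OrderServiceImpl implements OrderService {
        final List<Order> saved = new ArrayList<>();
        OrderService self = this;   // default: nested saves are plain internal calls
        public Order saveOrder(Order o) { saved.add(o); return o; }
        public OrderGroup saveOrderGroup(OrderGroup g) {
            for (Order o : g.orders()) self.saveOrder(o);
            return g;
        }
    }

    // Advice: validate the argument of save* calls, but only Order has a validator here.
    static OrderService withValidation(OrderService target) {
        InvocationHandler h = (proxy, m, args) -> {
            if (m.getName().startsWith("save") && args[0] instanceof Order o && o.dose() == null)
                throw new IllegalArgumentException("dose is required");
            try { return m.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (OrderService) Proxy.newProxyInstance(
            OrderService.class.getClassLoader(), new Class<?>[] { OrderService.class }, h);
    }

    public static void main(String[] args) {
        OrderGroup bad = new OrderGroup(List.of(new Order(null)));  // constructed invalid input

        OrderServiceImpl impl = new OrderServiceImpl();
        withValidation(impl).saveOrderGroup(bad);      // internal call never reaches the advice
        System.out.println("internal call, orders saved: " + impl.saved.size());

        OrderServiceImpl fixedImpl = new OrderServiceImpl();
        OrderService fixed = withValidation(fixedImpl);
        fixedImpl.self = fixed;                        // nested save goes back through the proxy
        try { fixed.saveOrderGroup(bad); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("via proxy, orders saved: " + fixedImpl.saved.size());
    }
}
```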