NHSDigital · sandyforresternhs · Mar 12, 2026 · Feb 26, 2026 · Mar 3, 2026 · Mar 5, 2026
@@ -45,12 +45,18 @@ def handler(
             diagnostics="The requested DocumentReference could not be found"
         )
 
-    if result.type not in metadata.pointer_types:
+    allowed_types = (
+        metadata.nrl_permissions_policy.types
+        if metadata.nrl_permissions_policy
+        else metadata.pointer_types
+    )
+
+    if result.type not in allowed_types:
         logger.log(
             LogReference.CONREAD002,
             ods_code=metadata.ods_code,
             type=result.type,
-            pointer_types=metadata.pointer_types,
+            pointer_types=allowed_types,
         )
         return SpineErrorResponse.ACCESS_DENIED(
             diagnostics="The requested DocumentReference is not of a type that this organisation is allowed to access"

@@ -1,8 +1,10 @@
 import json
+from unittest.mock import patch
 
 from moto import mock_aws
 
 from api.consumer.readDocumentReference.read_document_reference import handler
+from nrlf.core.constants import CLIENT_RP_DETAILS, V2Headers
 from nrlf.core.dynamodb.repository import DocumentPointer, DocumentPointerRepository
 from nrlf.tests.data import load_document_reference
 from nrlf.tests.dynamodb import mock_repository
@@ -41,6 +43,47 @@ def test_read_document_reference_happy_path(
     assert parsed_body == doc_ref.model_dump(exclude_none=True)
 
 
+@mock_aws
+@mock_repository
+@patch("nrlf.core.decorators.get_pointer_permissions_v2")
+def test_read_document_reference_happy_path_v2(
+    get_pointer_permissions_mock, repository: DocumentPointerRepository
+):
+    doc_ref = load_document_reference("Y05868-736253002-Valid")
+    doc_pointer = DocumentPointer.from_document_reference(doc_ref)
+    repository.create(doc_pointer)
+
+    v2_headers = create_headers(
+        additional_headers={
+            V2Headers.NHSD_END_USER_ORGANISATION_ODS: "Y05868",
+            V2Headers.NHSD_NRL_APP_ID: "Y05868-TestApp-12345678",
+        }
+    )
+    v2_headers.pop(CLIENT_RP_DETAILS)
+
+    get_pointer_permissions_mock.return_value = {
+        "access_controls": [],
+        "types": ["http://snomed.info/sct|736253002"],
+    }
+
+    event = create_test_api_gateway_event(
+        headers=v2_headers,
+        path_parameters={"id": doc_pointer.id},
+    )
+
+    result = handler(event, create_mock_context())
+    body = result.pop("body")
+
+    assert result == {
+        "statusCode": "200",
+        "headers": default_response_headers(),
+        "isBase64Encoded": False,
+    }
+
+    parsed_body = json.loads(body)
+    assert parsed_body == doc_ref.model_dump(exclude_none=True)
+
+
 @mock_aws
 @mock_repository
 def test_read_document_reference_not_found(repository: DocumentPointerRepository):
@@ -159,6 +202,65 @@ def test_read_document_reference_unauthorised_for_type(
     }
 
 
+@mock_aws
+@mock_repository
+@patch("nrlf.core.decorators.get_pointer_permissions_v2")
+def test_read_document_reference_unauthorised_for_type_v2(
+    get_pointer_permissions_mock, repository: DocumentPointerRepository
+):
+    doc_ref = load_document_reference("Y05868-736253002-Valid")
+    doc_pointer = DocumentPointer.from_document_reference(doc_ref)
+    repository.create(doc_pointer)
+
+    headers = create_headers(
+        additional_headers={
+            V2Headers.NHSD_END_USER_ORGANISATION_ODS: "Y05868",
+            V2Headers.NHSD_NRL_APP_ID: "Y05868-TestApp-12345678",
+        }
+    )
+    headers.pop("nhsd-client-rp-details")
+
+    get_pointer_permissions_mock.return_value = {
+        "access_controls": [],
+        "types": ["http://snomed.info/sct|736373009"],
+    }
+
+    event = create_test_api_gateway_event(
+        headers=headers,
+        path_parameters={"id": doc_pointer.id},
+    )
+
+    result = handler(event, create_mock_context())
+    body = result.pop("body")
+
+    assert result == {
+        "statusCode": "403",
+        "headers": default_response_headers(),
+        "isBase64Encoded": False,
+    }
+
+    parsed_body = json.loads(body)
+    assert parsed_body == {
+        "resourceType": "OperationOutcome",
+        "issue": [
+            {
+                "severity": "error",
+                "code": "forbidden",
+                "details": {
+                    "coding": [
+                        {
+                            "code": "ACCESS DENIED",
+                            "display": "Access has been denied to process this request",
+                            "system": "https://fhir.nhs.uk/CodeSystem/Spine-ErrorOrWarningCode",
+                        }
+                    ]
+                },
+                "diagnostics": "The requested DocumentReference is not of a type that this organisation is allowed to access",
+            }
+        ],
+    }
+
+
 @mock_aws
 @mock_repository
 def test_document_reference_invalid_json(repository: DocumentPointerRepository):

@@ -50,11 +50,17 @@ def handler(
     base_url = f"https://{config.ENVIRONMENT}.api.service.nhs.uk/"
     self_link = f"{base_url}record-locator/consumer/FHIR/R4/DocumentReference?subject:identifier=https://fhir.nhs.uk/Id/nhs-number|{params.nhs_number}"
 
-    if not validate_type(params.type, metadata.pointer_types):
+    allowed_types = (
+        metadata.nrl_permissions_policy.types
+        if metadata.nrl_permissions_policy
+        else metadata.pointer_types
+    )
+
+    if not validate_type(params.type, allowed_types):
         logger.log(
             LogReference.CONSEARCH002,
             type=params.type,
-            pointer_types=metadata.pointer_types,
+            pointer_types=allowed_types,
         )
         return SpineErrorResponse.INVALID_CODE_SYSTEM(
             diagnostics="Invalid query parameter (The provided type does not match the allowed types for this organisation)",
@@ -80,7 +86,7 @@ def handler(
     if custodian_id:
         self_link += f"&custodian:identifier=https://fhir.nhs.uk/Id/ods-organization-code|{custodian_id}"
 
-    pointer_types = [params.type.root] if params.type else metadata.pointer_types
+    pointer_types = [params.type.root] if params.type else allowed_types
     if params.type:
         self_link += f"&type={params.type.root}"
 

@@ -7,9 +7,11 @@
 from nrlf.consumer.fhir.r4.model import CodeableConcept, Identifier
 from nrlf.core.constants import (
     CATEGORY_ATTRIBUTES,
+    CLIENT_RP_DETAILS,
     TYPE_ATTRIBUTES,
     Categories,
     PointerTypes,
+    V2Headers,
 )
 from nrlf.core.dynamodb.repository import DocumentPointer, DocumentPointerRepository
 from nrlf.tests.data import load_document_reference
@@ -63,6 +65,60 @@ def test_search_document_reference_happy_path(
     }
 
 
+@mock_aws
+@mock_repository
+@patch("nrlf.core.decorators.get_pointer_permissions_v2")
+def test_search_document_reference_happy_path_v2(
+    get_pointer_permissions_mock, repository: DocumentPointerRepository
+):
+    doc_ref = load_document_reference("Y05868-736253002-Valid")
+    doc_pointer = DocumentPointer.from_document_reference(doc_ref)
+    repository.create(doc_pointer)
+
+    v2_headers = create_headers(
+        additional_headers={
+            V2Headers.NHSD_END_USER_ORGANISATION_ODS: "Y05868",
+            V2Headers.NHSD_NRL_APP_ID: "Y05868-TestApp-12345678",
+        }
+    )
+    v2_headers.pop(CLIENT_RP_DETAILS)
+
+    get_pointer_permissions_mock.return_value = {
+        "access_controls": [],
+        "types": ["http://snomed.info/sct|736253002"],
+    }
+
+    event = create_test_api_gateway_event(
+        headers=v2_headers,
+        query_string_parameters={
+            "subject:identifier": "https://fhir.nhs.uk/Id/nhs-number|6700028191",
+        },
+    )
+
+    result = handler(event, create_mock_context())
+    body = result.pop("body")
+
+    assert result == {
+        "statusCode": "200",
+        "headers": default_response_headers(),
+        "isBase64Encoded": False,
+    }
+
+    parsed_body = json.loads(body)
+    assert parsed_body == {
+        "resourceType": "Bundle",
+        "type": "searchset",
+        "link": [
+            {
+                "relation": "self",
+                "url": "https://pytest.api.service.nhs.uk/record-locator/consumer/FHIR/R4/DocumentReference?subject:identifier=https://fhir.nhs.uk/Id/nhs-number|6700028191",
+            }
+        ],
+        "total": 1,
+        "entry": [{"resource": doc_ref.model_dump(exclude_none=True)}],
+    }
+
+
 @mock_aws
 @mock_repository
 def test_search_document_reference_accession_number_in_pointer(
@@ -680,6 +736,65 @@ def test_search_document_reference_invalid_type(
     }
 
 
+@mock_aws
+@mock_repository
+@patch("nrlf.core.decorators.get_pointer_permissions_v2")
+def test_search_document_reference_invalid_type_v2(
+    get_pointer_permissions_mock, repository: DocumentPointerRepository
+):
+    v2_headers = create_headers(
+        additional_headers={
+            V2Headers.NHSD_END_USER_ORGANISATION_ODS: "Y05868",
+            V2Headers.NHSD_NRL_APP_ID: "Y05868-TestApp-12345678",
+        }
+    )
+    v2_headers.pop(CLIENT_RP_DETAILS)
+
+    get_pointer_permissions_mock.return_value = {
+        "access_controls": [],
+        "types": ["http://snomed.info/sct|736253002"],
+    }
+
+    event = create_test_api_gateway_event(
+        headers=v2_headers,
+        query_string_parameters={
+            "subject:identifier": "https://fhir.nhs.uk/Id/nhs-number|6700028191",
+            "type": "http://snomed.info/sct|861421000000109",
+        },
+    )
+
+    result = handler(event, create_mock_context())
+    body = result.pop("body")
+
+    assert result == {
+        "statusCode": "400",
+        "headers": default_response_headers(),
+        "isBase64Encoded": False,
+    }
+
+    parsed_body = json.loads(body)
+    assert parsed_body == {
+        "resourceType": "OperationOutcome",
+        "issue": [
+            {
+                "severity": "error",
+                "code": "code-invalid",
+                "details": {
+                    "coding": [
+                        {
+                            "code": "INVALID_CODE_SYSTEM",
+                            "display": "Invalid code system",
+                            "system": "https://fhir.nhs.uk/CodeSystem/Spine-ErrorOrWarningCode",
+                        }
+                    ]
+                },
+                "diagnostics": "Invalid query parameter (The provided type does not match the allowed types for this organisation)",
+                "expression": ["type"],
+            }
+        ],
+    }
+
+
 @mock_aws
 @mock_repository
 def test_search_document_reference_invalid_category(

@@ -50,11 +50,17 @@ def handler(
     base_url = f"https://{config.ENVIRONMENT}.api.service.nhs.uk/"
     self_link = f"{base_url}record-locator/consumer/FHIR/R4/DocumentReference?subject:identifier=https://fhir.nhs.uk/Id/nhs-number|{body.nhs_number}"
 
-    if not validate_type(body.type, metadata.pointer_types):
+    allowed_types = (
+        metadata.nrl_permissions_policy.types
+        if metadata.nrl_permissions_policy
+        else metadata.pointer_types
+    )
+
+    if not validate_type(body.type, allowed_types):
         logger.log(
             LogReference.CONPOSTSEARCH002,
             type=body.type,
-            pointer_types=metadata.pointer_types,
+            pointer_types=allowed_types,
         )
         return SpineErrorResponse.INVALID_CODE_SYSTEM(
             diagnostics="The provided type does not match the allowed types for this organisation",
@@ -80,7 +86,7 @@ def handler(
     if custodian_id:
         self_link += f"&custodian:identifier=https://fhir.nhs.uk/Id/ods-organization-code|{custodian_id}"
 
-    pointer_types = [body.type.root] if body.type else metadata.pointer_types
+    pointer_types = [body.type.root] if body.type else allowed_types
     if body.type:
         self_link += f"&type={body.type.root}"