The Prescription Controller provides PDF generation and access control for medical prescriptions. Every request must come from an authenticated, verified user, and access to an individual prescription is then decided per request by the role-based ownership rules in authorizeAccess() described below.

Authentication

All endpoints require:
  • Middleware: auth, verified

Authorization

Access to prescriptions is controlled by the authorizeAccess() method with role-based rules:
  • Admin: Full access to all prescriptions
  • Doctor: Access to prescriptions from their own consultations
  • Patient: Access to their own prescriptions only
  • Receptionist: Full access (for distributing prescriptions to patients)
If none of these rules matches, the request is rejected with a 403 error whose message is “No tienes acceso a esta receta.” (“You do not have access to this prescription.”).

Endpoints

Download Prescription

GET /prescriptions/{prescription}/download
Generates and downloads the prescription as a PDF file.

Path Parameters

prescription
integer
required
Prescription ID

Response

Returns a downloadable PDF file with filename format:
receta-{patient_full_name}-{YYYYMMDD}.pdf
Example: receta-Juan Perez-20260304.pdf

Headers

Content-Type: application/pdf
Content-Disposition: attachment; filename="receta-Juan Perez-20260304.pdf"

Preview Prescription

GET /prescriptions/{prescription}/preview
Generates and displays the prescription PDF in the browser (inline view).

Path Parameters

prescription
integer
required
Prescription ID

Response

Returns a PDF stream for inline browser viewing.

Headers

Content-Type: application/pdf
Content-Disposition: inline

Authorization Logic

The controller validates access using the following logic:

Admin Role

if ($user->hasRole('admin')) {
    return; // Full access
}

Doctor Role

if ($user->hasRole('doctor') &&
    $prescription->consultation->doctor_id === $user->id) {
    return; // Access granted
}
Doctors can only access prescriptions from consultations they conducted. Two details matter here: the rule dereferences $prescription->consultation, so a prescription without a consultation does not produce a clean 403 but an error (Laravel turns the PHP "property on null" warning into an exception); and the comparison is against $user->id directly, so it only works if consultations.doctor_id stores the doctor's user ID, unlike the patient rule below, which first resolves the Patient record linked to the account.

Patient Role

if ($user->hasRole('patient')) {
    $patient = Patient::where('user_id', $user->id)->first();
    if ($patient && $prescription->patient_id === $patient->id) {
        return; // Access granted
    }
}
Patients can only access their own prescriptions.

Receptionist Role

if ($user->hasRole('receptionist')) {
    return; // Full access
}
Receptionists can access all prescriptions to assist with distribution. If none of the four rules returns early, authorizeAccess() aborts with the 403 response described under Error Responses.

PDF Generation

Prescriptions are generated using the GeneratePrescriptionPdfAction action class.

Required Relationships

Before generating the PDF, the consultation relationship must be loaded:
$prescription->load('consultation');
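The following controller assembles the four authorization rules above with the two endpoints and the consultation load. It is an added example, not the project's own source. It loads the consultation before authorizeAccess() runs (so the doctor rule also works if Model::preventLazyLoading() is enabled), and it assumes that GeneratePrescriptionPdfAction exposes an execute() method returning the raw PDF bytes, that the patient model has a full_name accessor, that the date in the filename is created_at, and the route registration shown in the comment; all of those are assumptions.

```php
<?php

namespace App\Http\Controllers;

use App\Actions\GeneratePrescriptionPdfAction;
use App\Models\Patient;
use App\Models\Prescription;
use Illuminate\Http\Response;
use Symfony\Component\HttpFoundation\StreamedResponse;

// Route wiring is an assumption; the page only names the middleware:
// Route::middleware(['auth', 'verified'])->group(function () {
//     Route::get('/prescriptions/{prescription}/download', [PrescriptionController::class, 'download']);
//     Route::get('/prescriptions/{prescription}/preview',  [PrescriptionController::class, 'preview']);
// });
class PrescriptionController extends Controller
{
    public function __construct(private GeneratePrescriptionPdfAction $generatePdf)
    {
    }

    // Route model binding resolves {prescription}; a missing or soft-deleted row is a 404
    // before this method runs. Ownership is enforced here, not by the binding.
    public function download(Prescription $prescription): StreamedResponse
    {
        $pdf = $this->authorizedPdf($prescription);

        // streamDownload() builds the Content-Disposition header itself and derives an
        // ASCII fallback filename, so a patient name such as "Pérez" cannot break the header.
        return response()->streamDownload(
            fn () => print($pdf),
            $this->filename($prescription),
            ['Content-Type' => 'application/pdf']
        );
    }

    public function preview(Prescription $prescription): Response
    {
        $pdf = $this->authorizedPdf($prescription);

        return response($pdf, 200, [
            'Content-Type'        => 'application/pdf',
            'Content-Disposition' => 'inline',
        ]);
    }

    // Shared pipeline: load consultation -> authorize -> generate. The load comes first
    // because the doctor rule reads $prescription->consultation.
    private function authorizedPdf(Prescription $prescription): string
    {
        $prescription->load('consultation');
        $this->authorizeAccess($prescription);

        return $this->generatePdf->execute($prescription); // assumed signature
    }

    private function authorizeAccess(Prescription $prescription): void
    {
        $user = auth()->user();

        // Admin and receptionist: unrestricted.
        if ($user->hasRole('admin') || $user->hasRole('receptionist')) {
            return;
        }

        // Doctor: only consultations they conducted. The nullsafe operator makes a
        // prescription with no consultation fall through to 403 instead of erroring.
        if ($user->hasRole('doctor')
            && $prescription->consultation?->doctor_id === $user->id) {
            return;
        }

        // Patient: resolve the Patient record linked to this account, then compare IDs.
        if ($user->hasRole('patient')) {
            $patient = Patient::where('user_id', $user->id)->first();
            if ($patient && $prescription->patient_id === $patient->id) {
                return;
            }
        }

        abort(403, 'No tienes acceso a esta receta.');
    }

    // receta-{patient_full_name}-{YYYYMMDD}.pdf; full_name and created_at are assumptions.
    private function filename(Prescription $prescription): string
    {
        return sprintf(
            'receta-%s-%s.pdf',
            $prescription->patient->full_name,
            $prescription->created_at->format('Ymd')
        );
    }
}
```

Admin and receptionist are merged into one early return because the page grants both unrestricted access; the remaining rules are evaluated in the same order as on this page, and a user holding several roles passes as soon as any one of them matches.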

Prescription Data Structure

prescription (object): Prescription model with relationships
  id (integer): Prescription ID
  consultation_id (integer): Associated consultation ID
  patient_id (integer): Patient ID
  patient (object): Patient information (name, document ID, etc.)
  doctor_id (integer): Prescribing doctor ID
  doctor (object): Doctor information (name, credentials)
  items (array): Array of prescribed medications, each with:
    medication (string): Medication name
    dosage (string): Dosage instructions
    frequency (string): Administration frequency
    duration (string): Treatment duration
  general_instructions (string): General prescription instructions
  created_at (datetime): Prescription creation timestamp

Implementation Details

  • Source: app/Http/Controllers/PrescriptionController.php
  • Routes: /prescriptions/{prescription}/download and /prescriptions/{prescription}/preview
  • Uses action class: GeneratePrescriptionPdfAction
  • Soft deletes enabled on Prescription model
  • Relationships: consultation, patient, doctor

Security Considerations

  1. Server-Side Validation: All access checks run server-side, in authorizeAccess(), before any PDF is generated, so a PDF is never produced for a request that fails authorization
  2. Consultation Loading: The doctor rule reads $prescription->consultation->doctor_id, so the consultation relationship must be available when the check runs
  3. Patient Matching: Patient role access requires resolving the Patient record linked to the user account (by user_id) and comparing its id with the prescription's patient_id; a user with the patient role but no linked Patient record is denied
  4. Route Model Binding: {prescription} is the numeric database ID, so the URLs are enumerable. Route model binding only resolves the ID to a model (a missing or soft-deleted row returns 404); it is authorizeAccess(), not the binding, that stops a user from reading another patient's prescription by changing the ID
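The checks above are best verified from the outside, with requests made as each role against a prescription that does not belong to the caller. The feature test below is an added example, not part of the project, and it assumes model factories for User, Patient, Consultation and Prescription, an assignRole() method on User (as provided by spatie/laravel-permission), that User::factory() creates users with a verified e-mail, and that consultations.doctor_id holds the doctor's user ID, which is what the doctor rule compares against.

```php
<?php

namespace Tests\Feature;

use App\Models\Consultation;
use App\Models\Patient;
use App\Models\Prescription;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PrescriptionAccessTest extends TestCase
{
    use RefreshDatabase;

    // Assumed: factories exist and assignRole() returns the user (spatie/laravel-permission).
    private function userWithRole(string $role): User
    {
        return User::factory()->create()->assignRole($role);
    }

    // Builds a prescription owned by $patientUser, issued in a consultation by $doctorUser.
    private function prescriptionFor(User $patientUser, User $doctorUser): Prescription
    {
        $patient = Patient::factory()->create(['user_id' => $patientUser->id]);
        $consultation = Consultation::factory()->create(['doctor_id' => $doctorUser->id]);

        return Prescription::factory()->create([
            'consultation_id' => $consultation->id,
            'patient_id'      => $patient->id,
        ]);
    }

    // The IDOR case: a patient changes the numeric ID in the URL to someone else's.
    public function test_patient_cannot_download_another_patients_prescription(): void
    {
        $doctor = $this->userWithRole('doctor');
        $owner  = $this->userWithRole('patient');
        $other  = $this->userWithRole('patient');
        $prescription = $this->prescriptionFor($owner, $doctor);

        $this->actingAs($other)
            ->get("/prescriptions/{$prescription->id}/download")
            ->assertForbidden();

        $this->actingAs($owner)
            ->get("/prescriptions/{$prescription->id}/download")
            ->assertOk()
            ->assertHeader('Content-Type', 'application/pdf');
    }

    public function test_doctor_cannot_preview_another_doctors_consultation(): void
    {
        $doctorA = $this->userWithRole('doctor');
        $doctorB = $this->userWithRole('doctor');
        $patient = $this->userWithRole('patient');
        $prescription = $this->prescriptionFor($patient, $doctorA);

        $this->actingAs($doctorB)
            ->get("/prescriptions/{$prescription->id}/preview")
            ->assertForbidden();

        $this->actingAs($doctorA)
            ->get("/prescriptions/{$prescription->id}/preview")
            ->assertOk();
    }

    // Soft-deleted rows are excluded by route model binding, even for an admin.
    public function test_soft_deleted_prescription_is_not_found_even_for_admin(): void
    {
        $admin = $this->userWithRole('admin');
        $prescription = $this->prescriptionFor(
            $this->userWithRole('patient'),
            $this->userWithRole('doctor')
        );
        $prescription->delete();

        $this->actingAs($admin)
            ->get("/prescriptions/{$prescription->id}/download")
            ->assertNotFound();
    }

    // The auth middleware runs before authorizeAccess(): no session, no PDF.
    public function test_guest_is_not_served_a_pdf(): void
    {
        $prescription = $this->prescriptionFor(
            $this->userWithRole('patient'),
            $this->userWithRole('doctor')
        );

        $this->get("/prescriptions/{$prescription->id}/download")
            ->assertRedirect(); // to the login page under the default auth middleware
    }
}
```

Run it with php artisan test --filter PrescriptionAccessTest. The first test is the one that matters most for this controller: with sequential IDs in the URL, it is the only thing standing between a signed-in patient and every other patient's prescription.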

Use Cases

Doctor Workflow

  1. Create consultation with prescription data via Consultation Controller
  2. Preview prescription: GET /prescriptions/{id}/preview
  3. Share the download link with the patient. The link carries no token: the patient must sign in, and the server grants access only because the patient record linked to their account owns the prescription

Patient Workflow

  1. View consultation history on patient portal
  2. Download prescription: GET /prescriptions/{id}/download
  3. Print or save PDF for pharmacy

Receptionist Workflow

  1. Access patient record
  2. Print prescription: GET /prescriptions/{id}/download
  3. Provide physical copy to patient

Error Responses

403 Forbidden

{
  "message": "No tienes acceso a esta receta."
}
Returned when an authenticated user requests a prescription that none of the authorization rules grants them (for example, a patient requesting another patient's prescription ID).

404 Not Found

Returned when the prescription ID does not exist or the prescription has been soft deleted; route model binding excludes soft-deleted rows by default, so the 404 is produced before authorizeAccess() runs and applies to every role, including admin.