search

SORMAS-Foundation / SORMAS-Project

SORMAS (Surveillance, Outbreak Response Management and Analysis System) is an early warning and management system to fight the spread of infectious diseases.
https://sormas.org
GNU General Public License v3.0
293 stars 143 forks source link

[Users] Users limited by a disease should not be able to delete and edit entities of other diseases [2] #11715

Closed adinaflorea9 closed 1 year ago

adinaflorea9 commented 1 year ago

Problem Description

Users that are restricted by a certain disease can delete and edit entities of other diseases (that they are not the reporter of/or the assignee of) if they have the URL of the entity.

This behavior is reproducible for:

For immunizations, the behavior is not reproducible as either the whole page is read only (including the 'Delete' button) or a warning message appears when the user tries to delete the immunization, informing them that the immunization is out of their jurisdiction.

Reproduction Steps

  1. Logged in with an Admin+NatUser copy the URLs of multiple entities of any disease other than Dengue;
  2. Log in with a configured user (it can be configured to have all of the user rights) that is restricted to 'Dengue';
  3. Paste each copied URL, observe the status of the 'Delete' button (is enabled);
  4. Delete the entity.

Proposed change

The user restricted by disease should not be able to delete and edit entities that are outside their 'disease jurisdiction'.

Added Value/Benefit

Consistency in what concerns the delete and edit rights of restricted users.

Acceptance Criteria

Users restricted by a disease can not edit or delete entities of other diseases that they are not the reporter of/assignee of. (It's fine that they can still access it because we don't have a pattern in place that restricts users from accessing data when entering the specific URL right now)

Implementation details

Additional Information

Note regarding entities that do not have disease as a mandatory field - the user restricted by a certain disease will not have access to them or to edit the entities that have no associated disease.

Event groups the logic here will not be changed with the current ticket. A separate change request will be created for it.

leventegal-she commented 1 year ago

This is not a bug, this restriction was never implemented. For example cases are even editable not only deletable.

Should be changed into feature and needs refinement

adinaflorea9 commented 1 year ago

Verified ticket on https://test.sormas.netzlink.com/ using SORMAS version - 1.84.0-SNAPSHOT(31e72ae).

StefanKock commented 1 year ago

Probably unintended change to persistence.xml !

StefanKock commented 1 year ago

Probably unintended change to persistence.xml !

Was already fixed by aaec448dcb42ec1fdfbe5f70b4d68570d23afbd2