Open pauljohanneskraft opened 2 weeks ago
We would need to attach a role to a clinician and we need to define the types of roles and what they should access.
We should explore this in combination with having cloud functions that observe clinician roles and changes in roles -> permissions mappings and store these as claims in Firebase Auth (https://firebase.google.com/docs/auth/admin/custom-claims).
Problem
Currently, the security rules do not consider all the information we have specified in the data scheme document.
Solution
Update the rules so that each clinician can only access patient data of the same organization and each patient can only access their own information. Top-level data may be available for every user (e.g. /medications/$medicationId$).
Additional context
No response
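An added example, not part of the issue or the project's own rules: one way the requested Firestore rules could look when the role and organization are carried as custom claims. Only `/medications/{medicationId}` comes from the issue. The `/patients/{patientId}` layout, its `organization` field, the `observations` subcollection, the `role` and `organization` claim names, and treating "every user" as every signed-in user are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed custom claims, set server-side by a Cloud Function through the Admin SDK:
    //   role: 'clinician' | 'patient', organization: '<organizationId>'
    function signedIn() {
      return request.auth != null;
    }
    function isClinicianOf(organizationId) {
      return signedIn()
        && request.auth.token.role == 'clinician'
        && request.auth.token.organization == organizationId;
    }
    function isPatient(patientId) {
      return signedIn() && request.auth.uid == patientId;
    }

    // Top-level reference data: readable by any signed-in user, never writable by clients.
    match /medications/{medicationId} {
      allow read: if signedIn();
      allow write: if false;
    }

    // Hypothetical layout: one document per patient, with an `organization` field.
    match /patients/{patientId} {
      allow read: if isPatient(patientId) || isClinicianOf(resource.data.organization);
      allow create: if isClinicianOf(request.resource.data.organization);
      // An update must not move the patient into a different organization.
      allow update: if (isPatient(patientId) || isClinicianOf(resource.data.organization))
        && request.resource.data.organization == resource.data.organization;
      allow delete: if false;

      // Rules do not cascade to subcollections, so the nested data repeats the check
      // and reads the organization from the parent patient document.
      match /observations/{observationId} {
        allow read, write: if isPatient(patientId)
          || isClinicianOf(get(/databases/$(database)/documents/patients/$(patientId)).data.organization);
      }
    }
  }
}
```

Because the claims live in the ID token, a role or organization change only takes effect in these rules once the client's token is refreshed.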