bireme / proethos2


Users who have dual (M/I) roles must only have access to (I) functionality on proposals associated with their accounts #664

Open marcie-n opened 6 months ago

marcie-n commented 6 months ago

A security hole has been identified in ProEthos related to the "New comment" functionality, which serves as our primary logged communication system between the Secretary and research teams about their proposals.

Currently only users with the role "secretary" (S) and users with the role "investigator" (I) can see and type in this "new comment" box under Investigator Correspondence. Shown here:

[Screenshot: Screen Shot 2024-03-22 at 11 15 01 AM]

However, some committee members have accounts with both member (M) and investigator (I) access, which means there is a security loophole related to functionality, in which a committee member reviewing a proposal can access this section of a proposal and the "new comment" box and type in it as if they were a member of the research team.

[Screenshot: Screen Shot 2024-03-21 at 1 55 49 PM]

If one of these members with (I) access accidentally writes a comment in the box "correspondence", instead of "committee communication section", it is a BIG problem. It poses a conflict of interest and compromises the confidentiality of the member and the entire review process. We had an instance of this happening right before PAHOERC's meeting last week.

We have temporarily removed (I) access from all PAHOERC members (M) to avoid repeating this problem, but we need a more stable solution so members who also submit proposals as investigators are able to perform all their functions securely in ProEthos.

This is also an issue that would be relevant for ProEthos users in the country. I am creating a new ticket for this issue since it was only partially resolved and has become a bigger issue for PAHOERC since this issue.

Let me know if you have questions or need more examples of where and how this happens.
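The loophole described in this issue is a role-only authorization check where an object-level check is needed. The following is an added example, not ProEthos code, that puts the two side by side for the "new comment" box under Investigator Correspondence; the role letters S/M/I follow the issue, while the `User`/`Proposal` data model, the reviewer-assignment list and the sample accounts are constructed assumptions.

```python
# Added example (not ProEthos code): contrast a role-only check with an
# object-level check for the "Investigator Correspondence" comment box.
# Role names S/M/I follow the issue; the data model below is constructed.
from dataclasses import dataclass, field

SECRETARY, MEMBER, INVESTIGATOR = "S", "M", "I"

@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset

@dataclass
class Proposal:
    pid: int
    investigators: frozenset   # usernames on the research team (assumed field)
    reviewers: frozenset = field(default_factory=frozenset)  # assigned committee members

def can_comment_role_only(user: User, proposal: Proposal) -> bool:
    """The loophole: any holder of S or I may write investigator correspondence,
    regardless of whether the proposal is associated with their account."""
    return bool(user.roles & {SECRETARY, INVESTIGATOR})

def can_comment_investigator_correspondence(user: User, proposal: Proposal) -> bool:
    """Object-level check: the secretary may always write; an investigator only
    on proposals where their own account is on the research team. Holding M
    in addition to I grants nothing here."""
    if SECRETARY in user.roles:
        return True
    return INVESTIGATOR in user.roles and user.username in proposal.investigators

def can_comment_committee(user: User, proposal: Proposal) -> bool:
    """Committee communication section: members assigned as reviewers, and never
    the proposal's own investigators (conflict of interest)."""
    if SECRETARY in user.roles:
        return True
    return (MEMBER in user.roles and user.username in proposal.reviewers
            and user.username not in proposal.investigators)

# Constructed sample: alice holds M and I, reviews #101, and submitted #202 herself.
alice = User("alice", frozenset({MEMBER, INVESTIGATOR}))
bob = User("bob", frozenset({INVESTIGATOR}))
secretary = User("sec", frozenset({SECRETARY}))
p101 = Proposal(101, investigators=frozenset({"bob"}), reviewers=frozenset({"alice"}))
p202 = Proposal(202, investigators=frozenset({"alice"}))

if __name__ == "__main__":
    for label, check in [("role-only", can_comment_role_only),
                         ("object-level", can_comment_investigator_correspondence)]:
        print(f"{label}: alice on #101 -> {check(alice, p101)}, on #202 -> {check(alice, p202)}")
```

With the role-only check alice can post as if she were on #101's research team; with the object-level check she can only do so on #202, and the committee check keeps her out of the committee section of her own proposal.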