Currently, many of the controller methods enforce no access control beyond checking that the user belongs to a role; they do not check that the user is authorized for the specific object being acted on.
For example, this means that any doctor may be able to take actions on cases that they aren't assigned to.
There are currently two service methods implemented at a basic level to achieve some granularity. These are only used in a few places across the controllers.
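To make the gap concrete, here is an added illustration (not the project's own code) of a role-only check beside a check that also requires the doctor to be assigned to the case; the `User`/`Case` model, the in-memory case store, and the helper names are assumptions for the example.

```python
# Added example: role-only authorization versus role-plus-assignment
# authorization. Data model and helper names are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass
class Case:
    id: int
    assigned_doctor_ids: set = field(default_factory=set)


# Constructed sample data: two cases, each assigned to a different doctor.
CASES = {
    1: Case(id=1, assigned_doctor_ids={10}),
    2: Case(id=2, assigned_doctor_ids={11}),
}


def can_act_role_only(user: User, case_id: int) -> bool:
    """The pattern described above: any doctor passes, assignment is ignored."""
    return "doctor" in user.roles and case_id in CASES


def can_act_on_case(user: User, case_id: int) -> bool:
    """Object-level check: the user must be a doctor AND assigned to this case."""
    case = CASES.get(case_id)
    if case is None:
        return False  # unknown case: deny, same response as an unassigned case
    return "doctor" in user.roles and user.id in case.assigned_doctor_ids


def close_case(user: User, case_id: int) -> str:
    """A controller action that runs the object-level check before acting."""
    if not can_act_on_case(user, case_id):
        return "forbidden"
    return f"case {case_id} closed by user {user.id}"
```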