rcpch / national-paediatric-diabetes-audit

A django application to audit the care of children and young people with diabetes in England and Wales.

Permissions not correlated to permissions in code #114

Open dc2007git opened 3 weeks ago

dc2007git commented 3 weeks ago

In the documentation, we specify the permissions that each user type should be granted:

image

Here we can see that a clinician should NOT be able to delete a Patient instance. However, in the code for the permissions, a clinician has TRUST_AUDIT_TEAM_EDIT_ACCESS permissions, which means they have EDITOR_PERMISSIONS, which means they have the delete_patient permission.

It seems like there is the same discrepancy between the docs and code for deletion permissions for Site and Visit also, for the type clinician. Additionally, for Change, Delete, and Add Site, a clinician would have access to these as per the permissions in the code, whereas the docs say this should not be the case:

image

@eatyourpeas should we perhaps go over the permissions together? If the table is the ground truth then I'm happy to implement this in the code, or vice versa?
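The drift described in this comment (a role placed in a group whose permission bundle silently includes delete rights the documentation denies) can be caught mechanically. The following is an added example, not code from the rcpch repository: it resolves each role through its group to a flat permission set and diffs that against a documented matrix. The role names, codenames and table contents are constructed stand-ins; only TRUST_AUDIT_TEAM_EDIT_ACCESS, EDITOR_PERMISSIONS and delete_patient come from the issue text.

```python
# Added example (not from the rcpch project): detect disagreement between a
# documented role/permission table and the role -> group -> permission chain
# defined in code. Everything below is constructed for illustration.

# Constructed stand-in for the documentation table: role -> allowed codenames.
# "clinician" is from the issue; "audit_lead" is a hypothetical second role.
DOCUMENTED = {
    "clinician": {"view_patient", "add_patient", "change_patient",
                  "view_visit", "add_visit", "change_visit", "view_site"},
    "audit_lead": {"view_patient", "add_patient", "change_patient", "delete_patient",
                   "view_visit", "add_visit", "change_visit", "delete_visit",
                   "view_site", "add_site", "change_site", "delete_site"},
}

# Constructed stand-in for the code side: a permission bundle and the group
# each role is placed in. Mirrors the chain the issue describes
# (TRUST_AUDIT_TEAM_EDIT_ACCESS -> EDITOR_PERMISSIONS -> delete_patient).
EDITOR_PERMISSIONS = {
    "view_patient", "add_patient", "change_patient", "delete_patient",
    "view_visit", "add_visit", "change_visit", "delete_visit",
    "view_site", "add_site", "change_site", "delete_site",
}
GROUPS = {"TRUST_AUDIT_TEAM_EDIT_ACCESS": EDITOR_PERMISSIONS}
ROLE_TO_GROUP = {"clinician": "TRUST_AUDIT_TEAM_EDIT_ACCESS",
                 "audit_lead": "TRUST_AUDIT_TEAM_EDIT_ACCESS"}


def effective_permissions(role, role_to_group=ROLE_TO_GROUP, groups=GROUPS):
    """Resolve a role to the flat set of codenames the code actually grants."""
    return set(groups[role_to_group[role]])


def permission_drift(documented=DOCUMENTED, role_to_group=ROLE_TO_GROUP, groups=GROUPS):
    """Return {role: (granted_but_undocumented, documented_but_missing)} for
    every role where code and documentation disagree; empty dict if aligned."""
    drift = {}
    for role, allowed in documented.items():
        granted = effective_permissions(role, role_to_group, groups)
        extra, missing = granted - allowed, allowed - granted
        if extra or missing:
            drift[role] = (sorted(extra), sorted(missing))
    return drift


if __name__ == "__main__":
    for role, (extra, missing) in permission_drift().items():
        print(f"{role}: code grants but docs deny {extra}; docs allow but code lacks {missing}")
```

Run as a test in CI so that any change to a group's bundle that widens a role beyond its documented row fails the build instead of surfacing later in review.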

eatyourpeas commented 2 weeks ago

Yes let's go through it on Thursday. I don't think editor access means you can delete things.