rcpch / rcpch-audit-engine

Epilepsy12 Audit Platform
https://e12.rcpch.ac.uk/
GNU Affero General Public License v3.0

Community paediatrics users appearing under multiple organisations #794

Closed AmaniKrayemRCPCH closed 7 months ago

AmaniKrayemRCPCH commented 7 months ago

When viewing a list of users under a 'community paediatrics' organisation, users from other community paeds organisations in other Trusts also appear.

[screenshot]

AmaniKrayemRCPCH commented 7 months ago

I can confirm, after testing on the dummy accounts, that lead clinicians can see users and patients from other community paediatrics teams outwith their trust. As such, flagging as a security issue and labelled as highest priority.

[screenshot]

[screenshot]

There is no real patient/user data in the above screenshots.

eatyourpeas commented 7 months ago

Thanks @AmaniKrayemRCPCH for picking this up. Just goes to show how good the Django icontains filter is. You are right that it has been filtering all parent organisations which are similar, i.e. that contain "community" in them. Be reassured that while they can view each other's users and children, they cannot edit them at least. I have pushed a fix.
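The failure mode described in the thread, as an added example that is not part of the rcpch-audit-engine code or of the fix the maintainer pushed: a list of users is scoped by a case-insensitive substring match on the organisation's name (the SQL `LIKE` that Django's `__icontains` lookup compiles to), so every organisation whose name contains "Community Paediatrics" in any trust is pulled in, whereas scoping by the organisation's primary key returns only that organisation's users. The table and column names, the sample organisations, trusts and users are all constructed for the example; the real schema is not on the page.

```python
"""Added example (not project code): substring scoping leaks users across
trusts; foreign-key scoping does not. Schema and data are constructed."""
import sqlite3

# Constructed sample data: two "Community Paediatrics" teams in different
# trusts plus an unrelated service, one user in each.
ORGANISATIONS = [
    (1, "Community Paediatrics", "Trust A"),
    (2, "Community Paediatrics", "Trust B"),
    (3, "Paediatric Neurology", "Trust A"),
]
USERS = [
    (1, "alice", 1),
    (2, "bob", 2),
    (3, "carol", 3),
]


def build_db() -> sqlite3.Connection:
    """In-memory database with the assumed organisation/user tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE organisation (id INTEGER PRIMARY KEY, name TEXT, trust TEXT)"
    )
    conn.execute(
        "CREATE TABLE audit_user (id INTEGER PRIMARY KEY, username TEXT, "
        "organisation_id INTEGER REFERENCES organisation(id))"
    )
    conn.executemany("INSERT INTO organisation VALUES (?, ?, ?)", ORGANISATIONS)
    conn.executemany("INSERT INTO audit_user VALUES (?, ?, ?)", USERS)
    return conn


def users_by_name_icontains(conn: sqlite3.Connection, org_id: int) -> list[str]:
    """Flawed scoping: resolve the viewer's organisation name, then list users
    of every organisation whose name contains it (what a Django
    ``organisation__name__icontains=name`` filter compiles to, roughly)."""
    (name,) = conn.execute(
        "SELECT name FROM organisation WHERE id = ?", (org_id,)
    ).fetchone()
    rows = conn.execute(
        "SELECT u.username FROM audit_user u "
        "JOIN organisation o ON o.id = u.organisation_id "
        "WHERE lower(o.name) LIKE '%' || lower(?) || '%' ORDER BY u.id",
        (name,),
    ).fetchall()
    return [r[0] for r in rows]


def users_by_organisation_id(conn: sqlite3.Connection, org_id: int) -> list[str]:
    """Fixed scoping: filter on the foreign key, never on a fuzzy name match."""
    rows = conn.execute(
        "SELECT username FROM audit_user WHERE organisation_id = ? ORDER BY id",
        (org_id,),
    ).fetchall()
    return [r[0] for r in rows]


def cross_trust_leak(conn: sqlite3.Connection, org_id: int) -> list[str]:
    """Regression check: users the flawed query shows a viewer at ``org_id``
    who belong to an organisation in a different trust. Should be empty."""
    (trust,) = conn.execute(
        "SELECT trust FROM organisation WHERE id = ?", (org_id,)
    ).fetchone()
    outside = {
        r[0]
        for r in conn.execute(
            "SELECT u.username FROM audit_user u "
            "JOIN organisation o ON o.id = u.organisation_id WHERE o.trust != ?",
            (trust,),
        )
    }
    return [u for u in users_by_name_icontains(conn, org_id) if u in outside]


if __name__ == "__main__":
    db = build_db()
    print("icontains scoping for org 1:", users_by_name_icontains(db, 1))
    print("primary-key scoping for org 1:", users_by_organisation_id(db, 1))
    print("users leaked from other trusts:", cross_trust_leak(db, 1))
```

The same pattern applies to the patient list mentioned in the report: any per-organisation view should take the organisation's identifier from the authenticated user's membership and filter on that key, and a test like `cross_trust_leak` belongs in the suite so a later change back to name matching fails CI rather than the next audit.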