An empty family with no pedigree has rights that are too permissive

Description

To reproduce:

  1. As User 1, create a new family, F1. (Do not enter any pedigree data.)

  2. As User 2, edit the family F1. Draw a pedigree. (Do not link any individual in the pedigree to a patient record.)

  3. Save and close the pedigree.

  4. You will see the error in the attached screenshot.

This happens because on pedigree save, the family (F1) document's permissions are updated to match the aggregate permissions of all of the individuals in the family. These new permissions are more restrictive and now disallow viewing and editing for User 2.

As discussed in dev meeting today, the solution should be to make sure that the family document's permissions also take into account the creator of the document, and restrict the document from viewing/editing by other users. This way, in this case the family (F1) document would not have been editable by User 2 in the first place.

Environment

None
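A minimal model of the access check described in this issue, added here as an illustration and not taken from the project's code. All class and function names are hypothetical, and "aggregate permissions" is assumed to mean the union of editors over the linked patient records.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Patient:
    editors: frozenset            # users allowed to edit this patient record

@dataclass
class Family:
    creator: str
    patients: list = field(default_factory=list)   # linked patient records only
    acl: Optional[set] = None     # None = rights have never been computed

def aggregate(family):
    """Union of editors over all linked patients (assumed meaning of 'aggregate')."""
    users = set()
    for p in family.patients:
        users |= p.editors
    return users

# --- Behaviour as reported: rights are only computed on pedigree save ---
def save_pedigree_reported(family, linked_patients=()):
    family.patients = list(linked_patients)
    family.acl = aggregate(family)

def can_edit_reported(family, user):
    if family.acl is None:        # empty family: nothing restricts access yet
        return True
    return user in family.acl

# --- Proposed fix: the creator is always part of the family's rights ---
def save_pedigree_fixed(family, linked_patients=()):
    family.patients = list(linked_patients)

def can_edit_fixed(family, user):
    # Computed on every check, so there is no "never computed" permissive state.
    return user in ({family.creator} | aggregate(family))

def reproduce(can_edit, save):
    """Steps 1-3 of the report: (User 2 may edit before save, after save)."""
    f1 = Family(creator="user1")            # step 1: User 1 creates empty F1
    before = can_edit(f1, "user2")          # step 2: User 2 tries to edit
    save(f1)                                # step 3: pedigree saved, no links
    return before, can_edit(f1, "user2")

if __name__ == "__main__":
    print("reported:", reproduce(can_edit_reported, save_pedigree_reported))
    print("fixed:   ", reproduce(can_edit_fixed, save_pedigree_fixed))
```

In the reported model User 2 is allowed in and then locked out by their own save; in the fixed model the answer is the same before and after the save.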

Activity

Andrew Misyura
December 12, 2016, 10:17 PM

The fix will disallow User2 from editing the family in the first place.

It is a more complicated fix to allow User2 to edit a family created by User1 when no patients owned by User2 are in the family; this has to be done together with a larger family rights refactoring.

Daniel Gross
December 5, 2016, 6:11 PM

, yes, that makes sense.

Sergiu Dumitriu
November 30, 2016, 4:50 PM

Then the bug isn't that creator's rights aren't taken into account, but that the rights aren't computed until the family has a pedigree.

Sergiu Dumitriu
November 30, 2016, 4:47 PM

Ah, then I must have misunderstood what you described yesterday.

Daniel Gross
November 30, 2016, 3:22 PM
Edited

, I see that you changed the description to say that User 1 will be denied access to the family, but actually the original description (which said User 2) was correct. If you run through the steps to reproduce, you'll see the error in the screenshot that I have just uploaded.
I will revert the description to the way it was.

Fixed

Assignee

Andrew Misyura

Reporter

Daniel Gross