An empty family with no pedigree has rights that are too permissive

Description

To reproduce:

  1. As User 1, create a new family, F1. (Do not enter any pedigree data.)

  2. As User 2, edit the family F1. Draw a pedigree. (Do not link any individual in the pedigree to a patient record).

  3. Save and close the pedigree.

  4. You will see the error in the attached screenshot.

This happens because on pedigree save, the family (F1) document's permissions are updated to match the aggregate permissions of all of the individuals in the family. These new permissions are more restrictive and now disallow viewing and editing for User 2.

As discussed in dev meeting today, the solution should be to make sure that the family document's permissions also take into account the creator of the document, and restrict the document from viewing/editing by other users. This way, in this case the family (F1) document would not have been editable by User 2 in the first place.

Environment

None

Status

Assignee

Andrew Misyura

Reporter

Daniel Gross

Labels

None

External issue ID

None

External issue ID

None

Epic Link

Components

Fix versions

Affects versions

Priority

Medium
Configure