Users can remove from a family patients that they can't normally access

Description

Steps to reproduce:

  • log in with JohnDoe

  • create a new patient, draw its pedigree

  • log in with Admin

  • create a new patient, add it to JohnDoe's family & pedigree

  • log in with JohnDoe, edit the family

  • correct: JohnDoe cannot click on Admin's patient, view its details, or edit it in any way

  • bug: JohnDoe can delete the whole node from the pedigree

    • In Admin's patient history, the patient appears modified by JohnDoe, even though JohnDoe cannot access that patient

  • consequence bug: if JohnDoe clicks Undo in the pedigree, saving will fail due to insufficient permissions; the behavior is correct, JohnDoe shouldn't be able to put Admin's patient in a family, and this bug will not be present once the original bug is fixed

Environment

None

Status

Assignee

Andrew Misyura

Reporter

Sergiu Dumitriu

Labels

None

External issue ID

None

Epic Link

Components

Fix versions

Affects versions

1.3.2
1.4-milestone-1

Priority

Medium
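
The missing check described in the reproduction steps, sketched as an added example (not code from this project or from the reporter): a family save is authorized per patient whose membership changes, so removals get the same check as additions. All names (`Patient`, `Family`, `can_edit`, `save_family_members`) and the ownership rule are assumptions made for illustration.

```python
# Hypothetical model: every name and the permission rule below are
# assumptions for illustration, not the project's API.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class Patient:
    pid: str
    owner: str
    history: list = field(default_factory=list)

@dataclass
class Family:
    owner: str
    members: set = field(default_factory=set)  # patient ids

def can_edit(user, patient):
    # Simplified rule for the example: owner or Admin may edit a patient.
    return user == patient.owner or user == "Admin"

def save_family_members(user, family, new_members, patients):
    """Apply a pedigree save only if the user may edit every patient whose
    membership changes (added or removed), not just the family itself."""
    new_members = set(new_members)
    changed = family.members ^ new_members  # symmetric difference
    denied = sorted(p for p in changed if not can_edit(user, patients[p]))
    if denied:
        # Reject the whole save before touching any record, so no patient
        # history entry is written on behalf of an unauthorized user.
        raise AccessDenied(f"{user} cannot change membership of {denied}")
    for pid in changed:
        action = "added to" if pid in new_members else "removed from"
        patients[pid].history.append(f"{action} family by {user}")
    family.members = new_members

def demo():
    # Constructed data mirroring the reproduction steps.
    patients = {"P1": Patient("P1", "JohnDoe"), "P2": Patient("P2", "Admin")}
    family = Family(owner="JohnDoe", members={"P1"})
    save_family_members("Admin", family, {"P1", "P2"}, patients)
    try:
        save_family_members("JohnDoe", family, {"P1"}, patients)  # drop P2
        blocked = False
    except AccessDenied:
        blocked = True
    return blocked, family.members, patients["P2"].history
```
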