We're updating the issue view to help you get more done. 

Users can remove from a family patients that they can't normally access


Steps to reproduce:

  • log in with JohnDoe

  • create a new patient, draw its pedigree

  • log in with Admin

  • create a new patient, add it to JohnDoe's family & pedigree

  • log in with JohnDoe, edit the family

  • correct: JohnDoe cannot click on Admin's patient, view its details, or edit it in any way

  • bug: JohnDoe can delete the whole node from the pedigree

    • In Admin's patient history, the patient appears modified by JohnDoe, even though JohnDoe cannot access that patient

  • consequence bug: if JohnDoe click Undo in the pedigree, saving will fail due to insufficient permissions; the behavior is correct, JohnDoe shouldn't be able to put Admin's patient in a family, and this bug will not be present once the original bug is fixed




Andrew Misyura


Sergiu Dumitriu