Users can remove from a family patients that they can't normally access


Steps to reproduce:

  • log in with JohnDoe

  • create a new patient, draw its pedigree

  • log in with Admin

  • create a new patient, add it to JohnDoe's family & pedigree

  • log in with JohnDoe, edit the family

  • correct: JohnDoe cannot click on Admin's patient, view its details, or edit it in any way

  • bug: JohnDoe can delete the whole node from the pedigree

    • In Admin's patient history, the patient appears modified by JohnDoe, even though JohnDoe cannot access that patient

  • consequence bug: if JohnDoe clicks Undo in the pedigree, saving will fail due to insufficient permissions; the behavior is correct, JohnDoe shouldn't be able to put Admin's patient in a family, and this bug will not be present once the original bug is fixed




Andrew Misyura
October 26, 2017, 8:19 PM

I think this is not a bug, or rather there is a bug, but not as described.

First of all, the fact that Admin user added a patient to JohnDoe's family is contrary to the regular workflow (allowed by the special admin privileges, not available to regular users), where no one can add anything to a family until the owner of the family shares the family or a patient with someone else.

I agree the situation is still possible, for example when JohnDoe shares the patient with other user A, who, having access to the family, now added patient X to the pedigree which JohnDoe cannot edit. Then the steps to reproduce the problem will work (note: there is a missing step, which is to save the pedigree after deleting the node. If there is no save, undo works and save works after undo). However conceptually this is still JohnDoe's pedigree, and I will argue that JohnDoe has the right to remove anyone and anything from it, just because the workflow for the patient JohnDoe started the pedigree for somehow demands this (e.g. user A who added patient X was not aware of some privacy issues). After all, user A knew the patient is being added to someone else's family, so it should not be a surprise the patient got removed from that family.

The only bug here is that if you remove the node, then save, then undo, it happily does the undo and now save actually fails. I would argue that everything is fine, and the only exception is that when JohnDoe removes that patient X and saves the pedigree, there should be a note that JohnDoe won't be able to put patient X back into the pedigree, and undo should not place the patient back there. Patient X will still have JohnDoe in the change log, but I would argue in this case this is correct, since user A knew what he is getting into.
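The scenario in the steps to reproduce and the behaviour proposed in the comment above can be checked against a small server-side authorization model. The following is an added, constructed example, not PhenoTips code and not the actual fix; the user, patient and family identifiers are made up, and the policy it encodes is an assumption chosen to match the comment's argument: adding a patient to a family needs edit rights on both the family and the patient, removing a member needs edit rights on the family only, and undoing a removal is treated as an add, so it is refused up front (and can be greyed out) instead of succeeding in the editor and failing at save time.

```python
# Constructed example: a minimal authorization model for pedigree membership
# changes. Not PhenoTips code; names and policy are assumptions (see lead-in).
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised before any state is changed, so the caller can disable the action."""


@dataclass
class Record:
    rid: str
    owner: str
    editors: set = field(default_factory=set)
    history: list = field(default_factory=list)  # (user, action) audit entries

    def can_edit(self, user):
        return user == self.owner or user in self.editors


@dataclass
class Family(Record):
    members: set = field(default_factory=set)  # patient ids in the pedigree


class PedigreeService:
    def __init__(self, patients, families):
        self.patients = {p.rid: p for p in patients}
        self.families = {f.rid: f for f in families}

    def can_add(self, user, fid, pid):
        # Assumed policy: pulling a patient into a family needs edit rights on both.
        fam, pat = self.families[fid], self.patients[pid]
        return fam.can_edit(user) and pat.can_edit(user)

    def can_remove(self, user, fid, pid):
        # Assumed policy: the family owner (or an editor) may remove any member.
        fam = self.families[fid]
        return fam.can_edit(user) and pid in fam.members

    def add_member(self, user, fid, pid):
        if not self.can_add(user, fid, pid):
            raise PermissionDenied(f"{user} may not add {pid} to {fid}")
        fam, pat = self.families[fid], self.patients[pid]
        fam.members.add(pid)
        fam.history.append((user, f"added {pid}"))
        pat.history.append((user, f"joined {fid}"))

    def remove_member(self, user, fid, pid):
        if not self.can_remove(user, fid, pid):
            raise PermissionDenied(f"{user} may not remove {pid} from {fid}")
        fam = self.families[fid]
        fam.members.discard(pid)
        # The change is recorded on the family the user edited; the patient
        # record the user cannot access is left untouched (assumption).
        fam.history.append((user, f"removed {pid}"))
        # Undo token: redeeming it replays an add, which is re-authorized.
        return ("add", fid, pid)

    def undo(self, user, token):
        action, fid, pid = token
        if action == "add":
            self.add_member(user, fid, pid)


def demo():
    """Replays the reported scenario with constructed ids: JohnDoe owns the
    family, Admin's patient was placed in it; JohnDoe can remove that patient
    but the undo is refused before anything is changed."""
    john = Record("P0001", owner="JohnDoe")
    admins = Record("P0002", owner="Admin")
    fam = Family("F0001", owner="JohnDoe", members={"P0001", "P0002"})
    svc = PedigreeService([john, admins], [fam])
    token = svc.remove_member("JohnDoe", "F0001", "P0002")
    undo_allowed = svc.can_add("JohnDoe", "F0001", "P0002")  # what the UI would check
    try:
        svc.undo("JohnDoe", token)
        undone = True
    except PermissionDenied:
        undone = False
    return {
        "members": sorted(fam.members),
        "undo_allowed": undo_allowed,
        "undone": undone,
        "patient_history": admins.history,
        "family_history": fam.history,
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing the undo through the same `add_member` check is that the editor learns it is not allowed before the node reappears, which is the behaviour the comment asks for; with the reporter's stricter reading, the same structure works by making `can_remove` also require `pat.can_edit(user)`.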


