[TRUNK-203] Deleting Patients is possible without proper permissions - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Should
Resolution: Fixed
Affects Version/s: None
Fix Version/s: OpenMRS 1.9.0
Component/s: None
Labels:
- april2011-dev-sprint

Complexity:
Medium
Development:

1 commit

Description

The following is possible (just confirmed on demo.openmrs.org):

Create a new role that has all permissions except for "Delete Patients"
2. Create a new user, and give them this role only.
3. Become this user
4. Go to Administration -> Manage Patients, find a patient, go into their record
5. Click "Voided", give it a reason, and Save Patient

This works fine, but should not be possible without "Delete Patient" privileges.

Gliffy Diagrams

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

TRUNK-203-1.patch
2 kB
2011-04-12 14:31:23 GMT
TRUNK-203-2.patch
2 kB
2011-04-13 10:38:39 GMT
TRUNK-203-3.patch
1 kB
2011-04-13 12:39:25 GMT

Issue Links

is resolved by

TRUNK-226 Voiding a patient should void patient's related data

Closed

Activity

People

Assignee:: Balachandiran Ajanthan

Reporter:: Mike Seaton

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2010-06-21 17:59:37 GMT

Updated:: 2011-04-14 13:32:53 GMT

Resolved:: 2011-04-14 13:32:53 GMT