OpenMRS Core / TRUNK-203

Deleting Patients is possible without proper permissions

    Details

    • Complexity: Medium

      Description

      The following is possible (just confirmed on demo.openmrs.org):

      1. Create a new role that has all permissions except for "Delete Patients"
      2. Create a new user, and give them this role only.
      3. Become this user
      4. Go to Administration -> Manage Patients, find a patient, go into their record
      5. Click "Voided", give it a reason, and Save Patient

      This works fine, but should not be possible without "Delete Patient" privileges.
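
The missing check described above, as an added example that is not OpenMRS code: a minimal model of a save path that persists the voided flag, next to a hardened version that treats a change of that flag as a delete. The function names, the "Edit Patients" guard and the sample data are assumptions made for illustration; only the "Delete Patients" privilege name comes from the report.

```python
from dataclasses import dataclass, replace

DELETE_PATIENTS = "Delete Patients"  # privilege named in the report
EDIT_PATIENTS = "Edit Patients"      # assumed privilege guarding the edit form

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class Patient:
    patient_id: int
    name: str
    voided: bool = False
    void_reason: str = ""

@dataclass(frozen=True)
class User:
    name: str
    privileges: frozenset

def require(user, privilege):
    if privilege not in user.privileges:
        raise PermissionDenied(f"{user.name} lacks '{privilege}'")

def save_patient_unchecked(user, stored, submitted):
    # Hypothetical vulnerable path: only the edit privilege is checked.
    require(user, EDIT_PATIENTS)
    return submitted

def save_patient(user, stored, submitted):
    # Hardened path: a change of the voided flag is a delete (or undelete)
    # and needs "Delete Patients" on top of the edit privilege.
    require(user, EDIT_PATIENTS)
    if submitted.voided != stored.voided:
        require(user, DELETE_PATIENTS)
    return submitted

# Constructed sample data: a role with every privilege except "Delete Patients".
ALL_PRIVILEGES = frozenset({EDIT_PATIENTS, "View Patients", DELETE_PATIENTS})
limited = User("limited", ALL_PRIVILEGES - {DELETE_PATIENTS})
stored = Patient(1, "Test Patient")
voided_form = replace(stored, voided=True, void_reason="entered in error")

def void_allowed(save_fn, user):
    # True if `user` can void the stored patient through `save_fn`.
    try:
        return save_fn(user, stored, voided_form).voided
    except PermissionDenied:
        return False
```

Comparing the submitted record with the stored one keeps ordinary edits working for the limited role while the void transition is refused.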

    Attachments

      1. TRUNK-203-1.patch (2 kB)
      2. TRUNK-203-2.patch (2 kB)
      3. TRUNK-203-3.patch (1 kB)

    People

    • Assignee: Balachandiran Ajanthan (ajanthan)
    • Reporter: Mike Seaton (mseaton)
    • Votes: 0
    • Watchers: 5
