OpenMRS Core / TRUNK-203

Deleting Patients is possible without proper permissions

    Details

    • Complexity:
      Medium

      Description

      The following is possible (just confirmed on demo.openmrs.org):

      1. Create a new role that has all permissions except for "Delete Patients"
      2. Create a new user, and give them this role only.
      3. Become this user
      4. Go to Administration -> Manage Patients, find a patient, go into their record
      5. Click "Voided", give it a reason, and Save Patient

      This works fine, but should not be possible without "Delete Patient" privileges.
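
A simplified model of the behaviour in the steps above, added here as an example and not taken from the OpenMRS code base: a save path that checks only an edit privilege lets the "Voided" flag through, while the hardened variant also requires "Delete Patients" when the flag is being set. The class, its methods and the "Edit Patients" privilege name are assumptions for illustration.

```java
import java.util.Set;

// Simplified model of the save path in the report; not OpenMRS source.
// Class, method and "Edit Patients" names are assumptions for illustration.
public class VoidPrivilegeCheck {
    static final String EDIT = "Edit Patients";      // assumed privilege name
    static final String DELETE = "Delete Patients";  // privilege named in the report

    static class Patient { boolean voided; String voidReason; }

    // Save path guarded only by the edit privilege: ticking "Voided" on the
    // form voids the record without "Delete Patients".
    static void saveUnchecked(Set<String> privs, Patient stored, boolean voided, String reason) {
        require(privs, EDIT);
        stored.voided = voided;
        stored.voidReason = voided ? reason : null;
    }

    // Hardened save path: a transition from active to voided is treated as a
    // delete and needs "Delete Patients" in addition to the edit privilege.
    static void saveChecked(Set<String> privs, Patient stored, boolean voided, String reason) {
        require(privs, EDIT);
        if (voided && !stored.voided) {
            require(privs, DELETE);
        }
        stored.voided = voided;
        stored.voidReason = voided ? reason : null;
    }

    static void require(Set<String> privs, String needed) {
        if (!privs.contains(needed)) {
            throw new SecurityException("Privilege required: " + needed);
        }
    }

    public static void main(String[] args) {
        Set<String> role = Set.of(EDIT);  // constructed role lacking DELETE
        Patient a = new Patient();
        saveUnchecked(role, a, true, "test");
        System.out.println("unchecked save voided patient: " + a.voided);

        Patient b = new Patient();
        try {
            saveChecked(role, b, true, "test");
        } catch (SecurityException e) {
            System.out.println("checked save rejected: " + e.getMessage());
        }
        System.out.println("patient still active: " + !b.voided);
    }
}
```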

          Attachments

          1. TRUNK-203-1.patch (2 kB)
          2. TRUNK-203-2.patch (2 kB)
          3. TRUNK-203-3.patch (1 kB)

            Issue Links

              Attachments-Category-Modification

                  People

                  • Assignee: ajanthan Balachandiran Ajanthan
                  • Reporter: mseaton Mike Seaton
