OpenMRS Core / TRUNK-203

Deleting Patients is possible without proper permissions

    Details

    • Complexity:
      Medium

      Description

      The following is possible (just confirmed on demo.openmrs.org):

      1. Create a new role that has all permissions except for "Delete Patients"
      2. Create a new user, and give them this role only.
      3. Become this user
      4. Go to Administration -> Manage Patients, find a patient, go into their record
      5. Click "Voided", give it a reason, and Save Patient

      This works fine, but should not be possible without "Delete Patient" privileges.

        Attachments

        1. TRUNK-203-3.patch
          1 kB
        2. TRUNK-203-2.patch
          2 kB
        3. TRUNK-203-1.patch
          2 kB

              People

              Assignee:
              ajanthan Balachandiran Ajanthan
              Reporter:
              mseaton Mike Seaton
              Votes:
              0
              Watchers:
              5
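
The check the report asks for, modelled as an added example (not OpenMRS code and not taken from the attached patches): the save path compares the stored and submitted voided flag and requires "Delete Patients" whenever a record becomes voided, whichever form submitted it. The `Patient` record, the `save` and `require` methods, and the "Edit Patients" and "View Patients" privilege names are assumptions made for illustration.

```java
import java.util.Set;

public class VoidPrivilegeCheck {
    // Privilege name as quoted in the report.
    static final String DELETE_PATIENTS = "Delete Patients";
    // Assumed name for the ordinary edit privilege (not stated in the report).
    static final String EDIT_PATIENTS = "Edit Patients";

    // Stand-in for a patient record; hypothetical, not an OpenMRS class.
    record Patient(int id, boolean voided, String voidReason) {}

    static class MissingPrivilegeException extends RuntimeException {
        MissingPrivilegeException(String privilege) {
            super("Privilege required: " + privilege);
        }
    }

    static void require(Set<String> privileges, String needed) {
        if (!privileges.contains(needed)) throw new MissingPrivilegeException(needed);
    }

    /**
     * Save-path guard. The check is keyed on the state change, not on which
     * form or button was used, so "edit the record and tick Voided" is
     * treated the same as an explicit delete.
     */
    static Patient save(Set<String> privileges, Patient stored, Patient submitted) {
        require(privileges, EDIT_PATIENTS);
        boolean becomesVoided = !stored.voided() && submitted.voided();
        if (becomesVoided) {
            require(privileges, DELETE_PATIENTS);
        }
        return submitted;
    }

    public static void main(String[] args) {
        // Constructed sample data: one role with everything except "Delete Patients".
        Set<String> limited = Set.of(EDIT_PATIENTS, "View Patients");
        Set<String> full = Set.of(EDIT_PATIENTS, "View Patients", DELETE_PATIENTS);
        Patient stored = new Patient(7, false, null);
        Patient voidedCopy = new Patient(7, true, "duplicate record");

        save(full, stored, voidedCopy);   // allowed: role holds "Delete Patients"
        save(limited, stored, stored);    // allowed: ordinary edit, flag unchanged
        try {
            save(limited, stored, voidedCopy); // refused: flag flips to voided
        } catch (MissingPrivilegeException e) {
            System.out.println(e.getMessage());
        }
    }
}
```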
