OpenMRS Core / TRUNK-203

Deleting Patients is possible without proper permissions

Details

• Complexity: Medium

Description

The following is possible (just confirmed on demo.openmrs.org):

1. Create a new role that has all permissions except for "Delete Patients"
2. Create a new user, and give them this role only.
3. Become this user
4. Go to Administration -> Manage Patients, find a patient, go into their record
5. Click "Voided", give it a reason, and Save Patient

This works fine, but should not be possible without "Delete Patient" privileges.
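
One way to close the gap described above is to require the delete privilege whenever a save flips a record to voided. This is an added example, not OpenMRS code or the contents of the attached patches; the class and method names, the "Edit Patients" and "View Patients" privilege strings, and the sample patient are assumptions made for illustration.

```java
import java.util.Set;

// Added illustration; class and method names are hypothetical, not OpenMRS APIs.
public class VoidPrivilegeCheck {
    static final String EDIT = "Edit Patients";     // assumed privilege guarding the save path
    static final String DELETE = "Delete Patients"; // privilege named in the report

    record Patient(int id, boolean voided, String voidReason) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(String privilege) { super("Privilege required: " + privilege); }
    }

    static void require(Set<String> privileges, String needed) {
        if (!privileges.contains(needed)) throw new AccessDenied(needed);
    }

    // Before: the form save checks only the edit privilege, so a submitted
    // voided=true is persisted like any other field.
    static Patient saveUnchecked(Set<String> privileges, Patient stored, Patient submitted) {
        require(privileges, EDIT);
        return submitted;
    }

    // After: a save that turns a non-voided record into a voided one is
    // treated as a delete and needs the delete privilege as well.
    static Patient saveChecked(Set<String> privileges, Patient stored, Patient submitted) {
        require(privileges, EDIT);
        if (!stored.voided() && submitted.voided()) {
            require(privileges, DELETE);
        }
        return submitted;
    }

    public static void main(String[] args) {
        // Constructed data: a role with edit rights but without "Delete Patients".
        Set<String> role = Set.of(EDIT, "View Patients");
        Patient stored = new Patient(7, false, null);
        Patient submitted = new Patient(7, true, "entered in error");

        System.out.println("unchecked save voided=" + saveUnchecked(role, stored, submitted).voided());
        try {
            saveChecked(role, stored, submitted);
            System.out.println("checked save: allowed");
        } catch (AccessDenied e) {
            System.out.println("checked save: " + e.getMessage());
        }
    }
}
```

The comparison against the stored record is the point: the check keys on the state transition, so it applies no matter which form or endpoint submits the voided flag.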

Attachments

1. TRUNK-203-1.patch (2 kB, Balachandiran Ajanthan)
2. TRUNK-203-2.patch (2 kB, Balachandiran Ajanthan)
3. TRUNK-203-3.patch (1 kB, Balachandiran Ajanthan)


People

• Assignee: Balachandiran Ajanthan (ajanthan)
• Reporter: Mike Seaton (mseaton)
• Votes: 0
• Watchers: 5
