  1. Reference Application
  2. RA-269

Users can circumvent access restrictions via REST interface

    Details

    • Type: Bug
    • Status: In Backlog
    • Priority: TBD
    • Resolution: Unresolved
    • Affects Version/s: OpenMRS 2.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Complexity:
      Undetermined

      Description

      All user accounts seem to have "Privilege Level: Full", and the REST interface is unaware of other access restrictions implemented in the UI layer.

      The most reasonable fix is probably to create roles with specific privileges, perhaps using the Privilege Helper module.

      (We have the same issue in KenyaEMR and so have temporarily removed the REST module, but we'll need it in future, so we're interested to see how you address this. We would also be interested to read anything you guys have about your security model in general.)

            People

            Assignee:
            Unassigned
            Reporter:
            rowanseymour Rowan Seymour