  1. Reference Application
  2. RA-269

Users can circumvent access restrictions via REST interface

    Details

    • Type: Bug
    • Status: In Backlog
    • Priority: TBD
    • Resolution: Unresolved
    • Affects Version/s: OpenMRS 2.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Complexity:
      Undetermined

      Description

      All user accounts seem to have "Privilege Level: Full", and the REST interface is unaware of other access restrictions implemented in the UI layer.

      The most reasonable fix is probably to create roles with specific privileges, perhaps using the Privilege Helper module.

      (We have the same issue in KenyaEMR and so have temporarily removed the REST module, but we'll need it in future so interested to see how you address this. Would also be interested to read anything you guys have about your security model in general.)

              People

              Assignee:
              Unassigned
              Reporter:
              rowanseymour Rowan Seymour
              Votes:
              0
              Watchers:
              2