dhis2-devs team mailing list archive
Message #43470
[Bug 1549386] [NEW] User Can see Org Units not assigned to their user
Public bug reported:
This seems similar to #1230385
https://bugs.launchpad.net/bugs/1230385
The org unit tree in the hierarchy tree (shown in various apps such as
the org unit editor or data entry app) will often misbehave for
restricted users and show the entire OU tree from the root level down.
I've seen this in production systems, for very restricted "data entry
only" accounts, through to super users assigned only to one OU on test systems.
I'm having trouble nailing down the exact steps to reproduce, but I've
seen it enough times now that it wasn't an isolated event. The only way
to get it to reset, it seems, is to both reset the browser cache (the hard
way), unassign that user from the OU, save, and reassign that user to
their OU.
One thing I also notice is that if you hop into the API, you can get a full
listing of org units regardless of the one you are assigned to. Certain use
cases consider the OU tree to be sensitive data, so should every user have
access to the entire tree via the API?
** Affects: dhis2
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549386
To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549386/+subscriptions