dhis2-devs team mailing list archive

User privileges

 

Hello devs,


We have recently seen that the API endpoints do not limit the information that any user can access right now. Even if a user would not normally have access to certain programs on certain orgUnits, right now this data can be accessed if the user knows about the API. This effect can also be seen through the interface on the filter function of the "Data Entry" or "Event Capture":


- Click on the green search icon
- Type an orgUnit for which the current user does not have access
- Click on the "Find" button


The restricted orgUnit will now appear on the tree and the user will be able to use it normally. On the other hand, if the user knows DHIS and knows how the API works, he will be able to access all the information without any kind of restriction, since the endpoints give all the information. To sum up, the only security filter DHIS now applies is at interface level.


Is this the intended behaviour of DHIS? Will the access to the information be restricted in the future somehow?


Eric
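
The gap described in this message, as an added sketch that is not part of the original post and is not DHIS2 code: the same event query with no server-side check (access limited only by what the interface offers) beside a version that authorizes every request against the user's orgUnits and programs. All names, the orgUnit tree, the events, and the rule that access to an orgUnit extends to its descendants are constructed assumptions.

```python
# Added example: hypothetical names throughout; this is not DHIS2 code.
from dataclasses import dataclass

# Constructed org unit tree: child -> parent (None marks the root).
PARENT = {"country": None, "north": "country", "south": "country",
          "clinic_n1": "north", "clinic_s1": "south"}

# Constructed event store: (event id, program, org unit).
EVENTS = [("e1", "malaria", "clinic_n1"), ("e2", "malaria", "clinic_s1"),
          ("e3", "hiv", "clinic_n1")]

@dataclass(frozen=True)
class User:
    name: str
    org_units: frozenset   # roots of the subtrees assigned to the user
    programs: frozenset    # programs the user may read

class Forbidden(Exception):
    """Raised by the API layer; a real service would map it to HTTP 403."""

def in_scope(user, org_unit):
    """True if org_unit is an assigned unit or a descendant of one (assumed rule)."""
    if org_unit not in PARENT:
        return False
    node = org_unit
    while node is not None:
        if node in user.org_units:
            return True
        node = PARENT[node]
    return False

def events_ui_filtered_only(user, org_unit, program):
    """Weak form: trusts the client to request only what the UI offered."""
    return [e for e, p, ou in EVENTS if ou == org_unit and p == program]

def events_enforced(user, org_unit, program):
    """Hardened form: the same query, authorized on the server per request."""
    if not in_scope(user, org_unit) or program not in user.programs:
        raise Forbidden(f"{user.name}: no access to {program}@{org_unit}")
    return [e for e, p, ou in EVENTS if ou == org_unit and p == program]

def visible_events(user):
    """List endpoints filter rows by the same rule instead of returning all."""
    return [e for e, p, ou in EVENTS
            if in_scope(user, ou) and p in user.programs]
```

Because `events_enforced` and `visible_events` share `in_scope`, a search box that reveals a restricted orgUnit in the tree no longer matters: the request for its data is refused on the server.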