dhis2-devs team mailing list archive
Message #45322
User privileges
To: "dhis2-devs@xxxxxxxxxxxxxxxxxxx" <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
From: eric mourin <ericmourin@xxxxxxxxxxx>
Date: Wed, 8 Jun 2016 10:39:36 +0000
Hello devs,
We have recently seen that the API endpoints do not limit the information that any user can
access right now. Even if a user would not normally have access to certain programs on certain orgUnits,
right now this data can be accessed if the user knows about the API. This effect can also be seen through
the interface on the filter function of the "Data Entry" or "Event Capture":
- Click on the green search icon
- Type an orgUnit for which the current user does not have access
- Click on the "Find" button
The restricted orgUnit will now appear on the tree and the user will be able to
use it normally. On the other side, if the user knows DHIS and knows how the API works, he will be able
to access all the information without any kind of restriction, since the endpoints give all the information.
To sum up, the only security filter DHIS now applies is at interface level.
Is this the intended behaviour of DHIS? Will the access to the information be restricted in the future somehow?
Eric
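
One way a server-side check for the situation described in this message could look, as an added example that is not part of the original message and is not DHIS2 code. The org unit tree, the `User` model, the `get_events` handler and the rule that access to a unit also covers the units below it are all assumptions made for illustration.

```python
# Added illustration: hypothetical data model and handler, not DHIS2 code.
from dataclasses import dataclass

# Constructed org unit tree: child -> parent (None marks the root).
PARENT = {"country": None, "north": "country", "south": "country",
          "clinic_n1": "north", "clinic_s1": "south"}

# Constructed event records: (event id, program, org unit).
EVENTS = [("e1", "malaria", "clinic_n1"),
          ("e2", "malaria", "clinic_s1"),
          ("e3", "hiv", "clinic_n1")]


@dataclass(frozen=True)
class User:
    name: str
    org_units: frozenset   # units assigned to the user
    programs: frozenset    # programs the user may read


class Forbidden(Exception):
    """Raised when a request names data outside the caller's scope."""


def in_scope(user, org_unit):
    """True if org_unit is an assigned unit or lies below one (assumption)."""
    seen = set()
    while org_unit is not None and org_unit not in seen:
        if org_unit in user.org_units:
            return True
        seen.add(org_unit)
        org_unit = PARENT.get(org_unit)  # unknown units end the walk: denied
    return False


def get_events(user, org_unit=None, program=None):
    """API handler: authorize explicit parameters, then filter every row."""
    if org_unit is not None and not in_scope(user, org_unit):
        raise Forbidden(f"{user.name} has no access to orgUnit {org_unit}")
    if program is not None and program not in user.programs:
        raise Forbidden(f"{user.name} has no access to program {program}")
    # Row-level filter, so an unfiltered request cannot return foreign data.
    return [e for e in EVENTS
            if (org_unit is None or e[2] == org_unit)
            and (program is None or e[1] == program)
            and in_scope(user, e[2]) and e[1] in user.programs]
```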