
dhis2-devs team mailing list archive

Re: User privileges


Hi Eric,

I tried to reproduce what you have reported on the demo site, but got this
error.

Organisation unit is not in the hierarchy of the current user: O6uvpzGd5pu

I created a user called "test" with password "Password1" on
https://play.dhis2.org/demo/ and assigned their data capture unit to
Bombali. I was able to search for "Bo" and got the tree to appear, as you
stated, but ONLY after having logged in as the admin user, which will cache
this OU tree. I suspect, thus, that it is a caching problem. When I tried with
an incognito mode browser, I was unable to see "Bo" at all.

For aggregate data, the "Data capture" orgunit should control the hierarchy
which is seen in the data entry screen. Tracker orgunits must be assigned
explicitly.

Could you provide a more detailed step-by-step of how you were able to
enter data, while using incognito mode to exclude caching effects?

Regards,
Jason


On Wed, Jun 8, 2016 at 12:39 PM, eric mourin <ericmourin@xxxxxxxxxxx> wrote:

> Hello devs,
>
> We have recently seen that the API endpoints do not limit the information
> that any user can access right now. Even if a user would not normally have
> access to certain programs on certain orgUnits, right now this data can be
> accessed if the user knows about the API. This effect can also be seen
> through the interface on the filter function of the "Data Entry" or "Event
> Capture":
>
> -Click on the green search icon
> -Type an orgUnit for which the current user does not have access
> -Click on the "Find" button
>
> Now the restricted orgUnit will appear on the tree and the user will be
> able to use it normally. On the other side, if the user knows DHIS and
> knows how the API works he will be able to access all the information
> without any kind of restriction since the endpoints give all the
> information.
>
> To sum up, the only security filter DHIS now applies is at interface level.
>
> Is this the intended behaviour of DHIS? Will the access to the information
> be restricted in the future somehow?
>
> Eric
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel:+46764147049
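As an added illustration, not DHIS2's own code, here is a small model of the server-side scoping the two messages discuss: an orgunit search that filters by the caller's data capture hierarchy (versus one that matches every unit, the behaviour Eric reports), the hierarchy check behind the "Organisation unit is not in the hierarchy of the current user" error, and the explicit assignment Jason says tracker orgunits need. The orgunit tree, uids, user and all function names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(eq=False)
class OrgUnit:
    uid: str                         # constructed 11-char uids, not the demo's
    name: str
    parent: "OrgUnit | None" = None

    def ancestors_and_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class User:
    username: str
    data_capture: set = field(default_factory=set)  # data capture orgunit uids
    tracker: set = field(default_factory=set)       # explicitly assigned tracker units


def in_capture_hierarchy(user, ou):
    """Aggregate data: allowed if ou or any ancestor is a data capture unit."""
    return any(n.uid in user.data_capture for n in ou.ancestors_and_self())


def tracker_allowed(user, ou):
    """Tracker programs (assumed model): no inheritance, the unit itself must be assigned."""
    return ou.uid in user.tracker


def search_unscoped(query, units):
    """Interface-level filtering only: every matching unit is returned to any caller."""
    return [u for u in units if query.lower() in u.name.lower()]


def search_scoped(user, query, units):
    """Server-side scoping: matches outside the caller's hierarchy are never returned."""
    return [u for u in search_unscoped(query, units) if in_capture_hierarchy(user, u)]


def aggregate_write_denial(user, ou):
    """Return the rejection message for a data value write, or None when allowed."""
    if in_capture_hierarchy(user, ou):
        return None
    return f"Organisation unit is not in the hierarchy of the current user: {ou.uid}"


# Constructed sample tree: Sierra Leone > {Bombali > Bombali Clinic, Bo > Bo Clinic}
ROOT = OrgUnit("ROOT0000001", "Sierra Leone")
BOMBALI = OrgUnit("BOMBALI0001", "Bombali", ROOT)
BO = OrgUnit("BO000000001", "Bo", ROOT)
BOMBALI_CLINIC = OrgUnit("BMBCLINIC01", "Bombali Clinic", BOMBALI)
BO_CLINIC = OrgUnit("BOCLINIC001", "Bo Clinic", BO)
ALL_UNITS = [ROOT, BOMBALI, BO, BOMBALI_CLINIC, BO_CLINIC]
TEST_USER = User("test", data_capture={BOMBALI.uid}, tracker={BOMBALI_CLINIC.uid})
```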
