SORMAS-Project icon indicating copy to clipboard operation
SORMAS-Project copied to clipboard

Published 20 hours ago verified publisher icon SORMAS-Foundation

Consider right EVENT_VIEW (View existing events) in the case directory

Open KernB opened this issue 2 years ago • 1 comments

Bug Description

A user without the right EVENT_VIEW (View existing events) can see data about the event in the case directory.

image

Steps to Reproduce

  1. Log in as Admin and find a user whit hasn't the rights "View existing events" / EVENT_VIEW
  2. Login with this user e.g. beke1 / B-Rolle
  3. Open the case directory in the detailed view

Expected Behavior

  • [ ] Hide the columns related to events.
  • [ ] The data should not be put into the CaseDataIndexDto as-well when the user right is not present

Screenshots

User roll in the admin view image

System Details

  • Device: Laptop
  • SORMAS version: 1.75.0
  • Android version/Browser: Chrome
  • Server URL: test1401
  • User Role: Admin / beke1

Additional Information

KernB avatar Sep 13 '22 09:09 KernB

Solution as discussed with @MartinWahnschaffe: UI: Hide columns if EVENT_VIEW is not given Backend: hide there, too and leave empty

SahaLinaPrueger avatar Sep 21 '22 10:09 SahaLinaPrueger

Verified ticket on local environment using the latest version of Sormas 1.76.0-SNAPSHOT from the development branch.

roxanamlendea avatar Oct 03 '22 06:10 roxanamlendea