cht-core Restrict which contacts can be deleted by a user with `can_delete

Restrict which contacts can be deleted by a user with `can_delete_contact` permission

Open jkuester opened this issue 1 year ago • 2 comments

What feature do you want to improve? Users with the can_delete_contact permission have an entry shown in the "more options" context menu for a contact that allows them to delete that contact. However, there is no way (as far as I can tell) to limit which contacts can be deleted by the user. (Basically, they can remove any of the contacts they have access to.)

https://github.com/medic/cht-core/blob/3c3accebdfba8db7ad2c5261eeb75da79e7ad56c/webapp/src/ts/modules/contacts/contacts-more-menu.component.ts#L113

Describe the improvement you'd like There needs to be some way to be able to specify which which contacts a user can (or cannot) delete. Perhaps this is a boolean evaluation (similar to a form expression? At the very least, user's should never be allowed to delete their own contact (since this will render them unable to submit any app forms).

Describe alternatives you've considered Currently, I logged this as an Improvement, but since user's can actually break themselves by deleting their own contact, it might make sense to re-label this as a bug....

Additional context Originally reported on the forum where it was noted:

Unfortunately, we have encountered a scenario where a CHW accidentally deleted themselves. There is also a real possibility of accidentally deleting other CHWs and impacting their work.

Jan 29 '24 19:01 jkuester

One alternative is to just restrict the user so they cannot delete themselves which could be done in code not configuration. This means it would work out of the box and protect other users from this without requiring any configuration.

I imagine the impact when this happens is the user is then unable to do just about anything in the app. Another alternative solution is to not allow deletion of any contact that's attached to a user and show a message that they must delete the user instead, which would stop any cases where the result would impact a user.

Jan 30 '24 06:01 garethbowen

Deleting the linked hierarchy person doesn't log the user out, enabling continued work capture, as shown in the screenshots. Notably, a deleted user can't create new app forms, but contact forms can be captured, causing confusion for both the user and the support team. The deleted CHW's name disappears from previously captured reports. After logging out, the CHW can still log back in using their original credentials despite lacking a linked hierarchy person.