User can navigate to screens they are not authorized to view

Description

I noticed an issue when I was executing OLMIS-2389. The user who should only see "Home" on the navigation bar also sees "Requisitions", and can navigate to the "Approve" and "View" screens. The user should see only "Home", even though he has the Program Supervisor role for Family Planning, because he has no home facility. What's interesting, the user sees requisitions for ARV and Lilongwe Health Center on the "View Requisitions" screen. The issue occurs on both browsers, and clearing the cache doesn't fix it.

Reproduction steps:

  1. Create a user without a home facility.

  2. Assign the Program Supervisor for Family Planning supervision role to the user without a Supervisory Node set.

  3. Log into the application as the user.

  4. The user sees not only "Home" on the navigation bar, but also "Requisitions".

Expected results:

  • Users without a home facility should only see the "Home" option on the navigation bar, despite having supervision roles assigned.

Dev notes:

  • Pay special attention to what happens during the log-in for the user and clean up stuff there.

 

Environment

None


Activity

Joanna Bebak December 5, 2019 at 10:23 AM

I made a re-test, and now everything works correctly. The call to permission strings is still made twice. I also noticed another issue, but since it also occurs on demo-v3, I'll create separate tickets for these issues.

Paweł Pinker December 2, 2019 at 3:37 PM
Edited

OK. I will look into the Lilongwe issue. As for the double permission strings issue, I think that has existed for quite some time and it's not something caused now. At least it's present on the demo-v3 server. I'll try to get it fixed too, though.

Joanna Bebak December 2, 2019 at 12:48 PM
Edited

I tested the ticket and it seems that not everything is fixed, unfortunately. Now when the user doesn't have a home facility, everything works correctly. But when I set the home facility (I used Comfort Health Clinic), I can also see Lilongwe Health Center in the "Facility" select on the "View Requisitions" screen. What's interesting, when I search for requisitions for Lilongwe, they are not found, even though there are some created for this facility. Finally, now the permission strings are fetched twice upon login by every user, which shouldn't be the case. Please look at the attached screenshots.

Joanna Bebak October 2, 2019 at 7:40 AM

I was able to reproduce the issue.

Joanna Szymańska September 24, 2019 at 1:52 PM

I verified that a user without a home facility can only navigate to the Approve and View screens, but cannot see any requisitions, even recently authorized ones.
Also, regardless of which program is assigned to the role of Program Supervisor, there is always Lilongwe Health Center in Search on the View screen.

FYI

Done
Time tracking

2w 1h 30m logged

Created September 24, 2019 at 9:12 AM
Updated November 18, 2020 at 4:34 PM
Resolved December 5, 2019 at 10:23 AM