User privileges

Hello devs,

We have recently seen that the API endpoints do not limit the information that any user can

access right now. Even if an user would not normally have access to certain programs on certain orgUnits

right now this data can be accessed if the user knows about the API. This effect can also be seen through

the interface on the filter function of the “Data Entry” or “Event Capture”:

-Click on the green search icon

-Type a orgUnit for which the current user does not have access

-Click on the “Find” button

Now the restricted orgUnit will now appear on the tree and the user will be able to

use it normally. On the other side, if the user knows DHIS and knows how the API works he will be able

to access all the information without any kind of restriction since the endpoints give all the information.

To sum up, the only security filter DHIS now applies is at interface level.

Is this the intended behaviour of DHIS? Will the access to the information be restricted in the future somehow?

Eric

Hi Eric,

I tried to reproduce what you have reported on the demo site, but got this error.

Organisation unit is not in the hierarchy of the current user: O6uvpzGd5pu

I created a user called “test” with password “Password1” on https://play.dhis2.org/demo/ and assigned their data capture unit to Bombali. I was able to search for “Bo” and got the tree to appear, as you stated, but ONLY after having logged in as the admin user, which will cache this OU tree. I suspect thus, it is a caching problem. When I tried with an incognito mode browser, I was unable to see “Bo” at all.

For aggregate data, the “Data capture” orgunit should control the hierarchy which is seen in the data entry screen. Tracker orgunits must be assigned explicitly.

Could you provide a more detailed step-by-step of how you were able to enter data, while using incognito mode to exclude caching effects?

Regards,

Jason