Users deleting events in Android App

Hi!

We have recently found that it is possible for users entering data (Event without registration) in the field via the Android “DHIS2 Capture” app to delete other users’ events that have been entered. We have checked permissions under “User role” and under the “Tracker” heading, they only have access to “View event analytics” and nothing more.

We want the field staff to be able to capture records, edit their own entries (if needed), but NOT be able to delete entries from other users.

Is this possible? If so, I would appreciate any assistance or guidance.

Technical details:
Android app version 2.6.2
DHIS2 instance: 2.33.10

Thank you!

Hello @Terence_Scott

I am sorry you are finding this issue. Indeed it seems to be a security flaw somehow… However this problem seems to be coming from the backend ([DHIS2-8240] - Jira) and the issue cascades to Android. I will check with the Android team if something can be done locally but it should be better addressed by the @tracker-backend. Could you please confirm that you can perform the same deletion on the web version? And maybe even comment or vote on the mentioned JIRA?

Best.

Hey @Terence_Scott. Sorry for the late reply. After some tests I made, it seems that Android is following the backend in this sense and there is nothing we can do.

At one point I was even considering if we should include Android users deleting only their events but this would require an implementation which will break the current model and therefore, the only viable solution (I see) is implementing an authority in the backend.

I have pinged some specific people in the ticket so feel free to follow any further discussion there.

Cheers!

1 Like

Hi @jaime.bosque

Thank you very much for the updates. I am currently following the conversation on Jira and hope that this issue can be resolved, as it is a major challenge in the work that we do. The field data collection teams unfortunately delete some of the local data as in many instances they are concerned about “filling their phones” with data (obviously not the case, but this comes from them not understanding the limited data needs of the app). Therefore, they risk jeopardizing other data collected by accidentally deleting other users’ data.

Thank you again for the follow-up.

1 Like

Hi @Terence_Scott.

I see your point. Although it might not be a workaround for you, have you considered using the Android Settings Web App to limit drastically the amount of data downloaded on their phones? Doing this would be like only seeing their input and not any others’ events.

1 Like

Thanks @jaime.bosque - yes, this is certainly a good point and we will do so! Thanks!

2 Likes