While trying to reproduce the issue on play, I encountered issues accessing the instances so I needed to test on a local instance instead.
I’m wondering what are the tracker authorities does the role provided for these users have? Does it have the authority to ‘update tracked entities’? If so I think this is the reason why they’re able to update the profiles:
I’m still investigating the issue as well, but would love to hear from you about my question. Thanks!
I’m testing a couple of scenarios with different access rights, so let me put them here:
First scenario, user has the right “can capture and view” data in the tracker program but doesn’t have the ‘update tracked entities’ authority nor the edit TEI (can view only), result: user can’t view the program listed in the Capture app. However, in the Tracker Capture app, the user is able to view the TEIs as well as the program and is not able to edit the TEIs attribute; additionally, the user is not able to register and enroll new TEIs.
Second scenario, same as first scenario but adding the ‘update tracked entities’ authority - no changes seem to take affect.
Third scenario, same as first scenario but changing the sharing setting of the program to ‘view only’ - no changes seem to take affect.
Fourth scenario, same as third scenario but changing the TEI sharing setting to ‘can capture and view’ so now the user is able to edit the TE attributes but not enroll TEI in the program (in Tracker Capture app and Capture app).
Fifth scenario, same as fourth but changed the TE attribute sharing setting for the user to view only; however, this didn’t change the result of the fourth scenario as the user is still able to edit the TE attribute but not enroll TEI in the program (Tracker Capture app and Capture app).
Sixth scenario, user given the ‘can capture and view’ to both the TEI type and the program, result: only when both sharing settings (TEI type and tracker program) are “capture and view” is the user able to enroll TEIs to the program which means that there is no way to allow the user to enroll TEIs but be stopped from changing their attributes but there is the option to allow the user to edit the attributes and not be able to enroll.