Potential Security Issue: Local study managers can edit any subject's information
I have a potential issue where I'm not sure if I'm just using Castellum wrong or if I found a (potentially severe) security problem. We are currently on Castellum 0.87.0.
We found that all users who are "Study manager" locally within a study (Study->Details->Member management) have the ability to edit sensitive data of all subjects. All they have to do is make themselves local subject manager in member management if they aren't already, and then add the subject they want to edit to their own study.
Background:
We have users who own studies and are responsible for the experiments, recruitment, etc. (study owners). They therefore need the permission to modify their own study and e.g. send out recruitment emails, add sessions, add other users as collaborators, add subjects, etc. In order for those users to do that, in "member management", I have to give them the role "Study Manager" and probably also "Subject manager" for that study. This has two implications:
- they can give themselves local subject manager permissions if they don't have that already
- with the "Subject manager" role within their study, they can edit any subject's contact details such as name, DOB, recruitment attributes, recruitment consent, etc. So lots of things only a real subject manager should have access to. All they have to do is add a subject to their study and modify it via Studies->Execution->update data.
Is there any way to give a user permission to manage their own study without making them a de-facto subject manager? We consider subject manager a highly sensitive role and cannot give it to all study owners.
I'm happy to answer any questions you might have about our specific situation.
Best, Dario
Edit: I updated the text to make clearer what the issue is.