Restrict subject search
In !1274 (merged) we merged the 3 subject search views into one. Unfortunately, I glossed over some permission checks in the process. So in this I MR try to restore those:
- Conductors are not allowed to find subjects who are not invited to one of their studies
- Recruiters are not allowed to find subjects who are not requested for one of their studies
- This is not completely true: Recruiters happen to have the
view_contact
permission which allows them to search for any subject. Replacing "Recruiter" by "User withchange_participationrequest
would be more accurate.
- This is not completely true: Recruiters happen to have the
- Receptionists bypass both study membership and privacy level checks in the search (but nowhere else).
- Currently, the restriction is that the subject needs to be invited to a study that is currently in execution. We might restrict that further to subject who have an appointment in the near future. But that is a task for another day.