
Restrict subject search

Bengfort requested to merge restrict-subject-search into master

In !1274 (merged) we merged the 3 subject search views into one. Unfortunately, I glossed over some permission checks in the process. So in this MR I try to restore those:

  • Conductors are not allowed to find subjects who are not invited to one of their studies
  • Recruiters are not allowed to find subjects who are not requested for one of their studies
    • This is not completely true: Recruiters happen to have the view_contact permission, which allows them to search for any subject. Replacing "Recruiter" by "User with change_participationrequest" would be more accurate.
  • Receptionists bypass both study membership and privacy level checks in the search (but nowhere else).
    • Currently, the restriction is that the subject needs to be invited to a study that is currently in execution. We might restrict that further to subjects who have an appointment in the near future. But that is a task for another day.
Edited by Hayat
