Restrict subject search (!1373) · Merge requests · castellum / castellum

Bengfort requested to merge restrict-subject-search into master May 12, 2020

In !1274 (merged) we merged the 3 subject search views into one. Unfortunately, I glossed over some permission checks in the process. So in this I MR try to restore those:

Conductors are not allowed to find subjects who are not invited to one of their studies
Recruiters are not allowed to find subjects who are not requested for one of their studies
- This is not completely true: Recruiters happen to have the view_contact permission which allows them to search for any subject. Replacing "Recruiter" by "User with change_participationrequest would be more accurate.
Receptionists bypass both study membership and privacy level checks in the search (but nowhere else).
- Currently, the restriction is that the subject needs to be invited to a study that is currently in execution. We might restrict that further to subject who have an appointment in the near future. But that is a task for another day.

Edited May 13, 2020 by Hayat

Restrict subject search

Merge request reports