check permission before displaying link to subject detail in guardian item

Bengfort requested to merge fix-guardian-slug-perm-check into main

From a UX perspective it is bad to display links to pages that a user cannot access.

From a security perspective the link already contains sensitive information: the slug is a globally unique identifier for a subject.

Note that this is part of the contact form, so the change_contact and therefore the view_contact permission is somewhat implied. However, users might only have that permission in the scope of the study, i.e. only for subjects who directly participate in that study. That does not include guardians.

I believe the proper fix would be to allow study-local subject managers to also update guardian data (see #131 (closed)). That is a much more complicated issue though.

Edited by Bengfort