From a UX perspective it is bad to display links to pages that a user can not access.
From a security perspective the link already contains sensitive information: The slug is a global unique identifier for a subject.
Note that this is part of the contact form, so the
and therefore the
view_contact permission is somewhat implied.
However, users might only have that permission in the scope of the
study, i.e. only for subjects who directly participate in that study.
That does not include guardians.
I believe the proper fix would be to allow study-local subject managers to also update guardian data (see #131 (closed)). That is a much more complicated issue though.