Hello devs,
We have recently seen that the API endpoints do not limit the information that any user can access right now. Even if a user would not normally have access to certain programs on certain orgUnits, right now this data can be accessed if the user knows about the API.

This effect can also be seen through the interface, in the filter function of "Data Entry" or "Event Capture":

- Click on the green search icon
- Type an orgUnit for which the current user does not have access
- Click on the "Find" button

The restricted orgUnit will now appear on the tree and the user will be able to use it normally.

On the other side, if the user knows DHIS and knows how the API works, he will be able to access all the information without any kind of restriction, since the endpoints give all the information.

To sum up, the only security filter DHIS now applies is at interface level. Is this the intended behaviour of DHIS? Will the access to the information be restricted in the future somehow?

Eric
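The kind of server-side check whose absence the message describes, as an added example that is not part of the original post and is not DHIS2 code: the same scope test is applied to both the orgUnit search and the data endpoint, so neither depends on what the interface shows. The hierarchy, users, events, function names and the rule that access to an orgUnit extends to its descendants are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample hierarchy (child -> parent); all names are hypothetical.
PARENT = {"Country": None, "RegionA": "Country", "RegionB": "Country",
          "ClinicA1": "RegionA", "ClinicB1": "RegionB"}

# Constructed sample events as (event id, orgUnit, program).
EVENTS = [("e1", "ClinicA1", "Malaria"), ("e2", "ClinicB1", "Malaria"),
          ("e3", "ClinicA1", "HIV")]


@dataclass(frozen=True)
class User:
    name: str
    org_units: frozenset  # roots of the subtrees assigned to the user
    programs: frozenset   # programs the user may read


class Forbidden(Exception):
    """Raised when a request falls outside the caller's assigned scope."""


def in_scope(user, org_unit):
    """True if org_unit is one of the user's units or a descendant of one."""
    node, seen = org_unit, set()
    while node is not None and node not in seen:  # 'seen' guards against cycles
        if node in user.org_units:
            return True
        seen.add(node)
        node = PARENT.get(node)  # unknown units resolve to None, so they are denied
    return False


def search_org_units(user, query):
    """Backs the UI search box: out-of-scope units are never returned."""
    q = query.lower()
    return sorted(ou for ou in PARENT if q in ou.lower() and in_scope(user, ou))


def get_events(user, org_unit, program):
    """API handler: authorize the requested orgUnit and program before reading."""
    if not in_scope(user, org_unit):
        raise Forbidden(f"{user.name}: no access to orgUnit {org_unit}")
    if program not in user.programs:
        raise Forbidden(f"{user.name}: no access to program {program}")
    return [eid for eid, ou, prog in EVENTS if ou == org_unit and prog == program]
```
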