While basic access controls currently appear to work as intended for non-admin users, there are some improvements to be made. For basic users, any protocol created is assigned that user as owner, and any time a user requests a list of protocols they receive all of the protocols that are marked with that user as owner.
This intended behavior currently breaks down for admin users: admins receive the protocols for every user. This is likely due to a configuration flaw in our use of django-oso. Admins by default appear to have access to all protocols regardless of the owner field. While this kind of behavior could one day be considered as an option for admins, right now the frontend is not built to handle receiving all protocols for all users.
The incremental step forward here would be to ensure admins only receive the protocols for which they are specifically listed as owners.
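The behavior described above, modeled as an added example (not code from this project): a blanket staff rule beside an owner-only rule, evaluated over constructed users and protocols, with a check that no user's list exceeds what they own. The Polar rules in the comments and the `is_staff`/`owner` field names are assumptions; the actual policy file is not shown in the issue.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    is_staff: bool = False  # assumed admin flag (Django's default)

@dataclass(frozen=True)
class Protocol:
    pk: int
    owner: str  # username of the owner; assumed field name

# Each rule mirrors one Polar "allow" rule. Polar equivalents (assumed):
#   allow(user: User, "read", p: Protocol) if p.owner = user;
def owner_rule(user, action, protocol):
    return action == "read" and protocol.owner == user.username

#   allow(user: User, _action, _p: Protocol) if user.is_staff;
# A rule like this reproduces the symptom: staff match every Protocol.
def staff_bypass(user, action, protocol):
    return user.is_staff

WEAK_POLICY = [owner_rule, staff_bypass]   # admins see everything
FIXED_POLICY = [owner_rule]                # admins see only what they own

def is_allowed(policy, user, action, protocol):
    """Stand-in for oso's is_allowed: any matching rule grants access."""
    return any(rule(user, action, protocol) for rule in policy)

def list_protocols(policy, user, protocols):
    """What a list endpoint returns when it filters by the policy."""
    return [p.pk for p in protocols if is_allowed(policy, user, "read", p)]

def no_admin_bypass(policy, users, protocols):
    """Regression check: every user's list equals the set they own."""
    return all(
        set(list_protocols(policy, u, protocols)) == {p.pk for p in protocols if p.owner == u.username}
        for u in users
    )

# Constructed sample data.
USERS = [User("alice", is_staff=True), User("bob")]
PROTOCOLS = [Protocol(1, "alice"), Protocol(2, "bob"), Protocol(3, "bob")]
```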