Person pages of persons outside the user's jurisdiction are editable #11245
Labels
backend
Affects the web backend
change
A change of an existing feature (ticket type)
persons
vaadin-app
Affects the Vaadin application
Problem Description
Person pages are editable when the person and its associated entities are neither within the user's jurisdiction nor created by that user.
The cards on the side of the person page are editable as well, and the user can create new entities for a person that is not within their jurisdiction (this is not possible, for instance, if the user goes through the regular entity creation forms from each directory and uses the person search option).
The behavior was observed while testing for ticket #6053 but I could not determine exactly what caused it as ticket #10992 also mentions the person pages and when they should be editable or not.
Steps to Reproduce
1. Log in with an Admin+NatUser and create a new case (and person) and set the jurisdiction of both of them in:
2. Then copy the URL of the person created at step 1;
3. Log in the app with a user that has the same user rights but that is restricted by jurisdiction (e.g. Region - Berlin);
4. Paste the link copied and observe the person page.
Actual Behavior
The person page is editable and the user can create new entities for that person. When navigating to the case associated with that person (created at step 1) it can be observed that the case is editable since it is not within this user's jurisdiction.
Expected Behavior
The person page and the associated cards should not be editable if the user does not have edit access to any non-deleted entity that is connected to this person (the information on the cards should be visible and the user should be able to open the associated entities, but the creation buttons on the cards should either not be visible or should not be clickable).
@MateStrysewske perhaps you would be able to provide some insight into what the expected behavior here should be.
Screenshots
GIF of the behavior:
System Details
Additional Information
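The expected behavior describes an authorization predicate: a person page, its cards and the create buttons on them are editable only if the user has edit access to at least one non-deleted entity connected to the person. The following is an added model of that rule written for this issue; it is not SORMAS code and uses none of its classes. The data model (Jurisdiction, User, Entity, Person), the two edit-access conditions (inside the user's jurisdiction, or created by the user) and the sample region "Brandenburg" for the case from step 1 (the report's jurisdiction value is cut off) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Level(Enum):
    NATION = 1
    REGION = 2
    DISTRICT = 3


@dataclass(frozen=True)
class Jurisdiction:
    """Where a user may act, or where an entity is located. Fields below
    the level stay None (a national jurisdiction has no region)."""
    level: Level
    region: Optional[str] = None
    district: Optional[str] = None

    def contains(self, other: "Jurisdiction") -> bool:
        """True if `other` lies inside this jurisdiction."""
        if self.level is Level.NATION:
            return True
        if self.level is Level.REGION:
            return other.region == self.region
        return other.region == self.region and other.district == self.district


@dataclass(frozen=True)
class User:
    name: str
    jurisdiction: Jurisdiction


@dataclass
class Entity:
    """A case, contact, event participant, ... connected to a person."""
    kind: str
    jurisdiction: Jurisdiction
    reporting_user: str  # who created it
    deleted: bool = False


@dataclass
class Person:
    name: str
    entities: List[Entity] = field(default_factory=list)


def can_edit_entity(user: User, entity: Entity) -> bool:
    """Edit access to one entity: it lies in the user's jurisdiction or the
    user created it (assumed model of the two conditions in the report)."""
    return (user.jurisdiction.contains(entity.jurisdiction)
            or entity.reporting_user == user.name)


def can_edit_person(user: User, person: Person) -> bool:
    """Expected behavior: the person page, its cards and the create buttons
    are editable only if the user may edit at least one non-deleted entity
    connected to the person. Deleted entities never count."""
    return any(can_edit_entity(user, e)
               for e in person.entities if not e.deleted)


# Constructed sample data. "Brandenburg" is an assumed region outside the
# Berlin user's jurisdiction, standing in for the cut-off value in step 1.
NATIONAL_ADMIN = User("nat_admin", Jurisdiction(Level.NATION))
BERLIN_USER = User("berlin_user", Jurisdiction(Level.REGION, region="Berlin"))
BRANDENBURG = Jurisdiction(Level.REGION, region="Brandenburg")
BERLIN_MITTE = Jurisdiction(Level.DISTRICT, region="Berlin", district="Mitte")


def reported_scenario() -> dict:
    """Steps 1-4 of the report: the national user creates a case outside
    Berlin, then the Berlin-restricted user opens the person page by URL."""
    person = Person("person from step 1",
                    [Entity("case", BRANDENBURG, NATIONAL_ADMIN.name)])
    return {
        "national_user": can_edit_person(NATIONAL_ADMIN, person),  # True
        "berlin_user": can_edit_person(BERLIN_USER, person),       # False
    }


def deleted_entities_do_not_count() -> tuple:
    """A deleted in-jurisdiction case grants nothing; a live contact does."""
    person = Person("p", [Entity("case", BERLIN_MITTE, "nat_admin", deleted=True)])
    before = can_edit_person(BERLIN_USER, person)
    person.entities.append(Entity("contact", BERLIN_MITTE, "nat_admin"))
    after = can_edit_person(BERLIN_USER, person)
    return before, after  # (False, True)


def creator_keeps_access() -> bool:
    """An entity outside the user's region, but created by that user."""
    person = Person("p", [Entity("case", BRANDENBURG, BERLIN_USER.name)])
    return can_edit_person(BERLIN_USER, person)  # True


if __name__ == "__main__":
    print(reported_scenario())
    print(deleted_entities_do_not_count())
    print(creator_keeps_access())
```

The predicate deliberately takes the whole entity list rather than a single entity, so that a page reached by pasting a URL (step 4) is checked the same way as one reached through a directory: the view should never be editable just because it was opened directly.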