openmrs / openmrs-core / 27768587422

64%

master: 65%

Build Type

push

github

Committed by web-flow

Commit Message

Require Get Alerts privilege to read all users' alerts (#6206)

Backport of #6186 to 2.9.x.

AlertService.getAllAlerts() and getAllAlerts(boolean) return every user's
alerts but were guarded only by @Authorized (authentication), so any
authenticated user could read alerts addressed to others. Introduce a
dedicated Get Alerts privilege (GET_* read-privilege convention) and gate both
methods with it. The per-user reads (getAlert, getAlerts, getAlertsByUser,
getAllActiveAlerts) stay open for a caller reading their own alerts; reading
another user's alerts through them now requires Get Alerts. getAlert(Integer)
returns null (rather than throwing) for another user's alert, the same as for
an unknown id, so it cannot be used as an existence oracle.

The privilege is created on startup via @AddOnStartup / checkCoreDataset() and
is not auto-granted to any role, so it does not reintroduce the leak. The
scheduled AlertReminderTask grants itself a proxy Get Alerts privilege around
its read of all alerts.


Claude-Session: https://claude.ai/code/session_01GswaapaA8WAbd7V7dv3yxW

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Coverage Stats

10 of 13 new or added lines in 2 files covered. (76.92%)

4 existing lines in 2 files now uncovered.

23940 of 37566 relevant lines covered (63.73%)

0.64 hits per line