I am exploring the ACL system with a goal of adding specific ACLs for calendar and patient list views. I changed the ACL for the Accounting group, and created a user in that group. Specifically, I removed the patient ACL from write and added patient/appointments to read only and set it to deny.
add_edit_events does block that user from adding an appointment, but upon login the calendar by default shows all users. Should there be an ACL check in the calendar index also, or is this something else I don’t yet understand about the ACL system? Should this be an additional ACL and then a check placed in the calendar index?
I am using the easy development build using the flex image.
In this post, I am trying to deny access to see appointments for a group.
Long-term goal: Limit providers to assigned patients for demographics and appointments. I will create appointments-logged in user only and demographics-logged in user only ACLs and make the necessary changes in code. I have identified most of these locations, but I was making sure that I understand the ACL system as it is first. Once I have it working I would contribute these to the codebase.
Thank you Brady and the community for all the support and hard work.