[feature request]Permission on Custom Fields
 


Started by chlee, October 30, 2003, 04:22:39 PM


chlee

Is it possible to set permission on custom fields and hide them from unauthorized users? I need these fields to store patients' id and names (something that might violate patients' privacy) and reserve it for search by power users only.

hyperion

"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull


chlee

It is on the internet. We have several hospitals using the same image database.

Joachim Müller

Hm, I don't know where you're located and what laws apply in your country on confidential patient data, but I doubt this would be a good idea, even if the custom fields were somehow protected. If you're using coppermine for this purpose only, I recommend "triple security" using
  • the built-in security of coppermine (album not visible to the public at all, no user registration, only admin can register new users)
  • password protection of the whole coppermine install by the webserver authentication tools (password protection with .htaccess)
  • transport on a more secure channel (https)

GauGau

chlee

Thanks for the advice. Already in https and set all albums to be private. Registration by admin only.
I am setting up mod_auth_mysql and mod_perl for CPAN; also considering using mod_access to limit IP access.

gtroll

Who would get access to the names etc. of the patients in the custom fields? It might be better to enter the "names and addresses" as a number, store that number as the key to another db that the public does not have access to, with the names and addresses.
You could then write a custom admin app that could query both db's for reports...

I don't think anything in the same db is foolproof, and not for Medical Privacy standards.
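
Added example, not part of the original thread and not Coppermine code: a sketch of the two-database split suggested in the post above, where the gallery's custom field holds only a random token and a separate identity database maps that token to the chart number. Two in-memory SQLite databases stand in for the two separately hosted databases; the table names, the `custom_field` column and all function names are assumptions made for illustration.

```python
import secrets
import sqlite3

def open_gallery_db():
    # Stand-in for the gallery database (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (pid INTEGER PRIMARY KEY, "
               "filename TEXT, custom_field TEXT)")
    return db

def open_identity_db():
    # Stand-in for the separate database the gallery cannot reach.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient_keys (token TEXT PRIMARY KEY, "
               "chart_number TEXT UNIQUE)")
    return db

def token_for_chart(identity_db, chart_number):
    """Return the token for a chart number, creating one on first use."""
    row = identity_db.execute("SELECT token FROM patient_keys "
                              "WHERE chart_number = ?", (chart_number,)).fetchone()
    if row:
        return row[0]
    # Random, not derived from the chart number, so it cannot be reversed.
    token = secrets.token_hex(8)
    identity_db.execute("INSERT INTO patient_keys VALUES (?, ?)",
                        (token, chart_number))
    identity_db.commit()
    return token

def add_picture(gallery_db, identity_db, filename, chart_number):
    """Store a picture; only the token reaches the gallery database."""
    token = token_for_chart(identity_db, chart_number)
    gallery_db.execute("INSERT INTO pictures (filename, custom_field) "
                       "VALUES (?, ?)", (filename, token))
    gallery_db.commit()
    return token

def search_by_chart(gallery_db, identity_db, chart_number):
    """Power-user search: needs read access to both databases."""
    row = identity_db.execute("SELECT token FROM patient_keys "
                              "WHERE chart_number = ?", (chart_number,)).fetchone()
    if row is None:
        return []
    rows = gallery_db.execute("SELECT filename FROM pictures "
                              "WHERE custom_field = ? ORDER BY pid", row)
    return [r[0] for r in rows]

def admin_report(gallery_db, identity_db):
    """Admin report: join the two databases in application code."""
    lookup = dict(identity_db.execute("SELECT token, chart_number FROM patient_keys"))
    rows = gallery_db.execute("SELECT filename, custom_field FROM pictures ORDER BY pid")
    return [(name, lookup.get(tok)) for name, tok in rows]
```

Someone who can read only the gallery database sees the tokens and nothing that can be turned back into a chart number; the search and the report work only for an application that holds credentials for both databases.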

chlee

Actually, there is no privacy information on it except the chart number (with slight transformation from original chart number) I want to hide in one custom field for these images. These images are teaching materials for our training fellow doctors, not for business usage.

However, I think gaugau is right, sometimes we might fail to erase all the id information on a chest film if the image provider is not careful enough. And we might get in trouble with such things. More solid security should be a better policy.