We are getting an error 500 when attempting to sync as a supervisor.
Console error message:
Denied replicating to remote server
{id: '23376ad7-e2d2-44d6-85d2-baad7ceda3b7', error: 'forbidden', name: 'forbidden', status: 500}
Note:
23376ad7-e2d2-44d6-85d2-baad7ceda3b7 is the UUID of a document of type additional_doc (created within another workflow). We are noticing this only when replicating additional_docs generated by our muting approval and death request approval workflows.
This is happening in a test instance, which is a clone of one of our production instances (v3.7). This test instance was upgraded to v3.13 after cloning. On prod the feature works fine as expected. We have noticed this issue across 2 different clones of prod. No issues reported from the cloning and upgrading process.
All the documents created before and after the additional_doc sync fine without issues. The additional_doc is not present in the medic database.
Offline users aren’t allowed to replicate any types of documents, for security reasons. The docs_by_replication_key view details which documents offline users would be allowed to CRUD (create/read/update/delete) - and additionally to that, replication depth rules apply.
A document of a custom type would most definitely be blocked from being created.
To be more specific, offline users are allowed to CRUD:
contact docs (docs of type contact, person, clinic, health_center, district_hospital) that are descendants of their user’s facility - limited by replication_depth
report docs (docs of type data_record) that are about descendants of their user’s facility - limited by replication_depth
their own task docs (docs of type task)
their own target docs (docs of type target)
can read forms, settings, main ddoc and some other admin type docs (branding, partners, translations, z-score etc)
Any other type of doc will be blocked from being replicated, being a read, creation, edit, or deletion.
This document is of type data_record , and replicates well in another instance. This is a sample of the same doc, in an instance that replicated it successfully
In this case, replication failed with denied means that the offline user doesn’t have access to see the linked patient document (fields.patient_id).
Can your supervisor see this patient document? Is it replicated on their device?
We discussed this some more on a call today and I just wanted to add the additional contact that this workflow functions properly on other instances with the same CHT version and replication depth configuration.
Some additional troubleshooting steps we are going to try:
Increase the replication depth and see if that resolves the issue (not an good actual resolution, but could help confirm what the problem is)
Verify that the behavior is the same for other users of the same workflow on the instance (and that this is not related somehow to just this one supervisor).
Yes, you can. While logged in as the supervisor, either:
Search for the document by name or patient_id in the UI
Navigate manually to the contact detail page by changing URL in the app
make a curl get request to the server to see the document and use the supervisor’s credentials
If you get a not found error, then this document is not available.
With a replication_depth of 1, the supervisor only sees their facility and the direct places and people under the facility. If this patient is not a direct child of the facility, then it’s expected to not be available for the user.
To bypass replication_depth, you can use needs_signoff.
Increasing replication depth to 2 increases the number of docs downloading during login exponentially (over 150k). We’ve not had a successful login yet.
@rmayore with that many documents, you could configure the report_depth to still be 1 while depth is still set to 2 and that would avoid having the supervisors need to sync all the data_record docs (but still allow them to access to the contacts).
That being said, I tested it locally and I believe @diana’s suggestion about setting needs_signoff to true in the muting_approved form should solve your problem (without needed to change the replication depth configuration at all…). Just having a needs_signoff field set to true in my report was enough to allow my test user to replicate a document associated with a patient_id that he did not have access to.
@jkuester setting depth to 2 and report_depth to 1 does somewhat reduce the number of docs to be downloaded to ~68K. This is a supervisor that downloads less that 10K docs in depth 1.
Also correct me if I’m wrong, but from this thread doesn’t need_signoff only replicate up a hierarchy? In our case we want to replicate an approval downwards in the manner Supervisor → CHW → patient