fix: updated user permission

care/facility/api/serializers/bed.py

@@ -26,6 +26,7 @@
 from care.facility.models.patient import PatientRegistration
 from care.facility.models.patient_base import BedTypeChoices
 from care.facility.models.patient_consultation import PatientConsultation
+from care.users.models import User
 from care.utils.assetintegration.asset_classes import AssetClasses
 from care.utils.queryset.consultation import get_consultation_queryset
 from care.utils.queryset.facility import get_facility_queryset
@@ -185,6 +186,9 @@ def validate(self, attrs):
         user = self.context["request"].user
         bed = attrs["bed"]
 
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise ValidationError("You do not have permission to perform this action")
+
         facilities = get_facility_queryset(user)
         if not facilities.filter(id=bed.facility_id).exists():
             raise ValidationError("You do not have access to this facility")

care/facility/api/serializers/file_upload.py

@@ -123,6 +123,14 @@ class Meta:
         )
         write_only_fields = ("associating_id",)
 
+    def validate(self, attrs):
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise serializers.ValidationError(
+                {"permission": "Only Nurses and above can upload files."}
+            )
+        return super().validate(attrs)
+
     def create(self, validated_data):
         user = self.context["request"].user
         internal_id = check_permissions(

care/facility/api/serializers/patient_external_test.py

@@ -8,7 +8,13 @@
     LocalBodySerializer,
     WardSerializer,
 )
-from care.users.models import REVERSE_LOCAL_BODY_CHOICES, District, LocalBody, Ward
+from care.users.models import (
+    REVERSE_LOCAL_BODY_CHOICES,
+    District,
+    LocalBody,
+    User,
+    Ward,
+)
 
 
 class PatientExternalTestSerializer(serializers.ModelSerializer):
@@ -91,6 +97,14 @@ def validate_empty_values(self, data, *args, **kwargs):
 
         return super().validate_empty_values(data, *args, **kwargs)
 
+    def validate(self, attrs):
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise ValidationError(
+                {"user": ["User is not allowed to perform this action"]}
+            )
+        return super().validate(attrs)
+
     def create(self, validated_data):
         if "srf_id" in validated_data:
             if PatientRegistration.objects.filter(
@@ -117,6 +131,14 @@ class Meta:
         model = PatientExternalTest
         fields = ("address", "ward", "local_body", "patient_created")
 
+    def validate(self, attrs):
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise ValidationError(
+                {"user": ["User is not allowed to perform this action"]}
+            )
+        return super().validate(attrs)
+
     def update(self, instance, validated_data):
         if "ward" in validated_data:
             validated_data["local_body"] = validated_data["ward"].local_body

care/facility/api/serializers/patient_investigation.py

@@ -7,6 +7,7 @@
     PatientInvestigation,
     PatientInvestigationGroup,
 )
+from care.users.models import User
 
 
 class PatientInvestigationGroupSerializer(serializers.ModelSerializer):
@@ -59,6 +60,14 @@ class Meta:
         )
         exclude = TIMESTAMP_FIELDS + ("external_id",)
 
+    def validate(self, attrs):
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise serializers.ValidationError(
+                "You do not have permission to perform this action"
+            )
+        return super().validate(attrs)
+
     def update(self, instance, validated_data):
         if instance.consultation.discharge_date:
             raise serializers.ValidationError(
@@ -82,6 +91,14 @@ class Meta:
         read_only_fields = TIMESTAMP_FIELDS
         exclude = TIMESTAMP_FIELDS + ("external_id",)
 
+    def validate(self, attrs):
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            raise serializers.ValidationError(
+                "You do not have permission to perform this action"
+            )
+        return super().validate(attrs)
+
 
 class ValueSerializer(serializers.ModelSerializer):
     class Meta:

care/facility/api/serializers/patient_sample.py

@@ -12,6 +12,7 @@
     PatientSampleFlow,
 )
 from care.users.api.serializers.user import UserBaseMinimumSerializer
+from care.users.models import User
 from care.utils.serializer.external_id_field import ExternalIdSerializerField
 from config.serializers import ChoiceField
 
@@ -103,7 +104,12 @@ class PatientSamplePatchSerializer(PatientSampleSerializer):
     notes = serializers.CharField(required=False)
 
     def update(self, instance, validated_data):
-        instance.last_edited_by = self.context["request"].user
+        user = self.context["request"].user
+        if user.user_type < User.TYPE_VALUE_MAP["Doctor"]:
+            raise ValidationError(
+                {"status": ["User is not allowed to update sample details"]}
+            )
+        instance.last_edited_by = user
         try:
             is_completed = validated_data.get("result") in [1, 2]
             new_status = validated_data.get(

care/facility/api/viewsets/notification.py

@@ -13,6 +13,7 @@
 
 from care.facility.api.serializers.notification import NotificationSerializer
 from care.facility.models.notification import Notification
+from care.users.models import User
 from care.utils.filters.choicefilter import CareChoiceFilter, inverse_choices
 from care.utils.notification_handler import NotificationGenerator
 from care.utils.queryset.facility import get_facility_queryset
@@ -71,6 +72,10 @@ def notify(self, request, *args, **kwargs):
             raise ValidationError({"facility": "is required"})
         if "message" not in request.data or request.data["message"] == "":
             raise ValidationError({"message": "is required"})
+        if user.user_type < User.TYPE_VALUE_MAP["Doctor"] and request.data["facility"]:
+            raise ValidationError(
+                {"user": "You are not allowed to notify other hospitals"}
+            )
         facilities = get_facility_queryset(user)
         facility = get_object_or_404(
             facilities.filter(external_id=request.data["facility"])

care/facility/api/viewsets/patient_investigation.py

@@ -82,7 +82,7 @@ class PatientInvestigationViewSet(
     pagination_class = InvestigationResultsSetPagination
 
 
-class PatientInvestigationFilter(filters.FilterSet):
+class PatientInvestigationSummaryFilter(filters.FilterSet):
     created_date = filters.DateFromToRangeFilter(field_name="created_date")
     modified_date = filters.DateFromToRangeFilter(field_name="modified_date")
     investigation = filters.CharFilter(field_name="investigation__external_id")
@@ -102,7 +102,7 @@ class PatientInvestigationSummaryViewSet(
     queryset = InvestigationValue.objects.all()
     lookup_field = "external_id"
     permission_classes = (IsAuthenticated,)
-    filterset_class = PatientInvestigationFilter
+    filterset_class = PatientInvestigationSummaryFilter
     filter_backends = (filters.DjangoFilterBackend,)
     pagination_class = InvestigationSummaryResultsSetPagination
     SESSION_PER_PAGE = 5
@@ -124,16 +124,19 @@ def get_queryset(self):
                 * self.SESSION_PER_PAGE
             ]
         )
-        if not sessions.exists():
+        if (
+            not sessions.exists()
+            or self.request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]
+        ):
             return self.queryset.none()
         queryset = queryset.filter(session_id__in=sessions.values("session_id"))
         if self.request.user.is_superuser:
             return queryset
-        elif self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
+        if self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
             return queryset.filter(
                 consultation__patient__facility__state=self.request.user.state
             )
-        elif self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
+        if self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
             return queryset.filter(
                 consultation__patient__facility__district=self.request.user.district
             )
@@ -173,11 +176,11 @@ def get_queryset(self):
         )
         if self.request.user.is_superuser:
             return queryset
-        elif self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
+        if self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
             return queryset.filter(
                 consultation__patient__facility__state=self.request.user.state
             )
-        elif self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
+        if self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
             return queryset.filter(
                 consultation__patient__facility__district=self.request.user.district
             )

care/facility/models/daily_round.py

@@ -523,6 +523,8 @@ def has_write_permission(request):
         if "/analyse" not in request.get_full_path():
             if request.user.user_type in READ_ONLY_USER_TYPES:
                 return False
+            if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+                return False
         return DailyRound.has_read_permission(request)
 
     @staticmethod
@@ -579,6 +581,8 @@ def has_object_read_permission(self, request):
     def has_object_write_permission(self, request):
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
         return (
             request.user.is_superuser
             or (

care/facility/models/mixins/permissions/patient.py

@@ -13,7 +13,7 @@ def has_write_permission(request):
         return (
             request.user.is_superuser
             or request.user.verified
-            and request.user.user_type >= User.TYPE_VALUE_MAP["Staff"]
+            and request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"]
         )
 
     def has_object_read_permission(self, request):
@@ -54,6 +54,9 @@ def has_object_write_permission(self, request):
             return False
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
+
         doctor_allowed = False
         if self.last_consultation:
             doctor_allowed = request.user in (
@@ -95,6 +98,9 @@ def has_object_transfer_permission(self, request):
             return False
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
+
         new_facility = Facility.objects.filter(
             id=request.data.get("facility", None)
         ).first()
@@ -111,7 +117,7 @@ def has_write_permission(request):
         return (
             request.user.is_superuser
             or request.user.verified
-            and request.user.user_type >= User.TYPE_VALUE_MAP["Staff"]
+            and request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"]
         )
 
     def has_object_read_permission(self, request):
@@ -141,6 +147,8 @@ def has_object_read_permission(self, request):
     def has_object_update_permission(self, request):
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
         return (
             request.user.is_superuser
             or (

care/facility/models/patient_sample.py

@@ -157,7 +157,7 @@ def has_write_permission(request):
             return False
         return (
             request.user.is_superuser
-            or request.user.user_type >= User.TYPE_VALUE_MAP["Staff"]
+            or request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"]
         )
 
     @staticmethod

care/facility/models/shifting.py

@@ -154,6 +154,8 @@ class Meta:
     def has_write_permission(request):
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
         return True
 
     @staticmethod
@@ -166,6 +168,8 @@ def has_object_read_permission(self, request):
     def has_object_write_permission(self, request):
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
         return True
 
     def has_object_transfer_permission(self, request):
@@ -174,6 +178,8 @@ def has_object_transfer_permission(self, request):
     def has_object_update_permission(self, request):
         if request.user.user_type in READ_ONLY_USER_TYPES:
             return False
+        if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]:
+            return False
         return True