diff --git a/care/facility/api/serializers/bed.py b/care/facility/api/serializers/bed.py index 383c208862..ea8808785b 100644 --- a/care/facility/api/serializers/bed.py +++ b/care/facility/api/serializers/bed.py @@ -26,6 +26,7 @@ from care.facility.models.patient import PatientRegistration from care.facility.models.patient_base import BedTypeChoices from care.facility.models.patient_consultation import PatientConsultation +from care.users.models import User from care.utils.assetintegration.asset_classes import AssetClasses from care.utils.queryset.consultation import get_consultation_queryset from care.utils.queryset.facility import get_facility_queryset @@ -185,6 +186,9 @@ def validate(self, attrs): user = self.context["request"].user bed = attrs["bed"] + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise ValidationError("You do not have permission to perform this action") + facilities = get_facility_queryset(user) if not facilities.filter(id=bed.facility_id).exists(): raise ValidationError("You do not have access to this facility") diff --git a/care/facility/api/serializers/file_upload.py b/care/facility/api/serializers/file_upload.py index 9515885917..ecc43ed1d6 100644 --- a/care/facility/api/serializers/file_upload.py +++ b/care/facility/api/serializers/file_upload.py @@ -123,6 +123,14 @@ class Meta: ) write_only_fields = ("associating_id",) + def validate(self, attrs): + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise serializers.ValidationError( + {"permission": "Only Nurses and above can upload files."} + ) + return super().validate(attrs) + def create(self, validated_data): user = self.context["request"].user internal_id = check_permissions( diff --git a/care/facility/api/serializers/patient_external_test.py b/care/facility/api/serializers/patient_external_test.py index 677c6b2e74..df7e67d9d4 100644 --- a/care/facility/api/serializers/patient_external_test.py 
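Review bot: The new `user_type < Nurse` gate in `validate` reports an authorization failure as a `ValidationError`, so a user without the role gets HTTP 400 instead of 403 and clients cannot tell bad input from a denied action; `raise PermissionDenied("You do not have permission to perform this action")` from `rest_framework.exceptions` expresses the intent better. The same four-line check is pasted into file_upload.py, both serializers in patient_external_test.py, both in patient_investigation.py and (with a Doctor floor) patient_sample.py, so one helper such as a proposed `require_min_user_type(user, "Nurse")` would keep the threshold and the message in a single place. Unlike the model permission methods touched by this commit, none of the serializer checks consult `is_superuser`; whether superuser accounts always carry a `user_type` at or above Nurse is not visible here. `validate` starts before this hunk and continues after it.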
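Review bot: The new `validate` in file_upload.py references `User`, but unlike bed.py, patient_external_test.py, patient_investigation.py and patient_sample.py this file gets no import hunk in the diff; if `User` is not already imported further up, the first request from a user below Nurse fails with a `NameError` (a 500) instead of the intended rejection. Worth confirming the import exists, and a test that exercises the below-Nurse path would pin it. The enclosing serializer class starts before this hunk and continues past it.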
+++ b/care/facility/api/serializers/patient_external_test.py @@ -8,7 +8,13 @@ LocalBodySerializer, WardSerializer, ) -from care.users.models import REVERSE_LOCAL_BODY_CHOICES, District, LocalBody, Ward +from care.users.models import ( + REVERSE_LOCAL_BODY_CHOICES, + District, + LocalBody, + User, + Ward, +) class PatientExternalTestSerializer(serializers.ModelSerializer): @@ -91,6 +97,14 @@ def validate_empty_values(self, data, *args, **kwargs): return super().validate_empty_values(data, *args, **kwargs) + def validate(self, attrs): + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise ValidationError( + {"user": ["User is not allowed to perform this action"]} + ) + return super().validate(attrs) + def create(self, validated_data): if "srf_id" in validated_data: if PatientRegistration.objects.filter( @@ -117,6 +131,14 @@ class Meta: model = PatientExternalTest fields = ("address", "ward", "local_body", "patient_created") + def validate(self, attrs): + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise ValidationError( + {"user": ["User is not allowed to perform this action"]} + ) + return super().validate(attrs) + def update(self, instance, validated_data): if "ward" in validated_data: validated_data["local_body"] = validated_data["ward"].local_body diff --git a/care/facility/api/serializers/patient_investigation.py b/care/facility/api/serializers/patient_investigation.py index bc209b1e68..5e111b1131 100644 --- a/care/facility/api/serializers/patient_investigation.py +++ b/care/facility/api/serializers/patient_investigation.py @@ -7,6 +7,7 @@ PatientInvestigation, PatientInvestigationGroup, ) +from care.users.models import User class PatientInvestigationGroupSerializer(serializers.ModelSerializer): 
@@ -59,6 +60,14 @@ class Meta: ) exclude = TIMESTAMP_FIELDS + ("external_id",) + def validate(self, attrs): + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise serializers.ValidationError( + "You do not have permission to perform this action" + ) + return super().validate(attrs) + def update(self, instance, validated_data): if instance.consultation.discharge_date: raise serializers.ValidationError( @@ -82,6 +91,14 @@ class Meta: read_only_fields = TIMESTAMP_FIELDS exclude = TIMESTAMP_FIELDS + ("external_id",) + def validate(self, attrs): + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + raise serializers.ValidationError( + "You do not have permission to perform this action" + ) + return super().validate(attrs) + class ValueSerializer(serializers.ModelSerializer): class Meta: diff --git a/care/facility/api/serializers/patient_sample.py b/care/facility/api/serializers/patient_sample.py index 2308dcac1b..f227ce731a 100644 --- a/care/facility/api/serializers/patient_sample.py +++ b/care/facility/api/serializers/patient_sample.py @@ -12,6 +12,7 @@ PatientSampleFlow, ) from care.users.api.serializers.user import UserBaseMinimumSerializer +from care.users.models import User from care.utils.serializer.external_id_field import ExternalIdSerializerField from config.serializers import ChoiceField @@ -103,7 +104,12 @@ class PatientSamplePatchSerializer(PatientSampleSerializer): notes = serializers.CharField(required=False) def update(self, instance, validated_data): - instance.last_edited_by = self.context["request"].user + user = self.context["request"].user + if user.user_type < User.TYPE_VALUE_MAP["Doctor"]: + raise ValidationError( + {"status": ["User is not allowed to update sample details"]} + ) + instance.last_edited_by = user try: is_completed = validated_data.get("result") in [1, 2] new_status = validated_data.get( 
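Review bot: The Doctor floor added to `PatientSamplePatchSerializer.update` is stricter than the Nurse floor this same commit sets in `has_write_permission` of patient_sample.py, so a Nurse passes the model permission check and then receives a 400 keyed on `"status"` from the serializer; if that is intended, a comment on the `if` line such as `# Sample results may only be edited by Doctors and above, even though Nurses may create samples` would stop the two thresholds from reading as a typo. Placing the check in `update` rather than `validate` also means it runs only after field validation succeeds and only on the patch path. It is not visible whether the unqualified `ValidationError` is imported in this file; the touched serializers mix bare `ValidationError` and `serializers.ValidationError`. `update` continues past the end of the hunk.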
diff --git a/care/facility/api/viewsets/notification.py b/care/facility/api/viewsets/notification.py index 05f42ff6e0..3281255a71 100644 --- a/care/facility/api/viewsets/notification.py +++ b/care/facility/api/viewsets/notification.py @@ -13,6 +13,7 @@ from care.facility.api.serializers.notification import NotificationSerializer from care.facility.models.notification import Notification +from care.users.models import User from care.utils.filters.choicefilter import CareChoiceFilter, inverse_choices from care.utils.notification_handler import NotificationGenerator from care.utils.queryset.facility import get_facility_queryset @@ -71,6 +72,10 @@ def notify(self, request, *args, **kwargs): raise ValidationError({"facility": "is required"}) if "message" not in request.data or request.data["message"] == "": raise ValidationError({"message": "is required"}) + if user.user_type < User.TYPE_VALUE_MAP["Doctor"] and request.data["facility"]: + raise ValidationError( + {"user": "You are not allowed to notify other hospitals"} + ) facilities = get_facility_queryset(user) facility = get_object_or_404( facilities.filter(external_id=request.data["facility"]) diff --git a/care/facility/api/viewsets/patient_investigation.py b/care/facility/api/viewsets/patient_investigation.py index f575a33fe2..d83fd8ebaa 100644 --- a/care/facility/api/viewsets/patient_investigation.py +++ b/care/facility/api/viewsets/patient_investigation.py @@ -82,7 +82,7 @@ class PatientInvestigationViewSet( pagination_class = InvestigationResultsSetPagination -class PatientInvestigationFilter(filters.FilterSet): +class PatientInvestigationSummaryFilter(filters.FilterSet): created_date = filters.DateFromToRangeFilter(field_name="created_date") modified_date = filters.DateFromToRangeFilter(field_name="modified_date") investigation = filters.CharFilter(field_name="investigation__external_id") 
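Review bot: In `notify`, the second operand of the new condition, `and request.data["facility"]`, never narrows it: the check just above already raises when `facility` is missing (and, if it mirrors the `message` check, when it is empty), so by this line the value is always truthy and every user below Doctor is refused outright, while the message says they may not notify other hospitals. If the intent is to let lower roles notify their own facility, the comparison has to be against the user's facility after the `facility` object is resolved by the `get_object_or_404` below, e.g. `if user.user_type < User.TYPE_VALUE_MAP["Doctor"] and facility != <user's own facility>:` (placeholder: the attribute holding the user's home facility is not visible here). If a flat Doctor floor really is intended, drop the second operand and reword the message so logs do not suggest a facility comparison that never happens. `notify` starts before this hunk and continues after it.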
@@ -102,7 +102,7 @@ class PatientInvestigationSummaryViewSet( queryset = InvestigationValue.objects.all() lookup_field = "external_id" permission_classes = (IsAuthenticated,) - filterset_class = PatientInvestigationFilter + filterset_class = PatientInvestigationSummaryFilter filter_backends = (filters.DjangoFilterBackend,) pagination_class = InvestigationSummaryResultsSetPagination SESSION_PER_PAGE = 5 @@ -124,16 +124,19 @@ def get_queryset(self): * self.SESSION_PER_PAGE ] ) - if not sessions.exists(): + if ( + not sessions.exists() + or self.request.user.user_type < User.TYPE_VALUE_MAP["Nurse"] + ): return self.queryset.none() queryset = queryset.filter(session_id__in=sessions.values("session_id")) if self.request.user.is_superuser: return queryset - elif self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]: + if self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]: return queryset.filter( consultation__patient__facility__state=self.request.user.state ) - elif self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]: + if self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]: return queryset.filter( consultation__patient__facility__district=self.request.user.district ) @@ -173,11 +176,11 @@ def get_queryset(self): ) if self.request.user.is_superuser: return queryset - elif self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]: + if self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]: return queryset.filter( consultation__patient__facility__state=self.request.user.state ) - elif self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]: + if self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]: return queryset.filter( consultation__patient__facility__district=self.request.user.district ) diff --git a/care/facility/models/daily_round.py b/care/facility/models/daily_round.py index 02ec70a5bd..a08a510a08 100644 
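Review bot: In `get_queryset` the new `user_type < Nurse` test is evaluated only after the `sessions` slice has been built and `sessions.exists()` has hit the database, so an unauthorised caller still costs a query before receiving the empty queryset; moving the role test to the top of the method, `if self.request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: return self.queryset.none()`, is cheaper and keeps it separate from the "no sessions" case. Returning `none()` also makes a denied request indistinguishable from an empty result set in logs; if that is deliberate a one-line comment saying so would help the next reader. The `is_superuser` short-circuit now sits below the role test, so a superuser whose `user_type` is below Nurse (if such accounts exist) gets nothing; that cannot be judged from here. The second `get_queryset` hunk at -173 only swaps `elif` for `if` and receives no role floor, which may or may not be intended. `get_queryset` starts before the hunk and continues after it.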
--- a/care/facility/models/daily_round.py +++ b/care/facility/models/daily_round.py @@ -523,6 +523,8 @@ def has_write_permission(request): if "/analyse" not in request.get_full_path(): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return DailyRound.has_read_permission(request) @staticmethod @@ -579,6 +581,8 @@ def has_object_read_permission(self, request): def has_object_write_permission(self, request): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return ( request.user.is_superuser or ( diff --git a/care/facility/models/mixins/permissions/patient.py b/care/facility/models/mixins/permissions/patient.py index e828ecb4cf..354b7cc81d 100644 --- a/care/facility/models/mixins/permissions/patient.py +++ b/care/facility/models/mixins/permissions/patient.py @@ -13,7 +13,7 @@ def has_write_permission(request): return ( request.user.is_superuser or request.user.verified - and request.user.user_type >= User.TYPE_VALUE_MAP["Staff"] + and request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"] ) def has_object_read_permission(self, request): @@ -54,6 +54,9 @@ def has_object_write_permission(self, request): return False if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False + doctor_allowed = False if self.last_consultation: doctor_allowed = request.user in ( @@ -95,6 +98,9 @@ def has_object_transfer_permission(self, request): return False if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False + new_facility = Facility.objects.filter( id=request.data.get("facility", None) ).first() 
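Review bot: The Nurse floor in `DailyRound.has_write_permission` is placed inside the `"/analyse" not in request.get_full_path()` branch, so it is skipped for any write whose full path contains that substring, while the companion `has_object_write_permission` in the next hunk applies it unconditionally; if the floor is meant for every write, hoist it above the path test. `get_full_path()` includes the query string, so a path-based exemption is safer keyed on `request.path` (pre-existing, but the new check inherits it). Neither daily_round.py nor shifting.py shows an import hunk for `User` in this diff, unlike patient.py and patient_sample.py where `User.TYPE_VALUE_MAP` was already in use; confirm both modules import it. The same two-line check now appears twice in daily_round.py, three times in patient.py and three times in shifting.py, and a single helper on the permission mixin would keep the threshold in one place. `has_write_permission` starts before this hunk and continues after it.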
@@ -111,7 +117,7 @@ def has_write_permission(request): return ( request.user.is_superuser or request.user.verified - and request.user.user_type >= User.TYPE_VALUE_MAP["Staff"] + and request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"] ) def has_object_read_permission(self, request): @@ -141,6 +147,8 @@ def has_object_read_permission(self, request): def has_object_update_permission(self, request): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return ( request.user.is_superuser or ( diff --git a/care/facility/models/patient_sample.py b/care/facility/models/patient_sample.py index e967dac530..8482035e6a 100644 --- a/care/facility/models/patient_sample.py +++ b/care/facility/models/patient_sample.py @@ -157,7 +157,7 @@ def has_write_permission(request): return False return ( request.user.is_superuser - or request.user.user_type >= User.TYPE_VALUE_MAP["Staff"] + or request.user.user_type >= User.TYPE_VALUE_MAP["Nurse"] ) @staticmethod diff --git a/care/facility/models/shifting.py b/care/facility/models/shifting.py index 4b88925b60..2d6f92891f 100644 --- a/care/facility/models/shifting.py +++ b/care/facility/models/shifting.py @@ -154,6 +154,8 @@ class Meta: def has_write_permission(request): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return True @staticmethod @@ -166,6 +168,8 @@ def has_object_read_permission(self, request): def has_object_write_permission(self, request): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return True def has_object_transfer_permission(self, request): 
@@ -174,6 +178,8 @@ def has_object_transfer_permission(self, request): def has_object_update_permission(self, request): if request.user.user_type in READ_ONLY_USER_TYPES: return False + if request.user.user_type < User.TYPE_VALUE_MAP["Nurse"]: + return False return True