Adds authz for Prescription & Medicine Administrations (#1704)

* Adds authz for Prescription & MAR fixes #1695 * adds missing `DRYPermissions` in viewsets * fix missing object write permission --------- Co-authored-by: Vignesh Hari <vichuhari100@gmail.com> Co-authored-by: Aakash Singh <mail@singhaakash.dev>
ohcnetwork · Mar 5, 2024 · 8e7a5bb · 8e7a5bb
1 parent aba0849
commit 8e7a5bb
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/care/facility/api/viewsets/prescription.py b/care/facility/api/viewsets/prescription.py
@@ -2,6 +2,7 @@
 from django.utils import timezone
 from django_filters import rest_framework as filters
 from drf_spectacular.utils import extend_schema
+from dry_rest_permissions.generics import DRYPermissions
 from redis_om import FindQuery
 from rest_framework import mixins, status
 from rest_framework.decorators import action
@@ -50,7 +51,7 @@ class MedicineAdministrationViewSet(
     mixins.ListModelMixin, mixins.RetrieveModelMixin, GenericViewSet
 ):
     serializer_class = MedicineAdministrationSerializer
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, DRYPermissions)
     queryset = MedicineAdministration.objects.all().order_by("-created_date")
     lookup_field = "external_id"
     filter_backends = (filters.DjangoFilterBackend,)
@@ -94,7 +95,7 @@ class ConsultationPrescriptionViewSet(
     GenericViewSet,
 ):
     serializer_class = PrescriptionSerializer
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, DRYPermissions)
     queryset = Prescription.objects.all().order_by("-created_date")
     lookup_field = "external_id"
     filter_backends = (filters.DjangoFilterBackend,)

diff --git a/care/facility/models/prescription.py b/care/facility/models/prescription.py
@@ -5,6 +5,9 @@
 from django.db.models import JSONField
 from django.utils import timezone
 
+from care.facility.models.mixins.permissions.patient import (
+    ConsultationRelatedPermissionMixin,
+)
 from care.facility.models.patient_consultation import PatientConsultation
 from care.utils.models.base import BaseModel
 from care.utils.models.validators import dosage_validator
@@ -73,7 +76,7 @@ def __str__(self):
         return " - ".join(filter(None, [self.name, self.generic, self.company]))
 
 
-class Prescription(BaseModel):
+class Prescription(BaseModel, ConsultationRelatedPermissionMixin):
     consultation = models.ForeignKey(
         PatientConsultation,
         on_delete=models.PROTECT,
@@ -148,11 +151,14 @@ def save(self, *args, **kwargs) -> None:
     def medicine_name(self):
         return str(self.medicine) if self.medicine else self.medicine_old
 
+    def has_object_write_permission(self, request):
+        return ConsultationRelatedPermissionMixin.has_write_permission(request)
+
     def __str__(self):
         return self.medicine + " - " + self.consultation.patient.name
 
 
-class MedicineAdministration(BaseModel):
+class MedicineAdministration(BaseModel, ConsultationRelatedPermissionMixin):
     prescription = models.ForeignKey(
         Prescription,
         on_delete=models.PROTECT,
@@ -181,6 +187,12 @@ def __str__(self):
             + self.prescription.consultation.patient.name
         )
 
+    def get_related_consultation(self):
+        return self.prescription.consultation
+
+    def has_object_write_permission(self, request):
+        return ConsultationRelatedPermissionMixin.has_write_permission(request)
+
     def validate(self) -> None:
         if self.prescription.discontinued:
             raise ValidationError(