From 8e7a5bb66650c36dab5b50664f3dcb2ffc6ba6bb Mon Sep 17 00:00:00 2001
From: Rithvik Nishad
Date: Tue, 5 Mar 2024 18:05:48 +0530
Subject: [PATCH] Adds authz for Prescription & Medicine Administrations (#1704)

* Adds authz for Prescription & MAR fixes #1695
* adds missing `DRYPermissions` in viewsets
* fix missing object write permission
---------
Co-authored-by: Vignesh Hari
Co-authored-by: Aakash Singh
---
 care/facility/api/viewsets/prescription.py | 5 +++--
 care/facility/models/prescription.py | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/care/facility/api/viewsets/prescription.py b/care/facility/api/viewsets/prescription.py
index e31359ac85..779287ef7d 100644
--- a/care/facility/api/viewsets/prescription.py
+++ b/care/facility/api/viewsets/prescription.py
@@ -2,6 +2,7 @@
 from django.utils import timezone
 from django_filters import rest_framework as filters
 from drf_spectacular.utils import extend_schema
+from dry_rest_permissions.generics import DRYPermissions
 from redis_om import FindQuery
 from rest_framework import mixins, status
 from rest_framework.decorators import action
@@ -50,7 +51,7 @@ class MedicineAdministrationViewSet(
 mixins.ListModelMixin, mixins.RetrieveModelMixin, GenericViewSet
 ):
 serializer_class = MedicineAdministrationSerializer
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, DRYPermissions)
 queryset = MedicineAdministration.objects.all().order_by("-created_date")
 lookup_field = "external_id"
 filter_backends = (filters.DjangoFilterBackend,)
@@ -94,7 +95,7 @@ class ConsultationPrescriptionViewSet(
 GenericViewSet,
 ):
 serializer_class = PrescriptionSerializer
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, DRYPermissions)
 queryset = Prescription.objects.all().order_by("-created_date")
 lookup_field = "external_id"
 filter_backends = (filters.DjangoFilterBackend,)
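Review bot: Adding `DRYPermissions` to `permission_classes` on `ConsultationPrescriptionViewSet` gates `list` only with the mixin's global `has_read_permission`; the object-level hooks run solely where DRF calls `get_object()` (`retrieve` and `detail=True` actions), so with `queryset = Prescription.objects.all()` the list endpoint still returns every prescription in the system unless `get_queryset` narrows it to consultations the requester may access — that override is outside this hunk, so please confirm it exists. The same holds for `MedicineAdministrationViewSet` in the previous hunk, whose `queryset` is likewise unscoped `objects.all()`. Any `detail=False` `@action` on either viewset is also covered only by the global check. A comment next to `permission_classes`, e.g. `# DRYPermissions: global has_*_permission runs on every action; object checks only through get_object() — list scoping must live in get_queryset`, would make that contract explicit. Both class bodies continue outside the hunk.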
diff --git a/care/facility/models/prescription.py b/care/facility/models/prescription.py
index d7f70521a1..5c34ab0e18 100644
--- a/care/facility/models/prescription.py
+++ b/care/facility/models/prescription.py
@@ -5,6 +5,9 @@
 from django.db.models import JSONField
 from django.utils import timezone
+from care.facility.models.mixins.permissions.patient import (
+ ConsultationRelatedPermissionMixin,
+)
 from care.facility.models.patient_consultation import PatientConsultation
 from care.utils.models.base import BaseModel
 from care.utils.models.validators import dosage_validator
@@ -73,7 +76,7 @@ def __str__(self):
 return " - ".join(filter(None, [self.name, self.generic, self.company]))
-class Prescription(BaseModel):
+class Prescription(BaseModel, ConsultationRelatedPermissionMixin):
 consultation = models.ForeignKey(
 PatientConsultation,
 on_delete=models.PROTECT,
@@ -148,11 +151,14 @@ def save(self, *args, **kwargs) -> None:
 def medicine_name(self):
 return str(self.medicine) if self.medicine else self.medicine_old
+ def has_object_write_permission(self, request):
+ return ConsultationRelatedPermissionMixin.has_write_permission(request)
+
 def __str__(self):
 return self.medicine + " - " + self.consultation.patient.name
-class MedicineAdministration(BaseModel):
+class MedicineAdministration(BaseModel, ConsultationRelatedPermissionMixin):
 prescription = models.ForeignKey(
 Prescription,
 on_delete=models.PROTECT,
@@ -181,6 +187,12 @@ def __str__(self):
 + self.prescription.consultation.patient.name
 )
+ def get_related_consultation(self):
+ return self.prescription.consultation
+
+ def has_object_write_permission(self, request):
+ return ConsultationRelatedPermissionMixin.has_write_permission(request)
+
 def validate(self) -> None:
 if self.prescription.discontinued:
 raise ValidationError(
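Review bot: Style: `ConsultationRelatedPermissionMixin` is placed after `BaseModel` in the new `Prescription` bases, so any `has_*_permission` name that `BaseModel` or `models.Model` happened to define would win the MRO over the mixin's; the conventional order puts mixins first, `class Prescription(ConsultationRelatedPermissionMixin, BaseModel):`. Whether `BaseModel` defines such names is not visible here, so this is a precaution rather than a known shadowing. The class body continues outside the hunk.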
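Review bot: `Prescription.has_object_write_permission` never consults `self`, so the per-object write check collapses to the global `has_write_permission(request)` and any user who clears that role check can modify a prescription on any consultation, including ones in facilities they have no relation to — object-level authz for writes is effectively not enforced by this hunk. DRY permissions calls the object hook precisely so the model can inspect the instance; the check should also verify the requester's access to `self.consultation`, e.g. `return self.has_object_read_permission(request) and ConsultationRelatedPermissionMixin.has_write_permission(request)` if the mixin provides an object-read check built on the consultation (not visible here — confirm), or otherwise compare the requester's facility/role against it directly. The unbound call also assumes `has_write_permission` is a `@staticmethod` on the mixin, which cannot be verified from the hunk. `save` and the rest of the class sit outside the hunk.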
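Review bot: `MedicineAdministration.has_object_write_permission` has the same gap as the `Prescription` hook: it returns the global `has_write_permission(request)` without looking at `self`, even though the hunk adds `get_related_consultation()` directly above it, so the prescription's consultation is available but never used for the write decision. Tie the object check to it, e.g. `return self.has_object_read_permission(request) and ConsultationRelatedPermissionMixin.has_write_permission(request)` where the mixin's object-read check is presumably built on `get_related_consultation()` (confirm against the mixin), or else check the requester's facility/role against `self.get_related_consultation()` explicitly. `MedicineAdministrationViewSet` in the viewsets hunk is list/retrieve only, so this hook presumably takes effect through whichever endpoint creates or edits administrations; it is worth confirming that path also applies DRY object permissions. `validate` continues outside the hunk.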