Add nurse user type

care/facility/api/viewsets/bed.py

@@ -59,6 +59,20 @@
     search_fields = ["name"]
     filterset_class = BedFilter
 
+    def get_queryset(self):
+        user = self.request.user
+        queryset = self.queryset
+        if user.is_superuser:
+            pass
+        elif user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
+            queryset = queryset.filter(facility__state=user.state)
+        elif user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
+            queryset = queryset.filter(facility__district=user.district)
+        else:
+            allowed_facilities = get_accessible_facilities(user)
+            queryset = queryset.filter(facility__id__in=allowed_facilities)
+        return queryset
+
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
@@ -83,20 +97,6 @@
             serializer.data, status=status.HTTP_201_CREATED, headers=headers
         )
 
-    def get_queryset(self):
-        user = self.request.user
-        queryset = self.queryset
-        if user.is_superuser:
-            pass
-        elif user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
-            queryset = queryset.filter(facility__state=user.state)
-        elif user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
-            queryset = queryset.filter(facility__district=user.district)
-        else:
-            allowed_facilities = get_accessible_facilities(user)
-            queryset = queryset.filter(facility__id__in=allowed_facilities)
-        return queryset
-
     def destroy(self, request, *args, **kwargs):
         if request.user.user_type < User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
             raise PermissionDenied()

care/facility/api/viewsets/file_upload.py

@@ -1,5 +1,5 @@
 from django_filters import rest_framework as filters
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.mixins import (
     CreateModelMixin,
     DestroyModelMixin,
@@ -18,6 +18,7 @@
     check_permissions,
 )
 from care.facility.models.file_upload import FileUpload
+from care.users.models import User
 
 
 class FileUploadFilter(filters.FilterSet):
@@ -54,6 +55,16 @@
     def get_queryset(self):
         if "file_type" not in self.request.GET:
             raise ValidationError({"file_type": "file_type missing in request params"})
+
+        if self.request.user.user_type in (
+            User.TYPE_VALUE_MAP["StaffReadOnly"],
+            User.TYPE_VALUE_MAP["Staff"],
+        ) and self.request.query_params.get("file_type") in (
+            "PATIENT",
+            "CONSULTATION",
+        ):
+            raise PermissionDenied()
+
         if "associating_id" not in self.request.GET:
             raise ValidationError(
                 {"associating_id": "associating_id missing in request params"}

care/facility/api/viewsets/hospital_doctor.py

@@ -7,6 +7,7 @@
 from care.facility.api.viewsets import FacilityBaseViewset
 from care.facility.models import Facility, HospitalDoctors
 from care.users.models import User
+from care.utils.cache.cache_allowed_facilities import get_accessible_facilities
 
 
 class HospitalDoctorViewSet(FacilityBaseViewset, ListModelMixin):
@@ -24,12 +25,15 @@
             facility__external_id=self.kwargs.get("facility_external_id")
         )
         if user.is_superuser:
-            return queryset
+            pass
         elif self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:
-            return queryset.filter(facility__state=user.state)
+            queryset = queryset.filter(facility__state=user.state)
         elif self.request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]:
-            return queryset.filter(facility__district=user.district)
-        return queryset.filter(facility__users__id__exact=user.id)
+            queryset = queryset.filter(facility__district=user.district)
+        else:
+            allowed_facilities = get_accessible_facilities(user)
+            queryset = queryset.filter(facility__id__in=allowed_facilities)
+        return queryset
 
     def get_object(self):
         return get_object_or_404(self.get_queryset(), area=self.kwargs.get("pk"))

care/facility/api/viewsets/notification.py

@@ -3,7 +3,7 @@
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework import status
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.generics import get_object_or_404
 from rest_framework.mixins import ListModelMixin, RetrieveModelMixin, UpdateModelMixin
 from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly
@@ -13,6 +13,7 @@
 
 from care.facility.api.serializers.notification import NotificationSerializer
 from care.facility.models.notification import Notification
+from care.users.models import User
 from care.utils.filters.choicefilter import CareChoiceFilter, inverse_choices
 from care.utils.notification_handler import NotificationGenerator
 from care.utils.queryset.facility import get_facility_queryset
@@ -67,6 +68,8 @@
     @action(detail=False, methods=["POST"])
     def notify(self, request, *args, **kwargs):
         user = request.user
+        if user.user_type < User.TYPE_VALUE_MAP["Doctor"]:
+            raise PermissionDenied()
         if "facility" not in request.data or request.data["facility"] == "":
             raise ValidationError({"facility": "is required"})
         if "message" not in request.data or request.data["message"] == "":

care/facility/api/viewsets/patient_external_test.py

@@ -83,6 +83,12 @@
     parser_classes = (MultiPartParser, FormParser, JSONParser)
 
     def get_queryset(self):
+        if self.request.user.user_type in (
+            User.TYPE_VALUE_MAP["StaffReadOnly"],
+            User.TYPE_VALUE_MAP["Staff"],
+        ):
+            return PermissionDenied()
+
         queryset = self.queryset
         if not self.request.user.is_superuser:
             if self.request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]:

care/facility/api/viewsets/patient_sample.py

@@ -6,7 +6,7 @@
 from dry_rest_permissions.generics import DRYPermissionFiltersBase, DRYPermissions
 from rest_framework import mixins, viewsets
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
@@ -117,6 +117,12 @@
         - district - District ID
         - district_name - District name - case insensitive match
         """
+        if (
+            not self.kwargs.get("patient_external_id")
+            and request.user.user_type < User.TYPE_VALUE_MAP["Doctor"]
+        ):
+            raise PermissionDenied()
+
         if settings.CSV_REQUEST_PARAMETER in request.GET:
             queryset = self.filter_queryset(self.get_queryset()).values(
                 *PatientSample.CSV_MAPPING.keys()

care/facility/api/viewsets/shifting.py

@@ -197,7 +197,7 @@ class ShifitngRequestCommentViewSet(
     lookup_field = "external_id"
     queryset = ShiftingRequestComment.objects.all().order_by("-created_date")
 
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, DRYPermissions)
 
     def get_queryset(self):
         queryset = self.queryset.filter(

care/facility/migrations/0001_initial_squashed.py

@@ -825,7 +825,7 @@ class Migration(migrations.Migration):
             },
             bases=(
                 models.Model,
-                care.facility.models.mixins.permissions.asset.AssetsPermissionMixin,
+                # care.facility.models.mixins.permissions.asset.AssetsPermissionMixin,
             ),
         ),
         migrations.CreateModel(

care/facility/models/asset.py

@@ -7,7 +7,9 @@
 from care.facility.models import reverse_choices
 from care.facility.models.facility import Facility
 from care.facility.models.json_schema.asset import ASSET_META
-from care.facility.models.mixins.permissions.asset import AssetsPermissionMixin
+from care.facility.models.mixins.permissions.facility import (
+    FacilityRelatedPermissionMixin,
+)
 from care.users.models import User
 from care.utils.assetintegration.asset_classes import AssetClasses
 from care.utils.models.base import BaseModel
@@ -25,7 +27,7 @@ class AvailabilityStatus(models.TextChoices):
     UNDER_MAINTENANCE = "Under Maintenance"
 
 
-class AssetLocation(BaseModel, AssetsPermissionMixin):
+class AssetLocation(BaseModel, FacilityRelatedPermissionMixin):
     """
     This model is also used to store rooms that the assets are in, Since these rooms are mapped to
     actual rooms in the hospital, Beds are also connected to this model to remove duplication of efforts

care/facility/models/base.py

@@ -1,12 +1,5 @@
-from care.users.models import User
 from care.utils.models.base import BaseModel
 
-READ_ONLY_USER_TYPES = [
-    User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"],
-    User.TYPE_VALUE_MAP["StateReadOnlyAdmin"],
-    User.TYPE_VALUE_MAP["StaffReadOnly"],
-]
-
 
 def pretty_boolean(val, a="YES", b="NO", c="Not Specified"):
     if val is None:

care/facility/models/daily_round.py

@@ -519,19 +519,11 @@
 
         super(DailyRound, self).save(*args, **kwargs)
 
-    @staticmethod
-    def has_write_permission(request):
-        if "/analyse" not in request.get_full_path():
-            if (
-                request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-                or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-                or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-            ):
-                return False
-        return DailyRound.has_read_permission(request)
-
     @staticmethod
     def has_read_permission(request):
+        if request.user.user_type < User.TYPE_VALUE_MAP["NurseReadOnly"]:
+            return False
+
         consultation = get_object_or_404(
             PatientConsultation,
             external_id=request.parser_context["kwargs"]["consultation_external_id"],
@@ -552,7 +544,21 @@
             )
         )
 
+    @staticmethod
+    def has_write_permission(request):
+        return (
+            request.user.user_type not in User.READ_ONLY_TYPES
+            and DailyRound.has_read_permission(request)
+        )
+
+    @staticmethod
+    def has_analyse_permission(request):
+        return DailyRound.has_read_permission(request)
+
     def has_object_read_permission(self, request):
+        if request.user.user_type < User.TYPE_VALUE_MAP["NurseReadOnly"]:
+            return False
+
         return (
             request.user.is_superuser
             or (
@@ -582,38 +588,9 @@
         )
 
     def has_object_write_permission(self, request):
-        if (
-            request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-        ):
-            return False
         return (
-            request.user.is_superuser
-            or (
-                self.consultation.patient.facility
-                and self.consultation.patient.facility == request.user.home_facility
-            )
-            or (
-                self.consultation.assigned_to == request.user
-                or request.user == self.consultation.patient.assigned_to
-            )
-            or (
-                request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]
-                and (
-                    self.consultation.patient.facility
-                    and request.user.district
-                    == self.consultation.patient.facility.district
-                )
-            )
-            or (
-                request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]
-                and (
-                    self.consultation.patient.facility
-                    and request.user.state
-                    == self.consultation.patient.facility.district
-                )
-            )
+            request.user.user_type not in User.READ_ONLY_TYPES
+            and self.has_object_read_permission(request)
         )
 
     def has_object_asset_read_permission(self, request):

care/facility/models/mixins/permissions/asset.py

@@ -1,8 +1,5 @@
 from dry_rest_permissions.generics import DRYPermissions
 
-from care.facility.models.mixins.permissions.base import BasePermissionMixin
-from care.users.models import User
-
 
 class IsAssetUser:
     def has_permission(self, request, view):
@@ -23,24 +20,3 @@ class DRYAssetPermissions(DRYPermissions):
 
     def _get_action(self, action):
         return f"asset_{super()._get_action(action)}"
-
-
-class AssetsPermissionMixin(BasePermissionMixin):
-    def has_object_read_permission(self, request):
-        return True
-
-    def has_object_write_permission(self, request):
-        if (
-            request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-        ):
-            return False
-
-        return True
-
-    def has_object_update_permission(self, request):
-        return self.has_object_write_permission(request)
-
-    def has_object_destroy_permission(self, request):
-        return self.has_object_write_permission(request)

care/facility/models/mixins/permissions/base.py

@@ -8,11 +8,7 @@ def has_read_permission(request):
 
     @staticmethod
     def has_write_permission(request):
-        if (
-            request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-        ):
+        if request.user.user_type in User.READ_ONLY_TYPES:
             return False
         return (
             request.user.is_superuser
@@ -36,11 +32,7 @@ def has_object_read_permission(self, request):
         )
 
     def has_object_update_permission(self, request):
-        if (
-            request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-        ):
+        if request.user.user_type in User.READ_ONLY_TYPES:
             return False
         return (request.user.is_superuser) or (
             (hasattr(self, "created_by") and request.user == self.created_by)
@@ -57,11 +49,7 @@ def has_object_update_permission(self, request):
         )
 
     def has_object_destroy_permission(self, request):
-        if (
-            request.user.user_type == User.TYPE_VALUE_MAP["DistrictReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StateReadOnlyAdmin"]
-            or request.user.user_type == User.TYPE_VALUE_MAP["StaffReadOnly"]
-        ):
+        if request.user.user_type in User.READ_ONLY_TYPES:
             return False
         return request.user.is_superuser or (
             hasattr(self, "created_by") and request.user == self.created_by