Fix Patient Workflows and Permissions

docs/changelog.rst

@@ -5,6 +5,7 @@ Changelog
 1.4.0 (unreleased)
 ------------------
 
+- #69 Fix Patient Workflows and Permissions
 - #68 Allow client local patients
 - #66 Fix widget view mode
 - #65 Fix cannot create partitions from samples with Patient assigned

src/senaite/patient/api.py

@@ -25,6 +25,7 @@
 from bika.lims.utils import tmpID
 from dateutil.relativedelta import relativedelta
 from senaite.patient.config import PATIENT_CATALOG
+from senaite.patient.permissions import AddPatient
 from zope.component import getUtility
 from zope.component.interfaces import IFactory
 from zope.event import notify
@@ -155,12 +156,15 @@ def create_temporary_patient():
     return patient
 
 
-def store_temporary_patient(patient):
+def store_temporary_patient(container, patient):
     """Store temporary patient to the patients folder
+
+    :param container: The container where the patient should be stored
+    :param patient: A temporary patient object
     """
-    portal = api.get_portal()
-    container = portal.patients
+    # Notify `ObjectCreateEvent` to generate a UID first
     notify(ObjectCreatedEvent(patient))
+    # set the patient in the container
     container._setObject(patient.id, patient)
     patient = container.get(patient.getId())
     return patient
@@ -333,3 +337,22 @@ def is_patient_allowed_in_client():
     allowed = api.get_registry_record(
         "senaite.patient.allow_patients_in_clients", False)
     return allowed
+
+
+def get_patient_folder():
+    """Returns the global patient folder
+
+    :returns: global patients folder
+    """
+    portal = api.get_portal()
+    return portal.patients
+
+
+def is_patient_creation_allowed(container):
+    """Check if the security context allows to add a new patient
+
+    :param container: The container to check the permission
+    :returns: True if it is allowed to create a patient in the container,
+              otherwise False
+    """
+    return api.security.check_permission(AddPatient, container)

src/senaite/patient/browser/configure.zcml

@@ -17,21 +17,24 @@
       for="senaite.patient.content.patientfolder.IPatientFolder"
       class=".patientfolder.PatientFolderView"
       permission="zope2.View"
+      layer="senaite.patient.interfaces.ISenaitePatientLayer"
       />
 
   <!-- Patient Controlpanel -->
   <browser:page
       name="patient-controlpanel"
       for="Products.CMFPlone.interfaces.IPloneSiteRoot"
       class=".controlpanel.PatientControlPanelView"
-      permission="senaite.core.permissions.ManageBika"
-      layer="senaite.patient.interfaces.ISenaitePatientLayer" />
+      permission="senaite.patient.permissions.ManagePatients"
+      layer="senaite.patient.interfaces.ISenaitePatientLayer"
+      />
 
   <!-- Static directory for js, css and image resources -->
   <plone:static
     directory="static"
     type="plone"
-    name="senaite.patient.static" />
+    name="senaite.patient.static"
+    />
 
   <!-- Static Resources Viewlet -->
   <browser:viewlet
@@ -40,6 +43,7 @@
     class="senaite.core.browser.viewlets.resources.ResourcesViewlet"
     permission="zope2.View"
     template="./static/resources.pt"
-    layer="senaite.patient.interfaces.ISenaitePatientLayer" />
+    layer="senaite.patient.interfaces.ISenaitePatientLayer"
+    />
 
 </configure>

src/senaite/patient/browser/patientfolder.py

@@ -30,6 +30,7 @@
 from senaite.patient.api import to_identifier_type_name
 from senaite.patient.api import tuplify_identifiers
 from senaite.patient.catalog import PATIENT_CATALOG
+from senaite.patient.permissions import AddPatient
 
 
 class PatientFolderView(ListingView):
@@ -57,7 +58,7 @@ def __init__(self, context, request):
         self.context_actions = {
             _("Add"): {
                 "url": "++add++Patient",
-                "permission": "Add portal content",
+                "permission": AddPatient,
                 "icon": "++resource++bika.lims.images/add.png"}
             }
 

src/senaite/patient/configure.zcml

@@ -85,6 +85,7 @@
     description="Run various configuration actions"
     handler=".setuphandlers.setup_handler">
     <depends name="typeinfo"/>
+    <depends name="workflow"/>
   </genericsetup:importStep>
 
   <!-- Uninstall profile -->

src/senaite/patient/permissions.py

@@ -18,10 +18,13 @@
 # Copyright 2020-2022 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
-ManagePatients = "senaite.patient: Manage Patients"
-
-AddPatientFolder = "senaite.patient: Add PatientFolder"
+# Add permission for our custom content types.
+# Slso see `initialize` function in `__init__.py`
 AddPatient = "senaite.patient: Add Patient"
+AddPatientFolder = "senaite.patient: Add PatientFolder"
+
+# Permission that governs the control panel view
+ManagePatients = "senaite.patient: Manage Patients"
 
 # Transition permissions
 TransitionActivate = "senaite.patient: Transition: Activate"

src/senaite/patient/permissions.zcml

@@ -4,9 +4,9 @@
 
   <permission id="senaite.patient.permissions.ManagePatients" title="senaite.patient: Manage Patients"/>
 
-  <!-- Content permissions -->
-  <permission id="senaite.patient.permissions.AddPatientFolder" title="senaite.patient: Add Patient Folder"/>
+  <!-- Add content permissions -->
   <permission id="senaite.patient.permissions.AddPatient" title="senaite.patient: Add Patient"/>
+  <permission id="senaite.patient.permissions.AddPatientFolder" title="senaite.patient: Add Patient Folder"/>
 
   <!-- Transition permissions -->
   <permission id="senaite.patient.permissions.TransitionActivate" title="senaite.patient: Transition: Activate"/>

src/senaite/patient/profiles/default/metadata.xml

@@ -1,14 +1,6 @@
 <?xml version="1.0"?>
-<!-- This file contains add-on dependency and version information. Is read
-  during Plone start-up and is required to be present and well-formatted for the
-  add-on to appear in the installer control panel.
-  If dependencies are defined, "portal_setup" installs the profiles listed as
-  dependencies before installing this add-on own profile.
--->
 <metadata>
-  <version>1407</version>
-
-  <!-- Be sure to install the following dependencies if not yet installed -->
+  <version>1408</version>
   <dependencies>
     <dependency>profile-senaite.lims:default</dependency>
   </dependencies>

src/senaite/patient/profiles/default/rolemap.xml

@@ -17,17 +17,24 @@
       <role name="LabClerk"/>
       <role name="LabManager"/>
       <role name="Manager"/>
+      <!-- for client local patients -->
+      <role name="Owner"/>
     </permission>
 
     <!-- Transition permissions -->
     <permission name="senaite.patient: Transition: Activate" acquire="False">
-      <role name="LabManager"/>
       <role name="LabClerk"/>
+      <role name="LabManager"/>
       <role name="Manager"/>
+      <!-- for client local patients -->
+      <role name="Owner"/>
     </permission>
     <permission name="senaite.patient: Transition: Deactivate" acquire="False">
+      <role name="LabClerk"/>
       <role name="LabManager"/>
       <role name="Manager"/>
+      <!-- for client local patients -->
+      <role name="Owner"/>
     </permission>
 
     <!-- Permissions for Sample fields

src/senaite/patient/profiles/default/workflows/senaite_patient_folder_workflow/definition.xml

@@ -8,77 +8,68 @@
              manager_bypass="False"
              i18n:domain="senaite.patient">
 
-  <!-- PLONE permissions -->
+  <!-- MANAGED PERMISSIONS -->
   <permission>Add portal content</permission>
   <permission>Access contents information</permission>
   <permission>Delete objects</permission>
   <permission>List folder contents</permission>
   <permission>Modify portal content</permission>
   <permission>View</permission>
+  <!-- Custom Add permission to create Patients in this folder
+       Also see `initialize` function in `__init__.py`
+  -->
+  <permission>senaite.patient: Add Patient</permission>
+  <!-- /MANAGED PERMISSIONS -->
 
-  <!-- State: active -->
+
+  <!-- State: active (initial) -->
   <state state_id="active" title="Active" i18n:attributes="title">
+
+    <!-- TRANSITIONS -->
     <exit-transition transition_id="" />
+    <!-- /TRANSITIONS -->
+
+    <!-- PERMISSION MAPPINGS -->
+    <!-- This permission governs if the patients folder should appear in searches -->
     <permission-map name="Access contents information" acquired="False">
-      <!-- All except Anonymous and Client -->
-      <permission-role>Analyst</permission-role>
-      <permission-role>ClientGuest</permission-role>
       <permission-role>LabClerk</permission-role>
       <permission-role>LabManager</permission-role>
-      <permission-role>Preserver</permission-role>
-      <permission-role>RegulatoryInspector</permission-role>
-      <permission-role>Sampler</permission-role>
-      <permission-role>SamplingCoordinator</permission-role>
-      <!-- Plone roles -->
       <permission-role>Manager</permission-role>
-      <permission-role>Owner</permission-role>
-      <permission-role>Site Administrator</permission-role>
     </permission-map>
-    <permission-map name="Delete objects" acquired="False" />
-    <permission-map name="List folder contents" acquired="False">
-      <!-- All except Anonymous and Client -->
-      <permission-role>Analyst</permission-role>
-      <permission-role>ClientGuest</permission-role>
+    <!-- Roles needed to add other contents inside the patients folder.
+         Not needed at the moment, but we use the default roles -->
+    <permission-map name="Add portal content" acquired="False">
       <permission-role>LabClerk</permission-role>
       <permission-role>LabManager</permission-role>
-      <permission-role>Preserver</permission-role>
-      <permission-role>RegulatoryInspector</permission-role>
-      <permission-role>Sampler</permission-role>
-      <permission-role>SamplingCoordinator</permission-role>
-      <!-- Plone roles -->
       <permission-role>Manager</permission-role>
-      <permission-role>Site Administrator</permission-role>
     </permission-map>
-    <permission-map name="Add portal content" acquired="False">
-      <permission-role>Client</permission-role>
+    <!-- Roles that are needed to create a new Patient -->
+    <permission-map name="senaite.patient: Add Patient" acquired="False">
       <permission-role>LabClerk</permission-role>
       <permission-role>LabManager</permission-role>
-      <!-- Plone roles -->
       <permission-role>Manager</permission-role>
     </permission-map>
-    <permission-map name="Modify portal content" acquired="False">
+    <!-- Never allow to delete contents -->
+    <permission-map name="Delete objects" acquired="False">
+    </permission-map>
+    <!-- Roles needed to list all patients -->
+    <permission-map name="List folder contents" acquired="False">
       <permission-role>LabClerk</permission-role>
       <permission-role>LabManager</permission-role>
-      <!-- Plone roles -->
       <permission-role>Manager</permission-role>
-      <permission-role>Owner</permission-role>
     </permission-map>
+    <!-- Only the Manager can modify the folder -->
+    <permission-map name="Modify portal content" acquired="False">
+      <permission-role>Manager</permission-role>
+    </permission-map>
+    <!-- Roles that are needed to see the patients folder / that it appears in
+         the side navigation bar -->
     <permission-map name="View" acquired="False">
-      <!-- All except Anonymous -->
-      <permission-role>Analyst</permission-role>
-      <permission-role>Client</permission-role>
-      <permission-role>ClientGuest</permission-role>
       <permission-role>LabClerk</permission-role>
       <permission-role>LabManager</permission-role>
-      <permission-role>Preserver</permission-role>
-      <permission-role>RegulatoryInspector</permission-role>
-      <permission-role>Sampler</permission-role>
-      <permission-role>SamplingCoordinator</permission-role>
-      <!-- Plone roles -->
       <permission-role>Manager</permission-role>
-      <permission-role>Owner</permission-role>
-      <permission-role>Site Administrator</permission-role>
     </permission-map>
+    <!-- /PERMISSION MAPPINGS -->
   </state>
 
   <variable variable_id="action" for_catalog="False" for_status="True" update_always="True">