Fix permision issues

Author: vigneshhari

care/emr/api/viewsets/notes.py

@@ -42,6 +42,15 @@ def get_patient(self):
             Patient, external_id=self.kwargs["patient_external_id"]
         )
 
+    def authorize_create(self, instance):
+        pass
+
+    def authorize_update(self, request_obj, model_instance):
+        pass
+
+    def authorize_delete(self, instance):
+        pass
+
     def perform_create(self, instance):
         instance.patient = self.get_patient()
         if instance.encounter and instance.encounter.patient != instance.patient:

care/emr/api/viewsets/patient.py

@@ -36,7 +36,22 @@ class PatientViewSet(EMRModelViewSet):
     filterset_class = PatientFilters
     filter_backends = [DjangoFilterBackend]
 
-    # TODO : Retrieve will work if an active encounter exists on the patient
+    def authorize_update(self, request_obj, model_instance):
+        if not AuthorizationController.call(
+            "can_write_patient_obj", self.request.user , model_instance
+        ):
+            raise PermissionDenied("Cannot Create Patient")
+
+
+    def authorize_create(self, request_obj):
+        if not AuthorizationController.call(
+            "can_create_patient", self.request.user
+        ):
+            raise PermissionDenied("Cannot Create Patient")
+
+    def authorize_delete(self, instance):
+        if not self.request.user.is_superuser:
+            raise PermissionDenied("Cannot delete patient")
 
     def get_queryset(self):
         qs = (
@@ -121,6 +136,7 @@ def add_user(self, request, *args, **kwargs):
         user = get_object_or_404(User, external_id=request_data.user)
         role = get_object_or_404(RoleModel, external_id=request_data.role)
         patient = self.get_object()
+        self.authorize_update({}, patient)
         if PatientUser.objects.filter(user=user, patient=patient).exists():
             raise ValidationError("User already exists")
         PatientUser.objects.create(user=user, patient=patient, role=role)
@@ -134,6 +150,7 @@ def delete_user(self, request, *args, **kwargs):
         request_data = self.PatientUserDeleteSpec(**self.request.data)
         user = get_object_or_404(User, external_id=request_data.user)
         patient = self.get_object()
+        self.authorize_update({}, patient)
         if not PatientUser.objects.filter(user=user, patient=patient).exists():
             raise ValidationError("User does not exist")
         PatientUser.objects.filter(user=user, patient=patient).delete()

care/emr/resources/facility/spec.py

@@ -20,8 +20,8 @@ class FacilityBareMinimumSpec(EMRResource):
 
 class FacilityBaseSpec(FacilityBareMinimumSpec):
     description: str
-    longitude: float
-    latitude: float
+    longitude: float | None = None
+    latitude: float | None = None
     pincode: int
     address: str
     phone_number: str

care/security/authorization/patient.py

@@ -35,6 +35,8 @@ def find_roles_on_patient(self, user, patient):
         )
         return role_ids.union(set(roles))
 
+
+
     def can_view_patient_obj(self, user, patient):
         if user.is_superuser:
             return True
@@ -53,6 +55,13 @@ def can_write_patient_obj(self, user, patient):
             role__in=user_roles,
         ).exists()
 
+    def can_create_patient(self, user):
+        return self.check_permission_in_facility_organization(
+            [PatientPermissions.can_create_patient.name],
+            user
+        )
+
+
     def can_view_clinical_data(self, user, patient):
         if user.is_superuser:
             return True

care/security/permissions/facility.py

@@ -13,7 +13,7 @@
 
 class FacilityPermissions(enum.Enum):
     can_create_facility = Permission(
-        "Can Read on Facility",
+        "Can Create on Facility",
         "Something Here",
         PermissionContext.FACILITY,
         [GEO_ADMIN, ADMIN_ROLE],