# PX Source User - Strict Access Control ## Overview PX Source Users have **STRICT LIMITED ACCESS** to the system. They can ONLY access: 1. `/px-sources/*` pages (their dedicated portal) 2. Password change page 3. Basic settings page 4. Logout **ALL other URLs are blocked and redirected to `/px-sources/dashboard/`** --- ## Implementation ### 1. Middleware (`apps/px_sources/middleware.py`) ```python class SourceUserRestrictionMiddleware: """ STRICT middleware that restricts source users to ONLY: 1. /px-sources/* pages 2. Password change 3. Settings 4. Logout """ ALLOWED_PATH_PREFIXES = ['/px-sources/'] ALLOWED_URL_NAMES = { 'accounts:password_change', 'accounts:settings', 'accounts:logout', 'accounts:login', } ``` ### 2. Settings Configuration Added to `config/settings/base.py`: ```python MIDDLEWARE = [ ... 'apps.px_sources.middleware.SourceUserRestrictionMiddleware', ... ] ``` ### 3. View-Level Enforcement Updated views to redirect source users: - `CommandCenterView.dispatch()` - redirects to `/px-sources/dashboard/` - `my_dashboard()` - redirects to `/px-sources/dashboard/` - `@block_source_user` decorator - redirects to `/px-sources/dashboard/` --- ## Allowed URLs for Source Users | URL | Access | Description | |-----|--------|-------------| | `/px-sources/dashboard/` | ✅ | Source User Dashboard | | `/px-sources/complaints/` | ✅ | List their complaints | | `/px-sources/complaints/new/` | ✅ | Create new complaint | | `/px-sources/inquiries/` | ✅ | List their inquiries | | `/px-sources/inquiries/new/` | ✅ | Create new inquiry | | `/accounts/password/change/` | ✅ | Change password | | `/accounts/settings/` | ✅ | Basic settings | | `/accounts/logout/` | ✅ | Logout | | `/static/*` | ✅ | Static files (CSS/JS) | | `/media/*` | ✅ | Media files | | `/i18n/*` | ✅ | Language switching | --- ## Blocked URLs (Redirected to `/px-sources/dashboard/`) | URL | Blocked | Behavior | |-----|---------|----------| | `/` | ✅ | Redirected | | `/dashboard/my/` | ✅ | Redirected | | `/dashboard/admin-evaluation/` | ✅ | Redirected | | `/analytics/*` | ✅ | Redirected | | `/surveys/*` | ✅ | Redirected | | `/complaints/` | ✅ | Redirected | | `/complaints/inquiries/` | ✅ | Redirected | | `/organizations/*` | ✅ | Redirected | | `/config/*` | ✅ | Redirected | | `/actions/*` | ✅ | Redirected | | `/physicians/*` | ✅ | Redirected | | `/px-sources/` (admin pages) | ✅ | Redirected | | `/px-sources/new/` | ✅ | Redirected | | `/px-sources//edit/` | ✅ | Redirected | --- ## Testing ### Test Cases 1. **Login as Source User** - Visit: `/` - Expected: Redirected to `/px-sources/dashboard/` 2. **Try to access Command Center** - Visit: `/dashboard/my/` - Expected: Redirected to `/px-sources/dashboard/` 3. **Try to access Surveys** - Visit: `/surveys/` - Expected: Redirected to `/px-sources/dashboard/` 4. **Try to access Staff** - Visit: `/organizations/staff/` - Expected: Redirected to `/px-sources/dashboard/` 5. **Access Source User Portal** - Visit: `/px-sources/dashboard/` - Expected: ✅ Works! 6. **Access Password Change** - Visit: `/accounts/password/change/` - Expected: ✅ Works! 7. **Create Complaint** - Visit: `/px-sources/complaints/new/` - Expected: ✅ Works! --- ## Security Notes 1. **Middleware runs on EVERY request** - Cannot be bypassed 2. **No error messages** - Silent redirect for better UX 3. **Whitelist approach** - Only explicitly allowed URLs work 4. **Superusers excluded** - Superusers bypass all restrictions 5. **Static files allowed** - Required for CSS/JS to work --- ## Files Modified 1. `apps/px_sources/middleware.py` - Updated `SourceUserRestrictionMiddleware` 2. `config/settings/base.py` - Added middleware to MIDDLEWARE list 3. `apps/dashboard/views.py` - Added redirects in views 4. `apps/core/decorators.py` - Updated `@block_source_user` decorator --- **Last Updated**: 2026-02-25