""" Services for Staff management """ import secrets import string from django.contrib.auth import get_user_model from django.template.loader import render_to_string from django.conf import settings from django.urls import reverse from django.utils import timezone from apps.core.services import AuditService from apps.notifications.services import NotificationService User = get_user_model() class StaffService: """Service for managing staff user accounts""" @staticmethod def generate_username(staff): """ Generate a unique username from staff name. Format: first.last (lowercase) If duplicate exists, append number. """ base_username = f"{staff.first_name.lower()}.{staff.last_name.lower()}" username = base_username counter = 1 # Ensure uniqueness while User.objects.filter(username=username).exists(): username = f"{base_username}{counter}" counter += 1 return username @staticmethod def generate_password(length=12): """ Generate a secure random password. """ alphabet = string.ascii_letters + string.digits + string.punctuation password = ''.join(secrets.choice(alphabet) for _ in range(length)) return password @staticmethod def create_user_for_staff(staff, role='staff', request=None): """ Create a User account for a Staff member. If a user with the same email already exists, link it to the staff member instead. Args: staff: Staff instance role: Role name to assign (default: 'staff') request: HTTP request for audit logging Returns: tuple: (User instance, was_created: bool, password: str or None) - was_created is True if a new user was created - was_created is False if an existing user was linked - password is the generated password for new users, None for linked users Raises: ValueError: If staff already has a user account or has no email """ if staff.user: raise ValueError("Staff member already has a user account") # Generate email (required for authentication) if not staff.email: raise ValueError("Staff member must have an email address") # Check if user with this email already exists existing_user = User.objects.filter(email=staff.email).first() if existing_user: # Link existing user to staff staff.user = existing_user staff.save(update_fields=['user']) # Update user's organization data if not set if not existing_user.hospital: existing_user.hospital = staff.hospital if not existing_user.department: existing_user.department = staff.department if not existing_user.employee_id: existing_user.employee_id = staff.employee_id existing_user.save(update_fields=['hospital', 'department', 'employee_id']) # Assign role if not already assigned from apps.accounts.models import Role as RoleModel try: role_obj = RoleModel.objects.get(name=role) if not existing_user.groups.filter(id=role_obj.group.id).exists(): existing_user.groups.add(role_obj.group) except RoleModel.DoesNotExist: pass # Log the action if request: AuditService.log_from_request( event_type='other', description=f"Existing user account linked to staff member {staff.get_full_name()}", request=request, content_object=existing_user, metadata={ 'staff_id': str(staff.id), 'staff_name': staff.get_full_name(), 'user_id': str(existing_user.id), 'action': 'linked_existing_user' } ) return existing_user, False, None # Existing user was linked, no password # Create new user account # Generate username (optional, for backward compatibility) username = StaffService.generate_username(staff) password = StaffService.generate_password() # Create user - email is now the username field # Note: create_user() already hashes the password, so no need to call set_password() separately user = User.objects.create_user( email=staff.email, password=password, first_name=staff.first_name, last_name=staff.last_name, username=username, # Optional field employee_id=staff.employee_id, hospital=staff.hospital, department=staff.department, is_active=True, is_provisional=False ) # Assign role from apps.accounts.models import Role as RoleModel try: role_obj = RoleModel.objects.get(name=role) user.groups.add(role_obj.group) except RoleModel.DoesNotExist: pass # Link to staff staff.user = user staff.save(update_fields=['user']) # Log the action if request: AuditService.log_from_request( event_type='user_creation', description=f"User account created for staff member {staff.get_full_name()}", request=request, content_object=user, metadata={ 'staff_id': str(staff.id), 'staff_name': staff.get_full_name(), 'role': role, 'action': 'created_new_user' } ) return user, True, password # New user was created with password @staticmethod def link_user_to_staff(staff, user_id, request=None): """ Link an existing User account to a Staff member. Args: staff: Staff instance user_id: UUID of the user to link request: HTTP request for audit logging Returns: Staff: Updated staff instance Raises: ValueError: If staff already has a user account or user not found """ if staff.user: raise ValueError("Staff member already has a user account") try: user = User.objects.get(id=user_id) except User.DoesNotExist: raise ValueError("User not found") # Link to staff staff.user = user staff.save(update_fields=['user']) # Update user's organization data if not user.hospital: user.hospital = staff.hospital if not user.department: user.department = staff.department if not user.employee_id: user.employee_id = staff.employee_id user.save(update_fields=['hospital', 'department', 'employee_id']) # Log the action if request: AuditService.log_from_request( event_type='other', description=f"User {user.email} linked to staff member {staff.get_full_name()}", request=request, content_object=staff, metadata={'user_id': str(user.id)} ) return staff @staticmethod def unlink_user_from_staff(staff, request=None): """ Remove User account association from a Staff member. Args: staff: Staff instance request: HTTP request for audit logging Returns: Staff: Updated staff instance Raises: ValueError: If staff has no user account """ if not staff.user: raise ValueError("Staff member has no user account") user = staff.user staff.user = None staff.save(update_fields=['user']) # Log the action if request: AuditService.log_from_request( event_type='other', description=f"User {user.email} unlinked from staff member {staff.get_full_name()}", request=request, content_object=staff, metadata={'user_id': str(user.id)} ) return staff @staticmethod def send_credentials_email(staff, password, request=None): """ Send login credentials email to staff member using NotificationService. Args: staff: Staff instance password: Generated password request: HTTP request for building absolute URLs (optional) """ if not staff.email: raise ValueError("Staff member has no email address") user = staff.user if not user: raise ValueError("Staff member has no user account") # Build login URL if request: login_url = request.build_absolute_uri(reverse('accounts:login')) else: from django.contrib.sites.models import Site try: site = Site.objects.get_current() login_url = f"https://{site.domain}{reverse('accounts:login')}" except: login_url = settings.LOGIN_URL or '/accounts/login/' # Render email content context = { 'staff': staff, 'user': user, 'password': password, 'login_url': login_url, } subject = "Your PX360 Account Credentials" html_message = render_to_string('organizations/emails/staff_credentials.html', context) # Create plain text version plain_message = f"""Welcome to PX360! Dear {staff.get_full_name()}, Your PX360 account has been created successfully. Below are your login credentials: Username: {user.username} Password: {password} Email: {staff.email} Login URL: {login_url} Security Notice: Please change your password after your first login for security purposes. If you have any questions or need assistance, please contact your system administrator. Best regards, The PX360 Team """ # Send email using NotificationService notification_log = NotificationService.send_email( email=staff.email, subject=subject, message=plain_message, html_message=html_message, related_object=staff, metadata={ 'notification_type': 'staff_credentials', 'staff_id': str(staff.id), 'user_id': str(user.id), 'username': user.username } ) # Log the action if request: AuditService.log_from_request( event_type='other', description=f"Credentials email sent to {staff.email} for staff member {staff.get_full_name()}", request=request, content_object=staff, metadata={ 'notification_log_id': str(notification_log.id) if notification_log else None } ) return notification_log @staticmethod def reset_password_and_resend_credentials(staff, request=None): """ Reset user password and resend credentials email. Args: staff: Staff instance request: HTTP request for building absolute URLs and audit logging Returns: tuple: (new_password: str, notification_log: NotificationLog) Raises: ValueError: If staff has no user account or no email """ if not staff.user: raise ValueError("Staff member has no user account") if not staff.email: raise ValueError("Staff member has no email address") # Generate new password new_password = StaffService.generate_password() # Reset password staff.user.set_password(new_password) staff.user.save(update_fields=['password']) # Send credentials email notification_log = StaffService.send_credentials_email(staff, new_password, request) # Log the action if request: AuditService.log_from_request( event_type='password_reset', description=f"Password reset and credentials resent to {staff.email} for staff member {staff.get_full_name()}", request=request, content_object=staff, metadata={ 'user_id': str(staff.user.id), 'notification_log_id': str(notification_log.id) if notification_log else None } ) return new_password, notification_log @staticmethod def get_staff_type_role(staff_type): """ Map staff_type to role name. Currently all staff get the 'staff' role. """ role_mapping = { 'physician': 'staff', 'nurse': 'staff', 'admin': 'staff', 'other': 'staff' } return role_mapping.get(staff_type, 'staff')