""" Management command to create default roles and groups for PX360. """ from django.contrib.auth.models import Group, Permission from django.contrib.contenttypes.models import ContentType from django.core.management.base import BaseCommand from apps.accounts.models import Role class Command(BaseCommand): help = "Create default roles and groups for PX360 system" def handle(self, *args, **options): """Create default roles""" roles_config = [ { "name": "px_admin", "display_name": "PX Admin", "description": "Full system access. Can manage all hospitals, departments, and configurations.", "level": 100, }, { "name": "hospital_admin", "display_name": "Hospital Admin", "description": "Hospital-level access. Can manage their hospital and its departments.", "level": 80, }, { "name": "department_manager", "display_name": "Department Manager", "description": "Department-level access. Can manage their department.", "level": 60, }, { "name": "px_staff", "display_name": "PX Staff", "description": "Can manage PX actions, complaints, and surveys.", "level": 50, }, { "name": "physician", "display_name": "Physician", "description": "Can view patient feedback and their own ratings.", "level": 40, }, { "name": "nurse", "display_name": "Nurse", "description": "Can view department feedback.", "level": 30, }, { "name": "staff", "display_name": "Staff", "description": "Basic staff access.", "level": 20, }, { "name": "viewer", "display_name": "Viewer", "description": "Read-only access to reports and dashboards.", "level": 10, }, { "name": "executive", "display_name": "Executive", "description": "C-Suite and top management. System-wide analytics, executive summaries, and predictive insights access.", "level": 90, }, { "name": "px_source_user", "display_name": "PX Source User", "description": "External source users who can create complaints and inquiries from their assigned source. Limited access to their own created data only.", "level": 5, }, ] created_count = 0 updated_count = 0 for role_data in roles_config: # Get or create group group, group_created = Group.objects.get_or_create(name=role_data["display_name"]) if group_created: self.stdout.write(self.style.SUCCESS(f"Created group: {group.name}")) # Get or create role role, role_created = Role.objects.get_or_create( name=role_data["name"], defaults={ "display_name": role_data["display_name"], "description": role_data["description"], "group": group, "level": role_data["level"], }, ) if role_created: created_count += 1 self.stdout.write(self.style.SUCCESS(f"āœ“ Created role: {role.display_name} (level {role.level})")) else: # Update existing role role.display_name = role_data["display_name"] role.description = role_data["description"] role.level = role_data["level"] role.group = group role.save() updated_count += 1 self.stdout.write(self.style.WARNING(f"ā†» Updated role: {role.display_name}")) # Assign permissions based on role level self._assign_permissions(role, group) self.stdout.write( self.style.SUCCESS(f"\nāœ“ Roles setup complete: {created_count} created, {updated_count} updated") ) self.stdout.write(self.style.SUCCESS(f"Total roles: {Role.objects.count()}")) def _assign_permissions(self, role, group): """ Assign permissions to group based on role level. This is a basic implementation - expand as needed. """ # Clear existing permissions group.permissions.clear() # Get all permissions all_permissions = Permission.objects.all() # PX Admin gets all permissions if role.name == "px_admin": group.permissions.set(all_permissions) return # Hospital Admin gets most permissions except user management if role.name == "hospital_admin": permissions = Permission.objects.exclude( content_type__app_label="auth", codename__in=["add_user", "delete_user", "change_user"] ) group.permissions.set(permissions) return # Department Manager gets department-level permissions if role.name == "department_manager": # Add view permissions for most models view_permissions = Permission.objects.filter(codename__startswith="view_") group.permissions.set(view_permissions) return # PX Staff gets complaint and action permissions if role.name == "px_staff": staff_permissions = Permission.objects.filter( content_type__app_label__in=["complaints", "px_action_center", "surveys"] ) group.permissions.set(staff_permissions) return # Executive gets view permissions system-wide + executive_summary access if role.name == "executive": view_permissions = Permission.objects.filter(codename__startswith="view_") exec_perms = Permission.objects.filter(content_type__app_label="executive_summary") group.permissions.set(list(view_permissions) + list(exec_perms)) return # PX Source User gets limited complaint/inquiry permissions if role.name == "px_source_user": source_user_perms = Permission.objects.filter( content_type__app_label__in=["complaints"], codename__in=[ "add_complaint", "view_complaint", "change_complaint", "add_inquiry", "view_inquiry", "change_inquiry", ], ) group.permissions.set(source_user_perms) return # Others get basic view permissions view_permissions = Permission.objects.filter(codename__startswith="view_") group.permissions.set(view_permissions)