HH/SOURCE_USER_STRICT_ACCESS.md
2026-03-09 16:10:24 +03:00

PX Source User - Strict Access Control

Overview

PX Source Users have STRICTLY LIMITED ACCESS to the system. They can ONLY access:

  1. /px-sources/* pages (their dedicated portal)
  2. Password change page
  3. Basic settings page
  4. Logout

ALL other URLs are blocked and the request is redirected to /px-sources/dashboard/.


Implementation

1. Middleware (apps/px_sources/middleware.py)

class SourceUserRestrictionMiddleware:
    """
    STRICT middleware that restricts source users to ONLY:
    1. /px-sources/* pages
    2. Password change
    3. Settings
    4. Logout
    """
    
    ALLOWED_PATH_PREFIXES = ['/px-sources/']
    ALLOWED_URL_NAMES = {
        'accounts:password_change',
        'accounts:settings',
        'accounts:logout',
        'accounts:login',
    }

2. Settings Configuration

Added to config/settings/base.py:

MIDDLEWARE = [
    ...
    'apps.px_sources.middleware.SourceUserRestrictionMiddleware',
    ...
]

3. View-Level Enforcement

Updated views to redirect source users:

  • CommandCenterView.dispatch() - redirects to /px-sources/dashboard/
  • my_dashboard() - redirects to /px-sources/dashboard/
  • @block_source_user decorator - redirects to /px-sources/dashboard/

Allowed URLs for Source Users

URL                            Access Description
/px-sources/dashboard/         Source User Dashboard
/px-sources/complaints/        List their complaints
/px-sources/complaints/new/    Create new complaint
/px-sources/inquiries/         List their inquiries
/px-sources/inquiries/new/     Create new inquiry
/accounts/password/change/     Change password
/accounts/settings/            Basic settings
/accounts/logout/              Logout
/static/*                      Static files (CSS/JS)
/media/*                       Media files
/i18n/*                        Language switching

Blocked URLs (Redirected to /px-sources/dashboard/)

URL                            Blocked Behavior
/                              Redirected
/dashboard/my/                 Redirected
/dashboard/admin-evaluation/   Redirected
/analytics/*                   Redirected
/surveys/*                     Redirected
/complaints/                   Redirected
/complaints/inquiries/         Redirected
/organizations/*               Redirected
/config/*                      Redirected
/actions/*                     Redirected
/physicians/*                  Redirected
/px-sources/ (admin pages)     Redirected
/px-sources/new/               Redirected
/px-sources/<id>/edit/         Redirected

Testing

Test Cases

  1. Login as Source User

    • Visit: /
    • Expected: Redirected to /px-sources/dashboard/
  2. Try to access Command Center

    • Visit: /dashboard/my/
    • Expected: Redirected to /px-sources/dashboard/
  3. Try to access Surveys

    • Visit: /surveys/
    • Expected: Redirected to /px-sources/dashboard/
  4. Try to access Staff

    • Visit: /organizations/staff/
    • Expected: Redirected to /px-sources/dashboard/
  5. Access Source User Portal

    • Visit: /px-sources/dashboard/
    • Expected: Works!
  6. Access Password Change

    • Visit: /accounts/password/change/
    • Expected: Works!
  7. Create Complaint

    • Visit: /px-sources/complaints/new/
    • Expected: Works!
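The following is an added, stand-alone model of the allowlist logic described in the Implementation section, exercised against the paths from the test cases above. It is example code written for this page, not the project's own middleware or decorator, and it does not import Django: `FakeUser`, `FakeRequest` and `Response` stand in for the auth user, `HttpRequest` and the redirect/200 responses. Three things are assumptions of the example rather than facts from the page: source users are identified by a hypothetical `is_source_user` flag; `/static/`, `/media/` and `/i18n/` are treated as extra allowed prefixes inside the middleware; and the admin pages under /px-sources/ (which match the allowed prefix and therefore pass the middleware) are modelled as blocked by the view-level `@block_source_user` decorator. One real caveat is built in: a middleware checking URL names in `__call__` has to resolve the path itself, because `request.resolver_match` is not populated until after the middleware chain has run.

```python
import re
from dataclasses import dataclass
from functools import wraps
from typing import Optional

SOURCE_DASHBOARD = "/px-sources/dashboard/"

# Allowlist taken from the middleware excerpt in the Implementation section.
ALLOWED_PATH_PREFIXES = ("/px-sources/",)
ALLOWED_URL_NAMES = {
    "accounts:password_change",
    "accounts:settings",
    "accounts:logout",
    "accounts:login",
}
# Listed as allowed in the URL table; handling them as prefixes here is an assumption.
ASSET_PREFIXES = ("/static/", "/media/", "/i18n/")


@dataclass
class FakeUser:
    """Stand-in for the Django auth user. `is_source_user` is a hypothetical
    flag: the page does not show how the project marks source users."""
    is_authenticated: bool = True
    is_superuser: bool = False
    is_source_user: bool = False


@dataclass
class FakeRequest:
    """Stand-in for HttpRequest. `url_name` plays the role of the resolved view
    name; a real middleware must obtain it via django.urls.resolve(path),
    since request.resolver_match is still None while middleware runs."""
    path: str
    user: FakeUser
    url_name: Optional[str] = None


@dataclass
class Response:
    status: int
    location: str = ""


def redirect_to_dashboard() -> Response:
    return Response(302, location=SOURCE_DASHBOARD)


def is_restricted(user: FakeUser) -> bool:
    """Superusers are excluded from the restriction (Security Notes, item 4)."""
    return user.is_authenticated and user.is_source_user and not user.is_superuser


class SourceUserRestrictionMiddleware:
    """Allowlist middleware: anything not explicitly allowed is redirected."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request: FakeRequest) -> Response:
        if is_restricted(request.user) and not self.path_allowed(request):
            return redirect_to_dashboard()
        return self.get_response(request)

    @staticmethod
    def path_allowed(request: FakeRequest) -> bool:
        if request.path.startswith(ALLOWED_PATH_PREFIXES + ASSET_PREFIXES):
            return True
        return request.url_name in ALLOWED_URL_NAMES


def block_source_user(view):
    """View-level guard for admin pages that sit under the allowed /px-sources/
    prefix and therefore pass the middleware check."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if is_restricted(request.user):
            return redirect_to_dashboard()
        return view(request, *args, **kwargs)
    return wrapper


def plain_view(request: FakeRequest) -> Response:
    return Response(200)


@block_source_user
def admin_view(request: FakeRequest) -> Response:
    return Response(200)


# Constructed stand-in for the URLconf: the admin routes from the "Blocked URLs"
# table hit the decorated view, every other path hits a plain view.
ADMIN_ROUTES = tuple(re.compile(p) for p in (
    r"/px-sources/", r"/px-sources/new/", r"/px-sources/\d+/edit/"))


def route(request: FakeRequest) -> Response:
    if any(p.fullmatch(request.path) for p in ADMIN_ROUTES):
        return admin_view(request)
    return plain_view(request)


app = SourceUserRestrictionMiddleware(route)


def handle(path: str, user: Optional[FakeUser] = None,
           url_name: Optional[str] = None) -> Response:
    """Run one request through middleware and view; defaults to a source user."""
    user = user if user is not None else FakeUser(is_source_user=True)
    return app(FakeRequest(path, user, url_name))


if __name__ == "__main__":
    for path in ("/", "/dashboard/my/", "/surveys/", "/organizations/staff/",
                 "/px-sources/dashboard/", "/px-sources/complaints/new/",
                 "/px-sources/new/", "/px-sources/12/edit/"):
        r = handle(path)
        print(f"{path:32} -> {r.status} {r.location}")
```

Running the module prints the outcome for each path in the test cases above; the two admin paths under /px-sources/ only redirect because of the decorator, which is the reason the page keeps view-level enforcement alongside the middleware.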

Security Notes

  1. Middleware runs on EVERY request - Cannot be bypassed
  2. No error messages - Silent redirect for better UX
  3. Whitelist approach - Only explicitly allowed URLs work
  4. Superusers excluded - Superusers bypass all restrictions
  5. Static files allowed - Required for CSS/JS to work

Files Modified

  1. apps/px_sources/middleware.py - Updated SourceUserRestrictionMiddleware
  2. config/settings/base.py - Added middleware to MIDDLEWARE list
  3. apps/dashboard/views.py - Added redirects in views
  4. apps/core/decorators.py - Updated @block_source_user decorator

Last Updated: 2026-02-25