HH/apps/complaints/permissions.py

"""
Complaints permissions - Control who can create and manage complaints/inquiries
"""
from rest_framework import permissions


class CanCreateComplaint(permissions.BasePermission):
    """
    Permission to check if user can create complaints.
    
    Source Users need explicit permission.
    Patients can create their own complaints.
    PX Admins and Hospital Admins can create.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
        # PX Admins can create
        if request.user.is_px_admin():
            return True
        
        # Hospital Admins can create
        if request.user.is_hospital_admin():
            return True
        
        # Source Users need explicit permission
        if hasattr(request.user, 'source_user_profile'):
            source_user = request.user.source_user_profile.first()
            if source_user and source_user.is_active and source_user.can_create_complaints:
                return True
            return False
        
        # Patients can create (assuming they have user accounts)
        # For public forms without auth, use IsAuthenticatedOrReadOnly
        return True


class CanCreateInquiry(permissions.BasePermission):
    """
    Permission to check if user can create inquiries.
    
    Source Users need explicit permission.
    Patients can create their own inquiries.
    PX Admins and Hospital Admins can create.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
        # PX Admins can create
        if request.user.is_px_admin():
            return True
        
        # Hospital Admins can create
        if request.user.is_hospital_admin():
            return True
        
        # Source Users need explicit permission
        if hasattr(request.user, 'source_user_profile'):
            source_user = request.user.source_user_profile.first()
            if source_user and source_user.is_active and source_user.can_create_inquiries:
                return True
            return False
        
        # Patients can create (assuming they have user accounts)
        return True


class CanAccessOwnData(permissions.BasePermission):
    """
    Permission to check if user can access their own data.
    
    Source Users can only access complaints/inquiries they created.
    Patients can only access their own complaints/inquiries.
    PX Admins can access all data.
    """
    def has_object_permission(self, request, view, obj):
        # PX Admins can access everything
        if request.user.is_px_admin():
            return True
        
        # Source Users can only access their own created data
        if hasattr(request.user, 'source_user_profile'):
            if request.user.source_user_profile.exists():
                return getattr(obj, 'created_by', None) == request.user
        
        # Patients can only access their own data
        if hasattr(obj, 'patient'):
            if hasattr(obj.patient, 'user'):
                return obj.patient.user == request.user
        
        # Default: deny
        return False