HH/apps/accounts/permissions.py

"""
Accounts permissions - RBAC permission classes
"""
from rest_framework import permissions
class IsPXAdmin(permissions.BasePermission):
    """
    Allow the request only when the caller is an authenticated PX Admin.

    PX Admins have full system access. This is a request-level check
    (``has_permission``) only; the object being accessed is never inspected,
    which is fine here because PX Admin is unscoped.
    """
    message = "You must be a PX Admin to perform this action."

    def has_permission(self, request, view):
        user = request.user
        # Anonymous or missing user -> deny before touching role helpers.
        if not user or not user.is_authenticated:
            return False
        return user.is_px_admin()
class IsHospitalAdmin(permissions.BasePermission):
    """
    Allow the request only when the caller is an authenticated Hospital Admin.

    Role check only: this class confirms *that* the user is a Hospital Admin,
    not *which* hospital they administer. Scoping to the admin's own hospital
    has to come from an object-level class (see ``CanAccessHospitalData``) or
    from queryset filtering in the view.
    """
    message = "You must be a Hospital Admin to perform this action."

    def has_permission(self, request, view):
        user = request.user
        if not user or not user.is_authenticated:
            return False
        return user.is_hospital_admin()
class IsDepartmentManager(permissions.BasePermission):
    """
    Allow the request only when the caller is an authenticated Department Manager.

    Role check only: it does not restrict the caller to their own department.
    Department scoping must be enforced elsewhere (``CanAccessDepartmentData``
    for detail routes, queryset filtering for list routes).
    """
    message = "You must be a Department Manager to perform this action."

    def has_permission(self, request, view):
        user = request.user
        if not user or not user.is_authenticated:
            return False
        return user.is_department_manager()
class IsPXAdminOrHospitalAdmin(permissions.BasePermission):
    """
    Allow the request when the caller is an authenticated PX Admin or Hospital Admin.

    Like ``IsHospitalAdmin`` this only checks the role, not the hospital the
    admin belongs to; combine with an object-level class or queryset filter
    when tenant scoping matters.
    """
    message = "You must be a PX Admin or Hospital Admin to perform this action."

    def has_permission(self, request, view):
        user = request.user
        authenticated = bool(user and user.is_authenticated)
        if not authenticated:
            return False
        # Either role is sufficient; PX Admin is checked first as the broader one.
        return user.is_px_admin() or user.is_hospital_admin()
class IsPXAdminOrReadOnly(permissions.BasePermission):
    """
    PX Admins may use any HTTP method; every other authenticated user is read-only.

    "Read" is defined by DRF's ``permissions.SAFE_METHODS`` (GET/HEAD/OPTIONS
    in DRF). Anonymous requests are refused for all methods.

    NOTE(review): read access is granted to *every* authenticated user with no
    hospital/department scoping, so a view relying on this class alone must
    not serve tenant-scoped data without additional filtering.
    """

    def has_permission(self, request, view):
        user = request.user
        authenticated = bool(user and user.is_authenticated)
        if not authenticated:
            return False
        is_read = request.method in permissions.SAFE_METHODS
        # Reads pass for anyone authenticated; writes are PX Admin only.
        return True if is_read else user.is_px_admin()
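class IsOwnerOrPXAdmin(permissions.BasePermission):
    """
    Object-level permission: the object's owner, or any PX Admin, may access it.

    Ownership is resolved as ``obj.user == request.user`` when the object
    exposes a ``user`` attribute, otherwise as ``obj == request.user`` (the
    object is the user record itself). Objects whose ``user`` is unset are
    therefore denied to non-admins.

    Security note: DRF invokes ``has_object_permission`` only for detail
    routes that go through ``get_object()``. List and create routes are gated
    by ``has_permission`` alone, which ``BasePermission`` leaves open by
    default -- so a view protected by this class alone previously let
    anonymous callers reach its list/create handlers. ``has_permission`` now
    requires an authenticated caller. It still cannot scope list results:
    views must filter their queryset to ``request.user`` themselves.
    """

    def has_permission(self, request, view):
        # Request-level gate so anonymous callers never reach list/create
        # handlers; ownership itself is decided per object below.
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        user = request.user
        if not (user and user.is_authenticated):
            return False
        # PX Admins are unscoped.
        if user.is_px_admin():
            return True
        # Owned object: compare its owner; otherwise the object must be the user.
        if hasattr(obj, 'user'):
            return obj.user == user
        return obj == user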
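class HasRolePermission(permissions.BasePermission):
    """
    Allow the request when the caller holds at least one of the view's roles.

    Usage: set ``required_roles`` (an iterable of role names) on the view.
    Role names are matched against ``request.user.get_role_names()``.

    Fail-closed: a view that does not declare ``required_roles``, or declares
    it empty, is treated as misconfigured and every request is denied.
    Previously a missing attribute silently admitted any authenticated user,
    so forgetting to configure a view disabled the check entirely. A view
    that genuinely wants "any authenticated user" should use DRF's
    ``IsAuthenticated`` instead of this class.
    """

    def has_permission(self, request, view):
        user = request.user
        if not (user and user.is_authenticated):
            return False
        required_roles = getattr(view, 'required_roles', None)
        if not required_roles:
            # Unconfigured/misconfigured view: deny rather than fail open.
            return False
        user_roles = user.get_role_names()
        return any(role in user_roles for role in required_roles)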
class CanAccessHospitalData(permissions.BasePermission):
    """
    Object-level permission that confines access to a single hospital.

    - PX Admins pass for any object.
    - Any other authenticated user passes only when the object's hospital is
      the user's own ``hospital``. The object's hospital is ``obj.hospital``
      when that attribute exists, or ``obj`` itself when its class is named
      ``Hospital``; objects with neither, or with ``hospital`` unset, are
      denied.

    NOTE(review): beyond PX Admin there is no role check here -- any user
    attached to the hospital passes, not only Hospital Admins and Department
    Managers. Pair with a role class (e.g. ``IsPXAdminOrHospitalAdmin``) where
    the role matters. This is object-level only; list views must filter their
    queryset by hospital themselves.
    """

    def has_object_permission(self, request, view, obj):
        user = request.user
        if not (user and user.is_authenticated):
            return False
        if user.is_px_admin():
            return True
        hospital = self._hospital_of(obj)
        if not hospital:
            return False
        # Tenant check: the caller must belong to the same hospital.
        return user.hospital == hospital

    @staticmethod
    def _hospital_of(obj):
        """Return the hospital an object belongs to, or None when it cannot be determined."""
        if hasattr(obj, 'hospital'):
            return obj.hospital
        # Matched by class name so this module does not import the model.
        if obj.__class__.__name__ == 'Hospital':
            return obj
        return None
class CanAccessDepartmentData(permissions.BasePermission):
    """
    Object-level permission that confines access to a single department.

    - PX Admins pass for any object.
    - Hospital Admins pass when the department's ``hospital`` is their own.
    - Department Managers pass when the department is their own ``department``.
    - Everyone else is denied.

    The department is ``obj.department`` when that attribute exists, or
    ``obj`` itself when its class is named ``Department``; objects with
    neither, or with ``department`` unset, are denied. Object-level only:
    list views must filter their queryset by department/hospital themselves.
    """

    def has_object_permission(self, request, view, obj):
        user = request.user
        if not (user and user.is_authenticated):
            return False
        if user.is_px_admin():
            return True
        department = self._department_of(obj)
        if not department:
            return False
        # Hospital Admin: department must sit inside the admin's hospital.
        if user.is_hospital_admin() and user.hospital == department.hospital:
            return True
        # Department Manager: must be the manager's own department.
        return bool(user.is_department_manager() and user.department == department)

    @staticmethod
    def _department_of(obj):
        """Return the department an object belongs to, or None when it cannot be determined."""
        if hasattr(obj, 'department'):
            return obj.department
        # Matched by class name so this module does not import the model.
        if obj.__class__.__name__ == 'Department':
            return obj
        return None