"""
Custom permission classes for role-based access control.
"""
|
|
|
|
from rest_framework import permissions
|
|
|
|
|
|
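class IsAdmin(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'ADMIN'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and an admin.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool. The short-circuit ``and`` chain alone would
            hand the user object or ``None`` back to the caller.
        """
        user = request.user
        # ``is_authenticated`` is tested before ``role`` is read, so an
        # unauthenticated user is denied instead of raising AttributeError.
        return bool(user and user.is_authenticated and user.role == 'ADMIN')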
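class IsDoctor(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'DOCTOR'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and a doctor.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Authentication is checked before ``role`` is read so unauthenticated
        # users are denied rather than triggering AttributeError.
        return bool(user and user.is_authenticated and user.role == 'DOCTOR')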
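class IsNurse(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'NURSE'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and a nurse.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'NURSE')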
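class IsABATherapist(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'ABA'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and an ABA
        therapist.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'ABA')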
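class IsOTTherapist(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'OT'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and an OT
        therapist.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'OT')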
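class IsSLPTherapist(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'SLP'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated and an SLP
        therapist.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'SLP')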
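class IsFrontDesk(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'FRONT_DESK'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated front-desk
        staff.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'FRONT_DESK')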
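class IsFinance(permissions.BasePermission):
    """
    Allow access only to authenticated users whose ``role`` is ``'FINANCE'``.

    This is a view-level check; it does not look at the object being accessed.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` when the requesting user is authenticated finance staff.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(user and user.is_authenticated and user.role == 'FINANCE')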
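class IsClinicalStaff(permissions.BasePermission):
    """
    Allow access to authenticated clinical staff: doctors, nurses and the
    ABA / OT / SLP therapist roles.

    This is a view-level check; it does not look at the object being accessed.
    """

    # Roles that count as clinical staff for this check.
    CLINICAL_ROLES = frozenset({'DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP'})

    def has_permission(self, request, view):
        """
        Return ``True`` when the user is authenticated and holds a clinical role.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(
            user and user.is_authenticated and user.role in self.CLINICAL_ROLES
        )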
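class IsAdminOrReadOnly(permissions.BasePermission):
    """
    Grant read access to any authenticated user and write access to admins only.

    "Read" means the request method is in ``permissions.SAFE_METHODS``; every
    other method requires ``role == 'ADMIN'``.
    """

    def has_permission(self, request, view):
        """
        Return ``True`` for authenticated safe-method requests, or for any
        method when the authenticated user is an admin.

        Args:
            request: The DRF request; ``request.method`` and ``request.user``
                are read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        authenticated = bool(user and user.is_authenticated)
        if request.method in permissions.SAFE_METHODS:
            # Reads never reach the role check; authentication is enough.
            return authenticated
        return authenticated and user.role == 'ADMIN'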
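class CanAccessPatient(permissions.BasePermission):
    """
    Object-level check that a patient belongs to the requesting user's tenant.

    Only ``has_object_permission`` is implemented, so this class has no effect
    on list endpoints or on views that never run an object-level check; tenant
    isolation on those paths has to come from queryset filtering.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return ``True`` only when ``obj.tenant`` equals the user's tenant.

        Args:
            request: The DRF request; ``request.user.tenant`` is read.
            view: The view being accessed (unused).
            obj: The patient instance; ``obj.tenant`` is read.

        Returns:
            bool: ``False`` when the user has no usable tenant, so an
            unauthenticated request or a user with no tenant is denied instead
            of raising AttributeError or matching an unset tenant via
            ``None == None``.
        """
        user_tenant = getattr(request.user, 'tenant', None)
        if user_tenant is None:
            # Fail closed: never let two unset tenants compare equal.
            return False
        return obj.tenant == user_tenant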
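class CanManageFinance(permissions.BasePermission):
    """
    Allow finance operations to authenticated admin and finance staff only.

    This is a view-level check; it does not look at the object being accessed.
    """

    # Roles permitted to manage finances.
    FINANCE_ROLES = frozenset({'ADMIN', 'FINANCE'})

    def has_permission(self, request, view):
        """
        Return ``True`` when the user is authenticated and holds the admin or
        finance role.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(
            user and user.is_authenticated and user.role in self.FINANCE_ROLES
        )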
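class CanBookAppointment(permissions.BasePermission):
    """
    Allow appointment booking to authenticated admins, front-desk staff and
    clinical staff (doctors, nurses, ABA / OT / SLP therapists).

    This is a view-level check; it does not look at the object being accessed.
    """

    # Roles permitted to book appointments.
    BOOKING_ROLES = frozenset(
        {'ADMIN', 'FRONT_DESK', 'DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP'}
    )

    def has_permission(self, request, view):
        """
        Return ``True`` when the user is authenticated and holds a booking role.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(
            user and user.is_authenticated and user.role in self.BOOKING_ROLES
        )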
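class CanManageReferrals(permissions.BasePermission):
    """
    Allow referral management to authenticated admins and clinical staff
    (doctors, nurses, ABA / OT / SLP therapists).

    This is a view-level check; it does not look at the object being accessed.
    """

    # Roles permitted to manage referrals.
    REFERRAL_ROLES = frozenset({'ADMIN', 'DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP'})

    def has_permission(self, request, view):
        """
        Return ``True`` when the user is authenticated and holds a referral role.

        Args:
            request: The DRF request; ``request.user`` is read.
            view: The view being accessed (unused).

        Returns:
            bool: A strict bool rather than the user object or ``None``.
        """
        user = request.user
        # Deny unauthenticated users before touching ``role``.
        return bool(
            user and user.is_authenticated and user.role in self.REFERRAL_ROLES
        )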
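class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Allow authenticated users to read an object and only its owner to write it.

    The owner is ``obj.created_by`` when that attribute exists, otherwise
    ``obj.user``. Objects exposing neither attribute are never writable here.
    This is an object-level check only; it does not apply to list endpoints.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return ``True`` for safe-method requests from an authenticated user, or
        for any method when the authenticated user owns ``obj``.

        Args:
            request: The DRF request; ``request.method`` and ``request.user``
                are read.
            view: The view being accessed (unused).
            obj: The instance being accessed; ``created_by`` or ``user`` is
                compared against the requesting user.

        Returns:
            bool: ``False`` for unauthenticated requests, including reads, so
            the check matches its stated contract instead of relying on the
            view to add an authentication permission separately.
        """
        user = request.user
        if not (user and user.is_authenticated):
            # Reads as well as writes require an authenticated user.
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        # Writes: prefer ``created_by``, fall back to ``user``.
        if hasattr(obj, 'created_by'):
            return obj.created_by == user
        if hasattr(obj, 'user'):
            return obj.user == user
        return False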
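class IsSameTenant(permissions.BasePermission):
    """
    Object-level check that the object belongs to the requesting user's tenant.

    Objects without a ``tenant`` attribute are allowed through unchanged from
    the original behaviour; that fail-open path is deliberate for
    non-tenant-scoped models but means this class alone does not isolate them.
    Only ``has_object_permission`` is implemented, so list endpoints must be
    isolated by queryset filtering.
    """

    def has_object_permission(self, request, view, obj):
        """
        Return ``True`` when ``obj`` has no ``tenant`` attribute, or when
        ``obj.tenant`` equals the requesting user's tenant.

        Args:
            request: The DRF request; ``request.user.tenant`` is read.
            view: The view being accessed (unused).
            obj: The instance being accessed; ``obj.tenant`` is read if present.

        Returns:
            bool: ``False`` for a tenant-scoped object when the user has no
            usable tenant, so an unauthenticated request is denied instead of
            raising AttributeError and an unset tenant never matches another
            unset tenant via ``None == None``.
        """
        if not hasattr(obj, 'tenant'):
            # NOTE(review): fail-open for models that carry no tenant field.
            return True
        user_tenant = getattr(request.user, 'tenant', None)
        if user_tenant is None:
            # Fail closed rather than let two unset tenants compare equal.
            return False
        return obj.tenant == user_tenant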