Open dc2007git opened 2 weeks ago
UPDATE
Reopening this issue even after 'fixing' it. In the permissions branch I have managed to adequately check for permissions for each user, and if this Clinician tries to delete a patient, they will face a 403 error (still to be properly handled but functionally permissions are working).
However, in the admin console, it is still showing the user of type Clinician that I created as having delete patient permission:
even though they are not assigned this permission in the code, and running request.user.has_perm('npda.delete_patient')
returns False
.
Very strange indeed. Does anyone have any idea what could be causing this behaviour?
I'm currently on assigning permissions to different groups based on these roles:
Permissions are then explicitly defined (in the new permissions branch) like so, for each group above:
After this step, the function
groups_seeder()
in create_groups.py checks if the groups have already been created. If they have, then permissions are assigned like so, by checking the group name:and then same code is ran after groups are newly created if they haven't already been.
Deleting all migrations and restarting the entire app logs the following to the terminal (focusing on the Clinician group):
IMPORTANT POINT - it is clear here that this group, called
trust_audit_team_edit_access
, aka the Clinician group, does NOT have delete_patient permissions. We can further test this by logging the current user's permissions (they are a Clinician I created) by accessing request.user.get_all_permissions():{'npda.change_visit', 'npda.add_visit', 'npda.change_patient', 'npda.view_visit', 'npda.view_patient', 'npda.can_opt_out_child_from_inclusion_in_audit', 'npda.can_unlock_child_patient_data_from_editing', 'npda.can_allocate_npda_lead_centre', 'npda.add_patient', 'npda.can_lock_child_patient_data_from_editing'} and is superuser status: False
So this user should not be able to delete patient, as evident from their permissions logged above. In the
PatientDeleteView
I have integrated thePermissionRequiredMixin
, and setpermission_required = 'npda.delete_patient'
. I expect this user to be returned to a PermissionDenied page at the moment - BUT they are in fact able to delete the user.And upon further inspection in the django admin page for this user (again of type Clinician), they have this group assigned (which is correct):
And the following permissions (which are wrong, note also reference to Epilepsy12 - we need to tidy the codebase from refs to epilepsy in general) - I could only take a screenshot of the small window:
But it seems like they have complete a complete set of CRUD permissions even though this is not what their permissions should be.
Will continue to work on this but logging here on github in case someone knows where else permissions could be set? My gut feeling is that somewhere in the code users are out of the box given all permissions by accident.