We are going to implement organisation-specific permissions into npda. It probably can't be done with a PermissionRequiredMixin because these apply to a whole view - whereas we want to add an extra layer of permissions for those who CAN access the view. Something like this:
1. Can the user access the view? (use PermissionRequiredMixin)
2. Can the user access the organisation/PDU data?
What we were thinking was that for each request that goes out, we cross check the PDU/ODS that is being requested with the PDU/ODS that is assigned to the user (or if they are superuser / rcpch audit team member) and if they match, return the list, else 403.
[ discussion with @anchit-chandran ]
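One way the second layer described above could look, as an added sketch that is not code from the npda repository. The field names (`pdu_code`, `ods_code`, `is_rcpch_audit_team_member`), the URL kwargs and the exception class (a stand-in for Django's `PermissionDenied`, which renders as a 403) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

class OrganisationAccessDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (-> HTTP 403)."""

@dataclass(frozen=True)
class AuditUser:
    # Hypothetical user fields; the real model may name these differently.
    is_authenticated: bool = True
    is_superuser: bool = False
    is_rcpch_audit_team_member: bool = False
    pdu_code: Optional[str] = None   # PDU assigned to the user
    ods_code: Optional[str] = None   # organisation (ODS) assigned to the user

def _norm(code: Optional[str]) -> Optional[str]:
    # Treat empty/whitespace as "not supplied"; compare case-insensitively.
    return code.strip().upper() if code and code.strip() else None

def can_access_organisation(user, requested_pdu_code=None, requested_ods_code=None) -> bool:
    if not user.is_authenticated:
        return False
    # Superusers and RCPCH audit team members may see any PDU/organisation.
    if user.is_superuser or user.is_rcpch_audit_team_member:
        return True
    req_pdu, req_ods = _norm(requested_pdu_code), _norm(requested_ods_code)
    if req_pdu is None and req_ods is None:
        return False  # fail closed: the request names nothing to check against
    # Every identifier present in the request must match the user's assignment.
    if req_pdu is not None and req_pdu != _norm(user.pdu_code):
        return False
    if req_ods is not None and req_ods != _norm(user.ods_code):
        return False
    return True

class OrganisationAccessMixin:
    """Layer 2: list after PermissionRequiredMixin and before the view class."""
    def dispatch(self, request, *args, **kwargs):
        allowed = can_access_organisation(
            request.user, kwargs.get("pdu_code"), kwargs.get("ods_code"))
        if not allowed:
            raise OrganisationAccessDenied("PDU/ODS not assigned to this user")
        return super().dispatch(request, *args, **kwargs)
```

The same function should also constrain the queryset, since checking only the URL does not stop a view from returning rows for other organisations.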