
Location/ Bed Management issue ( District Lab Admin Account) #7102

Closed
Sunilsubba opened this issue Jan 24, 2024 · 25 comments
Labels: Backend, bug (Something isn't working), Frontend

Comments

@Sunilsubba

----Describe the bug----
The error message "You don't have permission to perform this action" comes up, but the district lab admin account is still allowed to create and manage beds.

----Steps to reproduce----
1- Log in using provided credential
2- Click on https://care.coronasafe.in/facility/42d0dbbd-e3e1-4d64-88ff-f606b90975b0/location

3- Click on "manage beds" from any existing location
4- add new bed

----Login Credentials----
Username: district_lab123
Password: Lilo@123

----Screenshots----
IMG_20240125_003827.jpg

IMG_20240125_003749.jpg

@SamakshAgarwal1112

Working on it!


github-actions bot commented Feb 9, 2024

Hi, @gigincg, @nihal467, @khavinshankar, @mathew-alex, @aparnacoronasafe, This issue has been automatically marked as stale because it has not had any recent activity.

@github-actions github-actions bot added the stale label Feb 9, 2024
@rithviknishad
Member

Hey @SamakshAgarwal1112 any updates on this?

@rithviknishad rithviknishad added the bug Something isn't working label Feb 12, 2024
@github-actions github-actions bot removed the stale label Feb 13, 2024
@shramanpaul
Contributor

Hello @rithviknishad, could you please assign me this issue? I'm eager to work on it.

@rithviknishad
Member

Hey @shramanpaul

Feel free to make a PR on this once the changes requested for #7200 are completed.

@balaji-sivasakthi

@rithviknishad Could you explain to me why this issue is throwing a 403 error?

GET /api/v1/facility/42d0dbbd-e3e1-4d64-88ff-f606b90975b0/asset_location/6ee4cae3-f9e3-40d4-9b47-337ac8052f76/
HTTP 403 Forbidden
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "detail": "Authentication credentials were not provided."
}

@rithviknishad
Member

Have you set the Authorization headers when making the request?

@balaji-sivasakthi

> Have you set the Authorization headers when making the request?

I'm not sure, this is the stuff I cached from the browser.

@AnkurPrabhu
Contributor

AnkurPrabhu commented Mar 2, 2024

@rithviknishad @balaji-sivasakthi I tried using the same front-end on my local backend and it does not show this error. Do we have some sort of WAF or any firewall this passes through that could be the issue here? Please correct me if I am wrong. Also, this does not exist in https://care.ohc.network/

@varshith257

@rithviknishad I would like to work on this. Can you assign me this issue?

@hrit2773
Contributor

hrit2773 commented Mar 3, 2024

@balaji-sivasakthi that 403 error is because there are no authentication details. I tried to find the method associated with the URL in the care backend repo but I'm unable to find it.

@balaji-sivasakthi

Has anyone checked with a different account? I believe the account listed below may be broken in terms of roles.

Username: district_lab123
Password: Lilo@123

@r-nikhilkumar
Contributor

Please assign this issue to me, I want to contribute here.

@Shahbaz898414

@rithviknishad I would like to work on this. Can you assign me this issue?

@AnkurPrabhu
Contributor

AnkurPrabhu commented Mar 6, 2024

> Has anyone checked with a different account? I believe the account listed below may be broken in terms of roles.
>
> Username: district_lab123
> Password: Lilo@123

I tried on my local using devdistrict admin, staff and doc; everything works fine. I feel like this is some sort of configuration or firewall setting for some APIs,
or it could be that some specific permission is not given to the user account from Django admin. Can anyone check the user type?

@rithviknishad
Member

Have you tried creating a district lab admin user type user and tried replicating the issue with that user?

@AnkurPrabhu
Contributor

Yes I did.
What I did for this is:
Went to the Django users table, edited the type to district level admin and then tried it; it was working fine for me.
Let me know if my steps to replicate are correct or if I have missed something.

@rithviknishad
Member

rithviknishad commented Mar 7, 2024

"District Lab Admin" is the user type. Not "District Admin"

Also, I'm able to replicate this issue.

To replicate this, you'll need to go directly to the URL instead of navigating to the location page through Care.

image

There seem to be multiple permission issues:

  1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)
  2. If I directly go to the location management page of such inaccessible facilities, I'm able to list the locations of such facilities. This shouldn't be permitted.
  3. Now this user can read and write beds of those locations of inaccessible facilities too, which also shouldn't be permitted.

cc: @sainak

@sainak
Member

sainak commented Mar 7, 2024

> "District Lab Admin" is the user type. Not "District Admin"
>
> Also, I'm able to replicate this issue.
>
> To replicate this, you'll need to go directly to the URL instead of navigating to the location page through Care.
>
> image
>
> There seems to be multiple permission issues:
>
>   1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)
>   2. If I directly go to the location management page of such inaccessible facilities, I'm able to list the locations of such facilities. This shouldn't be permitted.
>   3. Now this user can read and write beds of those locations of inaccessible facilities too, which also shouldn't be permitted.
>
> cc: @sainak

Yes @rithviknishad this is a permission issue, it needs to be restricted on the backend
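As an added illustration of the kind of backend restriction being described here (example code written for this page, not code from the care repository; the user types, model classes, district and facility identifiers and data are all constructed), the following resolves every nested lookup through the set of facilities the user is linked to, so that requesting a location or bed URL directly for a facility outside that set returns 404 instead of the data. The unscoped `list_locations_unscoped` is kept beside the scoped version to show the difference.

```python
# Added example (not code from the care project): object-level scoping of nested
# resources (facility -> location -> bed). Everything below is constructed for
# illustration: user types, model classes, ids and the in-memory "database".
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Stand-in for an HTTP 404; scoped lookups raise this instead of returning data."""


@dataclass(frozen=True)
class Facility:
    id: str
    district: str


@dataclass(frozen=True)
class Location:
    id: str
    facility_id: str


@dataclass
class Bed:
    id: str
    location_id: str


@dataclass
class User:
    username: str
    user_type: str                       # constructed type names, see DISTRICT_SCOPED_TYPES
    district: Optional[str] = None       # set for district-scoped user types
    facility_ids: set = field(default_factory=set)  # explicit facility links


# Constructed in-memory data: F1 is in district D1, F2 in district D2.
FACILITIES = {"F1": Facility("F1", "D1"), "F2": Facility("F2", "D2")}
LOCATIONS = {"L1": Location("L1", "F1"), "L2": Location("L2", "F2")}
BEDS = {"B1": Bed("B1", "L1")}

# Constructed: user types whose scope is a whole district rather than linked facilities.
DISTRICT_SCOPED_TYPES = {"DistrictAdmin", "DistrictLabAdmin"}


def accessible_facility_ids(user):
    """Facilities the user may act on: every facility in their district for
    district-scoped types, otherwise only explicitly linked facilities."""
    if user.user_type in DISTRICT_SCOPED_TYPES:
        return {f.id for f in FACILITIES.values() if f.district == user.district}
    return set(user.facility_ids)


def list_facilities(user):
    """Facility listing already filtered by scope, so inaccessible ones are never shown."""
    return [FACILITIES[fid] for fid in sorted(accessible_facility_ids(user))]


def list_locations_unscoped(facility_id):
    """'Before' behaviour: the nested route trusts the facility id taken from the URL."""
    return [loc for loc in LOCATIONS.values() if loc.facility_id == facility_id]


def list_locations(user, facility_id):
    """'After' behaviour: the facility must be inside the user's scope, else 404."""
    if facility_id not in accessible_facility_ids(user):
        raise NotFound(f"facility {facility_id}")
    return list_locations_unscoped(facility_id)


def get_location(user, facility_id, location_id):
    """Resolve a location only through its scoped parent facility."""
    for loc in list_locations(user, facility_id):
        if loc.id == location_id:
            return loc
    raise NotFound(f"location {location_id}")


def list_beds(user, facility_id, location_id):
    """Bed reads resolve through the scoped location, so a direct URL into an
    inaccessible facility ends in 404 rather than a bed list."""
    loc = get_location(user, facility_id, location_id)
    return [b for b in BEDS.values() if b.location_id == loc.id]


def create_bed(user, facility_id, location_id, bed_id):
    """Writes apply the same parent check as reads before touching the store."""
    loc = get_location(user, facility_id, location_id)
    bed = Bed(bed_id, loc.id)
    BEDS[bed_id] = bed
    return bed


def status(fn, *args):
    """Map an outcome to the HTTP status a view layer would return (constructed mapping)."""
    try:
        fn(*args)
        return 200
    except NotFound:
        return 404


if __name__ == "__main__":
    lab_admin = User("lab_admin_d1", "DistrictLabAdmin", district="D1")
    print("unscoped locations of F2:", [l.id for l in list_locations_unscoped("F2")])
    print("scoped status for F2 locations:", status(list_locations, lab_admin, "F2"))
    print("scoped status for F1 beds:", status(list_beds, lab_admin, "F1", "L1"))
```

The point of routing `list_beds` and `create_bed` through `get_location` is that the check lives in one place: any new nested endpoint that resolves its parent the same way inherits the restriction, and the facility listing and the direct URL agree on what the user can see.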

@AnkurPrabhu
Contributor

AnkurPrabhu commented Mar 8, 2024

can you assign this to me ? @rithviknishad @sainak

@AnkurPrabhu
Contributor

AnkurPrabhu commented Mar 10, 2024

>   1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)

@rithviknishad can you please explain what you mean by this? On what basis do we need to validate whether the user has access to these facilities?

@rithviknishad
Member

@Thanush19

If the issue is not resolved, I can work on this @rithviknishad

@AnkurPrabhu
Contributor

I am working on it @Thanush19

@AnkurPrabhu
Contributor

Let's close this issue @rithviknishad
