feat: limit users based on allotted facilities

savannahghi · Sep 17, 2021 · f460ca0 · f460ca0
1 parent 5aa4901
commit f460ca0
Show file tree

Hide file tree

Showing 12 changed files with 222 additions and 134 deletions.
diff --git a/config/settings/base.py b/config/settings/base.py
@@ -292,6 +292,7 @@
         "django_filters.rest_framework.DjangoFilterBackend",
         "rest_framework.filters.OrderingFilter",
         "fahari.common.filters.OrganisationFilterBackend",
+        "fahari.common.filters.AllottedFacilitiesFilterBackend",
     ),
     "DEFAULT_PAGINATION_CLASS": (
         "rest_framework_datatables.pagination.DatatablesPageNumberPagination"

diff --git a/fahari/common/filters.py b/fahari/common/filters.py
@@ -65,6 +65,25 @@ def filter_queryset(self, request, queryset, view):
         return queryset.filter(organisation=request.user.organisation)
 
 
+class AllottedFacilitiesFilterBackend(filters.BaseFilterBackend):
+    """Users are only allowed to view records relating to facilities they have been allotted to.
+
+    For this to work, the attribute `facility_field_lookup` must be present on a view. The
+    attribute should contain a lookup to a facility and should be usable from the queryset
+    returned by the view. If the aforementioned attribute is not present on a view, then no
+    filtering is performed and the queryset is returned as is.
+    """
+
+    def filter_queryset(self, request, queryset, view):
+        """Filter records to"""
+        lookup = getattr(view, "facility_field_lookup", None)
+        if not lookup:
+            return queryset
+        allotted_facilities = UserFacilityAllotment.get_facilities_for_user(request.user)
+        qs_filter = {"%s__in" % lookup: allotted_facilities}
+        return queryset.filter(**qs_filter)
+
+
 class FacilityFilter(CommonFieldsFilterset):
     """Filter facilities."""
 

diff --git a/fahari/common/forms/__init__.py b/fahari/common/forms/__init__.py
@@ -7,12 +7,16 @@
     SystemForm,
     UserFacilityAllotmentForm,
 )
+from .mixins import FormContextMixin, GetAllottedFacilitiesMixin, GetUserFromContextMixin
 
 __all__ = [
     "BaseModelForm",
     "FacilityAttachmentForm",
     "FacilityForm",
     "FacilityUserForm",
+    "FormContextMixin",
+    "GetAllottedFacilitiesMixin",
+    "GetUserFromContextMixin",
     "OrganisationForm",
     "SystemForm",
     "UserFacilityAllotmentForm",

diff --git a/fahari/common/forms/base_forms.py b/fahari/common/forms/base_forms.py
@@ -5,7 +5,7 @@
 from .mixins import FormContextMixin
 
 
-class BaseModelForm(ModelForm, FormContextMixin):
+class BaseModelForm(FormContextMixin, ModelForm):
     """Base form for the majority of model forms in the project."""
 
     def __init__(self, *args, **kwargs):

diff --git a/fahari/common/forms/mixins.py b/fahari/common/forms/mixins.py
@@ -1,14 +1,53 @@
-from typing import Any, Dict
+from typing import Any, Dict, Optional, Union
 
-from django.forms import Form
+from django.contrib.auth import get_user_model
+from django.db.models import Model
+from django.forms import ModelForm
 
+from ..models import Facility, UserFacilityAllotment
+from ..models.common_models import FacilityManager, FacilityQuerySet
 
-class FormContextMixin(Form):
-    def __init__(self, context: Dict[str, Any] = None, *args, **kwargs):
+User = get_user_model()
+
+
+class FormContextMixin(ModelForm):
+    """Add context to a form."""
+
+    def __init__(self, *args, **kwargs):
+        self._context: Dict[str, Any] = kwargs.pop("context", {})
         super().__init__(*args, **kwargs)
-        self._context: Dict[str, Any] = context or {}
 
     @property
-    def context(self):
+    def context(self) -> Dict[str, Any]:
         """Return the context as passed on the form during initialization."""
+
         return self._context
+
+
+class GetUserFromContextMixin(FormContextMixin):
+    """Add a method to retrieve the logged in user from a form's context."""
+
+    def get_logged_in_user(self) -> Optional[Model]:
+        """Determine and return the logged in user from the context."""
+
+        request = self.context.get("request", None)
+        user = getattr(request, "user", None) if request else None
+        return user
+
+
+class GetAllottedFacilitiesMixin(GetUserFromContextMixin):
+    """Add a method to retrieve the allotted facilities for the logged-in user.
+
+    The logged-in user is determined from a form's context data.
+    """
+
+    def get_allotted_facilities(self) -> Union[FacilityManager, FacilityQuerySet]:
+        """Return a queryset consisting of all the allotted facilities of the logged in user.
+
+        If the logged in user cannot be determined, then an empty queryset is returned instead.
+        """
+
+        user = self.get_logged_in_user()
+        if not user:
+            return Facility.objects.none()
+        return UserFacilityAllotment.get_facilities_for_user(user)
diff --git a/fahari/common/tests/test_api.py b/fahari/common/tests/test_api.py
@@ -76,6 +76,16 @@ def setUp(self):
         self.user.organisation = self.global_organisation
         self.user.save()
 
+        # Allot the given users to all the facilities in FYJ counties
+        self.user_facility_allotment = baker.make(
+            UserFacilityAllotment,
+            allotment_type=UserFacilityAllotment.AllotmentType.BY_REGION.value,
+            counties=WHITELIST_COUNTIES,
+            organisation=self.global_organisation,
+            region_type=UserFacilityAllotment.RegionType.COUNTY.value,
+            user=self.user,
+        )
+
         assert self.client.login(username=username, password="pass123") is True
 
         self.patch_organisation = partial(
@@ -610,10 +620,11 @@ def setUp(self):
         )
 
     def test_create(self):
+        user = baker.make(get_user_model(), organisation=self.global_organisation)
         data = {
             "allotment_type": self.by_facility.value,
             "facilities": map(lambda f: f.pk, self.facilities),
-            "user": self.user.pk,
+            "user": user.pk,
             "organisation": self.global_organisation.pk,
         }
         response = self.client.post(reverse("common:user_facility_allotment_create"), data=data)
@@ -623,21 +634,14 @@ def test_create(self):
         )
 
     def test_update(self):
-        instance: UserFacilityAllotment = baker.make(
-            UserFacilityAllotment,
-            allotment_type=self.by_facility.value,
-            facilities=self.facilities,
-            organisation=self.global_organisation,
-            user=self.user,
-        )
+        instance = self.user_facility_allotment
         data = {
             "pk": instance.pk,
-            "allotment_type": self.by_region.value,
-            "region_type": UserFacilityAllotment.RegionType.COUNTY.value,
-            "counties": ["Nairobi"],
+            "allotment_type": self.by_facility.value,
+            "facilities": map(lambda f: f.pk, self.facilities),
             "user": self.user.pk,
             "organisation": self.global_organisation.pk,
-            "active": True,
+            "active": False,
         }
         response = self.client.post(
             reverse("common:user_facility_allotment_update", kwargs={"pk": instance.pk}), data=data
@@ -648,12 +652,13 @@ def test_update(self):
         )
 
     def test_delete(self):
+        user = baker.make(get_user_model(), organisation=self.global_organisation)
         instance: UserFacilityAllotment = baker.make(
             UserFacilityAllotment,
             allotment_type=self.by_facility.value,
             facilities=self.facilities,
             organisation=self.global_organisation,
-            user=self.user,
+            user=user,
         )
         response = self.client.post(
             reverse("common:user_facility_allotment_delete", kwargs={"pk": instance.pk}),

diff --git a/fahari/common/views/__init__.py b/fahari/common/views/__init__.py
@@ -23,7 +23,7 @@
     UserFacilityAllotmentView,
     UserFacilityViewSet,
 )
-from .mixins import ApprovedMixin, BaseFormMixin, GetKwargsMixin
+from .mixins import ApprovedMixin, BaseFormMixin, FormContextMixin
 
 __all__ = [
     "AboutView",
@@ -40,7 +40,7 @@
     "FacilityUserViewSet",
     "FacilityView",
     "FacilityViewSet",
-    "GetKwargsMixin",
+    "FormContextMixin",
     "HomeView",
     "SystemCreateView",
     "SystemDeleteView",

diff --git a/fahari/common/views/common_views.py b/fahari/common/views/common_views.py
@@ -92,6 +92,7 @@ class FacilityViewSet(BaseView):
         "mfl_code",
         "registration_number",
     )
+    facility_field_lookup = "pk"
 
 
 class SystemContextMixin:

diff --git a/fahari/common/views/mixins.py b/fahari/common/views/mixins.py
@@ -1,3 +1,5 @@
+from typing import Any, Dict
+
 from django.contrib.auth import get_user_model
 from django.contrib.auth.mixins import (
     LoginRequiredMixin,
@@ -37,8 +39,22 @@ def form_valid(self, form):
         return super().form_valid(form)
 
 
-class GetKwargsMixin(ModelFormMixin, LoginRequiredMixin, View):
-    def get_form_kwargs(self):
+class FormContextMixin(ModelFormMixin, LoginRequiredMixin, View):
+    """Mixin to inject context data into a form."""
+
+    def get_form_context(self) -> Dict[str, Any]:
+        """Return the data to be used as a form's context."""
+
+        return {
+            "view": self,
+            "args": getattr(self, "args", ()),
+            "kwargs": getattr(self, "kwargs", {}),
+            "request": getattr(self, "request", None),
+        }
+
+    def get_form_kwargs(self) -> Dict[str, Any]:
+        """Extend the base implementation to add context data on the returned form kwargs."""
+
         kwargs = super().get_form_kwargs()
-        kwargs["request"] = self.request
+        kwargs["context"] = self.get_form_context()
         return kwargs