Abi | add. privilege checks for endpoints (#54)

api/src/main/resources/liquibase.xml

@@ -467,5 +467,64 @@
             '2024-04-11 19:00:00', 'MM/dd/yyyy HH:mm:ss', 86400, true, 1, NOW(), UUID());
         </sql>
     </changeSet>
-
+    <changeSet id="ipd-edit-medication-tasks" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Edit Medication Tasks'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Edit Medication Tasks"/>
+            <column name="description" value="Edit Medication Tasks description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
+    <changeSet id="ipd-delete-medication-tasks" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Delete Medication Tasks'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Delete Medication Tasks"/>
+            <column name="description" value="Delete Medication Tasks description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
+    <changeSet id="ipd-edit-adhoc-medication-tasks" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Edit adhoc medication tasks'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Edit adhoc medication tasks"/>
+            <column name="description" value="Edit adhoc medication tasks description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
+    <changeSet id="ipd-edit-medication-administration-tasks" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Edit Medication Administration'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Edit Medication Administration"/>
+            <column name="description" value="Edit Medication Administration description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
+    <changeSet id="ipd-get-medication-administration" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Get Medication Administration'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Get Medication Administration"/>
+            <column name="description" value="Get Medication Administration description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
+    <changeSet id="ipd-get-medication-tasks" author="Bahmni">
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">select count(*) from privilege where privilege = 'Get Medication Tasks'</sqlCheck>
+        </preConditions>
+        <insert tableName="privilege">
+            <column name="privilege" value="Get Medication Tasks"/>
+            <column name="description" value="Get Medication Tasks description"/>
+            <column name="uuid" valueComputed="uuid()"/>
+        </insert>
+    </changeSet>
 </databaseChangeLog>

omod/src/main/java/org/openmrs/module/ipd/controller/IPDMedicationAdministrationController.java

@@ -2,12 +2,14 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.hl7.fhir.r4.model.MedicationAdministration;
+import org.openmrs.api.context.Context;
 import org.openmrs.module.fhir2.apiext.dao.FhirMedicationAdministrationDao;
 import org.openmrs.module.ipd.api.service.SlotService;
 import org.openmrs.module.ipd.contract.MedicationAdministrationRequest;
 import org.openmrs.module.ipd.contract.MedicationAdministrationResponse;
 import org.openmrs.module.ipd.factory.MedicationAdministrationFactory;
 import org.openmrs.module.ipd.service.IPDMedicationAdministrationService;
+import org.openmrs.module.ipd.util.PrivilegeConstants;
 import org.openmrs.module.webservices.rest.web.RestConstants;
 import org.openmrs.module.webservices.rest.web.RestUtil;
 import org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController;
@@ -19,8 +21,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import static org.springframework.http.HttpStatus.BAD_REQUEST;
-import static org.springframework.http.HttpStatus.OK;
+import static org.springframework.http.HttpStatus.*;
 
 @Controller
 @RequestMapping(value = "/rest/" + RestConstants.VERSION_1 + "/ipd")
@@ -43,6 +44,9 @@ public IPDMedicationAdministrationController(IPDMedicationAdministrationService
     @ResponseBody
     public ResponseEntity<Object> createScheduledMedicationAdministration(@RequestBody List<MedicationAdministrationRequest> medicationAdministrationRequestList) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.EDIT_MEDICATION_ADMINISTRATION)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege " + PrivilegeConstants.EDIT_MEDICATION_ADMINISTRATION), FORBIDDEN);
+            }
             List<MedicationAdministrationResponse> medicationAdministrationResponseList = new ArrayList<>();
             for (MedicationAdministrationRequest medicationAdministrationRequest : medicationAdministrationRequestList) {
                 MedicationAdministration medicationAdministration = ipdMedicationAdministrationService.saveScheduledMedicationAdministration(medicationAdministrationRequest);
@@ -59,6 +63,9 @@ public ResponseEntity<Object> createScheduledMedicationAdministration(@RequestBo
     @ResponseBody
     public ResponseEntity<Object> createAdhocMedicationAdministration(@RequestBody MedicationAdministrationRequest medicationAdministrationRequest) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.EDIT_ADHOC_MEDICATION_TASKS) || !Context.getUserContext().hasPrivilege(PrivilegeConstants.EDIT_MEDICATION_ADMINISTRATION)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege(s) " + PrivilegeConstants.EDIT_MEDICATION_TASKS + ", "+PrivilegeConstants.EDIT_MEDICATION_ADMINISTRATION), FORBIDDEN);
+            }
             MedicationAdministration medicationAdministration = ipdMedicationAdministrationService.saveAdhocMedicationAdministration(medicationAdministrationRequest);
             MedicationAdministrationResponse medicationAdministrationResponse = medicationAdministrationFactory.mapMedicationAdministrationToResponse(medicationAdministration);
             return new ResponseEntity<>(medicationAdministrationResponse, OK);

omod/src/main/java/org/openmrs/module/ipd/controller/IPDScheduleController.java

@@ -2,10 +2,12 @@
 
 import com.google.common.collect.Lists;
 import lombok.extern.slf4j.Slf4j;
+import org.bahmni.module.bahmnicore.util.WebUtils;
 import org.openmrs.Patient;
 import org.openmrs.Visit;
 import org.openmrs.api.PatientService;
 import org.openmrs.api.VisitService;
+import org.openmrs.api.context.Context;
 import org.openmrs.module.ipd.api.model.Schedule;
 import org.openmrs.module.ipd.api.model.ServiceType;
 import org.openmrs.module.ipd.api.model.Slot;
@@ -18,10 +20,12 @@
 import org.openmrs.module.ipd.contract.ScheduleMedicationResponse;
 import org.openmrs.module.ipd.model.PatientMedicationSummary;
 import org.openmrs.module.ipd.service.IPDScheduleService;
+import org.openmrs.module.ipd.util.PrivilegeConstants;
 import org.openmrs.module.webservices.rest.web.RestConstants;
 import org.openmrs.module.webservices.rest.web.RestUtil;
 import org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
@@ -36,6 +40,7 @@
 import static org.openmrs.module.ipd.contract.MedicationScheduleResponse.createFrom;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
 import static org.springframework.http.HttpStatus.OK;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
 
 @Controller
 @RequestMapping(value = "/rest/" + RestConstants.VERSION_1 + "/ipd/schedule")
@@ -59,6 +64,9 @@ public IPDScheduleController(IPDScheduleService ipdScheduleService, VisitService
     @ResponseBody
     public ResponseEntity<Object> createMedicationSchedule(@RequestBody ScheduleMedicationRequest scheduleMedicationRequest) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.EDIT_MEDICATION_TASKS)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege " + PrivilegeConstants.EDIT_MEDICATION_TASKS), FORBIDDEN);
+            }
             Schedule schedule = ipdScheduleService.saveMedicationSchedule(scheduleMedicationRequest);
             return new ResponseEntity<>(ScheduleMedicationResponse.constructFrom(schedule), OK);
         } catch (Exception e) {
@@ -71,6 +79,9 @@ public ResponseEntity<Object> createMedicationSchedule(@RequestBody ScheduleMedi
     @ResponseBody
     public ResponseEntity<Object> updateMedicationSchedule(@RequestBody ScheduleMedicationRequest scheduleMedicationRequest) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.EDIT_MEDICATION_TASKS)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege " + PrivilegeConstants.EDIT_MEDICATION_TASKS), FORBIDDEN);
+            }
             Schedule schedule = ipdScheduleService.updateMedicationSchedule(scheduleMedicationRequest);
             return new ResponseEntity<>(ScheduleMedicationResponse.constructFrom(schedule), OK);
         } catch (Exception e) {
@@ -86,6 +97,9 @@ public ResponseEntity<Object> getMedicationSlotsByDate(@RequestParam(value = "pa
                                                            @RequestParam(value = "visitUuid",required = false) String visitUuid,
                                                            @RequestParam(value = "view", required = false) String view) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_ADMINISTRATION) || !Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_TASKS)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege(s) " + PrivilegeConstants.EDIT_MEDICATION_TASKS+", "+PrivilegeConstants.GET_MEDICATION_TASKS), FORBIDDEN);
+            }
 ;            if (startTime != null && endTime != null) {
                 LocalDateTime localStartDate = convertEpocUTCToLocalTimeZone(startTime);
                 LocalDateTime localEndDate = convertEpocUTCToLocalTimeZone(endTime);
@@ -108,6 +122,9 @@ public ResponseEntity<Object> getMedicationSlotsByOrderUuids(@RequestParam(value
                                                                  @RequestParam(value = "serviceType", required = false) ServiceType serviceType,
                                                                  @RequestParam(value = "orderUuids", required = false) List<String> orderUuids) {
         try {
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_ADMINISTRATION) || !Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_TASKS)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege(s) " + PrivilegeConstants.EDIT_MEDICATION_TASKS+" "+PrivilegeConstants.GET_MEDICATION_TASKS), FORBIDDEN);
+            }
             List<Slot> slots;
             if (orderUuids == null || orderUuids.isEmpty()) {
                 slots =

omod/src/main/java/org/openmrs/module/ipd/controller/IPDVisitController.java

@@ -1,23 +1,30 @@
 package org.openmrs.module.ipd.controller;
 
 import lombok.extern.slf4j.Slf4j;
+import org.openmrs.api.context.Context;
 import org.openmrs.module.ipd.api.model.ServiceType;
 import org.openmrs.module.ipd.api.model.Slot;
 import org.openmrs.module.ipd.contract.IPDDrugOrderResponse;
 import org.openmrs.module.ipd.contract.IPDTreatmentsResponse;
 import org.openmrs.module.ipd.contract.MedicationAdministrationResponse;
 import org.openmrs.module.ipd.model.IPDDrugOrder;
 import org.openmrs.module.ipd.service.IPDVisitService;
+import org.openmrs.module.ipd.util.PrivilegeConstants;
 import org.openmrs.module.webservices.rest.web.RestConstants;
+import org.openmrs.module.webservices.rest.web.RestUtil;
 import org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 
 import java.text.ParseException;
 import java.util.*;
 import java.util.stream.Collectors;
 
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.HttpStatus.OK;
+
 @Controller
 @RequestMapping(value = "/rest/" + RestConstants.VERSION_1 + "/ipdVisit/{visitUuid}")
 @Slf4j
@@ -32,17 +39,19 @@ public IPDVisitController(IPDVisitService ipdVisitService) {
 
     @RequestMapping(value = "/medication", method = RequestMethod.GET)
     @ResponseBody
-    public IPDTreatmentsResponse getVisitWiseMedications (
+    public ResponseEntity<Object> getVisitWiseMedications (
             @PathVariable("visitUuid") String visitUuid,
             @RequestParam(value = "includes", required = false) List<String> includes) throws ParseException {
-
-        List<IPDDrugOrder> prescribedOrders = ipdVisitService.getPrescribedOrders(visitUuid, true, null, null, null, false);
-        List<IPDDrugOrderResponse> prescribedOrderResponse = prescribedOrders.stream().map(IPDDrugOrderResponse::createFrom).collect(Collectors.toList());
-        List<MedicationAdministrationResponse> emergencyMedications = null;
-        if (includes != null && includes.contains("emergencyMedications")) {
-            List<Slot> emergencyMedicationSlots = ipdVisitService.getMedicationSlots(visitUuid, ServiceType.EMERGENCY_MEDICATION_REQUEST);
-            emergencyMedications = emergencyMedicationSlots.stream().map(slot -> MedicationAdministrationResponse.createFrom(slot.getMedicationAdministration())).collect(Collectors.toList());
-        }
-        return IPDTreatmentsResponse.createFrom(prescribedOrderResponse, emergencyMedications);
+            if (!Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_ADMINISTRATION) || !Context.getUserContext().hasPrivilege(PrivilegeConstants.GET_MEDICATION_TASKS)) {
+                return new ResponseEntity<>(RestUtil.wrapErrorResponse(new Exception(), "User doesn't have the following privilege(s) " + PrivilegeConstants.EDIT_MEDICATION_TASKS + ", " + PrivilegeConstants.GET_MEDICATION_TASKS), FORBIDDEN);
+            }
+            List<IPDDrugOrder> prescribedOrders = ipdVisitService.getPrescribedOrders(visitUuid, true, null, null, null, false);
+            List<IPDDrugOrderResponse> prescribedOrderResponse = prescribedOrders.stream().map(IPDDrugOrderResponse::createFrom).collect(Collectors.toList());
+            List<MedicationAdministrationResponse> emergencyMedications = null;
+            if (includes != null && includes.contains("emergencyMedications")) {
+                List<Slot> emergencyMedicationSlots = ipdVisitService.getMedicationSlots(visitUuid, ServiceType.EMERGENCY_MEDICATION_REQUEST);
+                emergencyMedications = emergencyMedicationSlots.stream().map(slot -> MedicationAdministrationResponse.createFrom(slot.getMedicationAdministration())).collect(Collectors.toList());
+            }
+            return new ResponseEntity(IPDTreatmentsResponse.createFrom(prescribedOrderResponse, emergencyMedications), OK);
     }
 }

omod/src/main/java/org/openmrs/module/ipd/util/PrivilegeConstants.java

@@ -0,0 +1,19 @@
+package org.openmrs.module.ipd.util;
+
+import org.openmrs.annotation.AddOnStartup;
+
+public class PrivilegeConstants {
+
+    @AddOnStartup(description = "Edit Medication Tasks description")
+    public static final String EDIT_MEDICATION_TASKS = "Edit Medication Tasks";
+    @AddOnStartup(description = "Delete Medication Tasks description")
+    public static final String DELETE_MEDICATION_TASKS = "Delete Medication Tasks";
+    @AddOnStartup(description = "Edit adhoc medication tasks description")
+    public static final String EDIT_ADHOC_MEDICATION_TASKS = "Edit adhoc medication tasks";
+    @AddOnStartup(description = "Edit Medication Administration description")
+    public static final String EDIT_MEDICATION_ADMINISTRATION = "Edit Medication Administration";
+    @AddOnStartup(description = "Get Medication Administration description")
+    public static final String GET_MEDICATION_ADMINISTRATION = "Get Medication Administration";
+    @AddOnStartup(description = "Get Medication Tasks description")
+    public static final String GET_MEDICATION_TASKS = "Get Medication Tasks";
+}