fix permissions

exception was not caught and there was an old assumption in the test that staff is the only one who can see the hospitals and patients but that is not true anymore as discussed with Mark
swiftss-org · Mar 29, 2024 · 6ad315f · 6ad315f
1 parent 53e8f77
commit 6ad315f
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/tmh_registry/registry/tests/api/viewsets/test_hospitals.py b/tmh_registry/registry/tests/api/viewsets/test_hospitals.py
@@ -53,7 +53,7 @@ def test_get_hospitals_list_from_non_admin_user(self):
         self.client.credentials(HTTP_AUTHORIZATION="Token " + self.token.key)
         response = self.client.get("/api/v1/hospitals/", format="json")
 
-        self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+        self.assertEqual(HTTP_200_OK, response.status_code)
 
     def test_get_hospitals_list_from_non_medical_personnel_user(self):
         self.non_mp_user = UserFactory()
@@ -95,7 +95,7 @@ def test_get_hospitals_detail_from_non_admin_user(self):
             f"/api/v1/hospitals/{self.hospital.id}/", format="json"
         )
 
-        self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+        self.assertEqual(HTTP_200_OK, response.status_code)
 
     def test_get_hospitals_detail_from_non_medical_personnel_user(self):
         self.non_mp_user = UserFactory()

diff --git a/tmh_registry/registry/tests/api/viewsets/test_patients.py b/tmh_registry/registry/tests/api/viewsets/test_patients.py
@@ -190,7 +190,7 @@ def test_get_patients_list_from_non_admin_user(self):
         client.credentials(HTTP_AUTHORIZATION="Token " + non_admin_token.key)
         response = client.get("/api/v1/patients/", format="json")
 
-        self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+        self.assertEqual(HTTP_200_OK, response.status_code)
 
     def test_get_patients_list_from_non_medical_personnel_user(self):
         non_mp_user = UserFactory()
@@ -256,7 +256,7 @@ def test_get_patients_detail_from_non_admin_user(self):
             f"/api/v1/patients/{self.patient.id}/", format="json"
         )
 
-        self.assertEqual(HTTP_403_FORBIDDEN, response.status_code)
+        self.assertEqual(HTTP_200_OK, response.status_code)
 
     def test_get_patients_detail_from_non_medical_personnel_user(self):
         non_mp_user = UserFactory()

diff --git a/tmh_registry/users/api/permissions.py b/tmh_registry/users/api/permissions.py
@@ -10,8 +10,10 @@ class IsMedicalPersonnel(permissions.BasePermission):
 
     def has_permission(self, request, view):
         try:
-            return request.user.medical_personnel.user.is_staff
+            request.user.medical_personnel
         except MedicalPersonnel.DoesNotExist:
             return False
         except builtins.Exception:
             return False
+
+        return True