From 6ad315f5760c93bc140a484da06bdd710ccab922 Mon Sep 17 00:00:00 2001 From: Sabi Date: Fri, 29 Mar 2024 10:08:22 +0000 Subject: [PATCH] fix permissions exception was not caught and there was an old assumption in the test that staff is the only one who can see the hospitals and patients but that is not true anymore as discussed with Mark --- tmh_registry/registry/tests/api/viewsets/test_hospitals.py | 4 ++-- tmh_registry/registry/tests/api/viewsets/test_patients.py | 4 ++-- tmh_registry/users/api/permissions.py | 4 +++- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/tmh_registry/registry/tests/api/viewsets/test_hospitals.py b/tmh_registry/registry/tests/api/viewsets/test_hospitals.py index cfcbe04..a38f76e 100644 --- a/tmh_registry/registry/tests/api/viewsets/test_hospitals.py +++ b/tmh_registry/registry/tests/api/viewsets/test_hospitals.py @@ -53,7 +53,7 @@ def test_get_hospitals_list_from_non_admin_user(self): self.client.credentials(HTTP_AUTHORIZATION="Token " + self.token.key) response = self.client.get("/api/v1/hospitals/", format="json") - self.assertEqual(HTTP_403_FORBIDDEN, response.status_code) + self.assertEqual(HTTP_200_OK, response.status_code) def test_get_hospitals_list_from_non_medical_personnel_user(self): self.non_mp_user = UserFactory() @@ -95,7 +95,7 @@ def test_get_hospitals_detail_from_non_admin_user(self): f"/api/v1/hospitals/{self.hospital.id}/", format="json" ) - self.assertEqual(HTTP_403_FORBIDDEN, response.status_code) + self.assertEqual(HTTP_200_OK, response.status_code) def test_get_hospitals_detail_from_non_medical_personnel_user(self): self.non_mp_user = UserFactory() diff --git a/tmh_registry/registry/tests/api/viewsets/test_patients.py b/tmh_registry/registry/tests/api/viewsets/test_patients.py index e932ee9..0927e0e 100644 --- a/tmh_registry/registry/tests/api/viewsets/test_patients.py +++ b/tmh_registry/registry/tests/api/viewsets/test_patients.py 
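Review bot: The new `HTTP_200_OK` assertions in both test_hospitals.py hunks (and the two matching hunks in test_patients.py) check only the status code, so after these endpoints are opened to every medical-personnel user nothing verifies which hospitals or patients a non-admin user can actually read. If the view scopes results per user, assert on the body here as well (for example that only the expected ids appear in `response.json()`); if it does not, a test named `test_get_hospitals_list_from_non_admin_user` now documents that any medical-personnel user sees the full list, and its name or a comment could say so. The enclosing test methods start before the hunk and the `rest_framework.status` import is outside it too, so confirm `HTTP_200_OK` is imported in both modules before relying on these tests.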
@@ -190,7 +190,7 @@ def test_get_patients_list_from_non_admin_user(self): client.credentials(HTTP_AUTHORIZATION="Token " + non_admin_token.key) response = client.get("/api/v1/patients/", format="json") - self.assertEqual(HTTP_403_FORBIDDEN, response.status_code) + self.assertEqual(HTTP_200_OK, response.status_code) def test_get_patients_list_from_non_medical_personnel_user(self): non_mp_user = UserFactory() @@ -256,7 +256,7 @@ def test_get_patients_detail_from_non_admin_user(self): f"/api/v1/patients/{self.patient.id}/", format="json" ) - self.assertEqual(HTTP_403_FORBIDDEN, response.status_code) + self.assertEqual(HTTP_200_OK, response.status_code) def test_get_patients_detail_from_non_medical_personnel_user(self): non_mp_user = UserFactory() diff --git a/tmh_registry/users/api/permissions.py b/tmh_registry/users/api/permissions.py index 3568509..8ecac95 100644 --- a/tmh_registry/users/api/permissions.py +++ b/tmh_registry/users/api/permissions.py @@ -10,8 +10,10 @@ class IsMedicalPersonnel(permissions.BasePermission): def has_permission(self, request, view): try: - return request.user.medical_personnel.user.is_staff + request.user.medical_personnel except MedicalPersonnel.DoesNotExist: return False except builtins.Exception: return False + + return True
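Review bot: The bare expression `request.user.medical_personnel` on the new line in `has_permission` reads as a no-op, and the surrounding `except builtins.Exception: return False` now turns any unexpected error during that lookup (a database error, a renamed related field) into a silent permission denial that looks identical to a legitimate 403 and is never surfaced. An unauthenticated request presumably reaches this method as an `AnonymousUser` without a `medical_personnel` attribute, which is the `AttributeError` the catch-all is most likely standing in for; checking `is_authenticated` explicitly lets the handler be narrowed to `MedicalPersonnel.DoesNotExist`, and if a catch-all is kept for fail-closed behaviour it should at least `logger.exception(...)` so misconfiguration is visible. The rest of the class, including any `has_object_permission`, is outside the hunk, so I can only speak to this method.
```python
    def has_permission(self, request, view):
        user = request.user
        # Anonymous users have no medical_personnel relation; deny them
        # explicitly instead of relying on a catch-all exception handler.
        if not user.is_authenticated:
            return False
        try:
            user.medical_personnel  # raises DoesNotExist when no profile is linked
        except MedicalPersonnel.DoesNotExist:
            return False
        return True
```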