Restrict Unauthorized Users from Accessing Facility's Patient Registration

src/Components/Common/FacilitySelect.tsx

@@ -13,6 +13,7 @@ interface FacilitySelectProps {
  multiple?: boolean;
  facilityType?: number;
  district?: string;
+ state?: string;
  showAll?: boolean;
  showNOptions?: number;
  freeText?: boolean;
@@ -33,6 +34,7 @@ export const FacilitySelect = (props: FacilitySelectProps) => {
  className = "",
  facilityType,
  district,
+ state,
  freeText = false,
  errors = "",
  } = props;
@@ -47,6 +49,7 @@ export const FacilitySelect = (props: FacilitySelectProps) => {
  facility_type: facilityType,
  exclude_user: exclude_user,
  district,
+ state,
  };
 
  const { data } = await request(

src/Components/ExternalResult/FacilitiesSelectDialogue.tsx

@@ -3,6 +3,7 @@ import DialogModal from "../Common/Dialog";
 import { FacilitySelect } from "../Common/FacilitySelect";
 import { FacilityModel } from "../Facility/models";
 import { useTranslation } from "react-i18next";
+import useAuthUser from "../../Common/hooks/useAuthUser";
 
 interface Props {
  show: boolean;
@@ -15,6 +16,7 @@ interface Props {
 const FacilitiesSelectDialog = (props: Props) => {
  const { show, handleOk, handleCancel, selectedFacility, setSelected } = props;
  const { t } = useTranslation();
+ const authUser = useAuthUser();
 
  return (
  <DialogModal
@@ -29,6 +31,16 @@ const FacilitiesSelectDialog = (props: Props) => {
  errors=""
  showAll={false}
  multiple={false}
+ district={
+ authUser?.user_type === "DistrictAdmin"
+ ? authUser?.district?.toString()
+ : undefined
+ }
+ state={
+ authUser?.user_type === "StateAdmin"
+ ? authUser?.state?.toString()
+ : undefined
+ }
  />
  <div className="mt-4 flex flex-col gap-2 sm:flex-row sm:justify-end">
  <Cancel onClick={handleCancel} />

src/Components/Patient/ManagePatients.tsx

@@ -736,11 +736,29 @@ export const PatientManager = () => {
  <ButtonV2
  id="add-patient-details"
  onClick={() => {
- if (qParams.facility)
+ const showAllFacilityUsers = ["DistrictAdmin", "StateAdmin"];
+ if (
+ qParams.facility &&
+ showAllFacilityUsers.includes(authUser.user_type)
+ )
  navigate(`/facility/${qParams.facility}/patient`);
  else if (onlyAccessibleFacility)
  navigate(`/facility/${onlyAccessibleFacility.id}/patient`);
- else setShowDialog("create");
+ else if (
+ !showAllFacilityUsers.includes(authUser.user_type) &&
+ authUser.home_facility_object?.id !== qParams.facility
+ )
+ Notification.Error({
+ msg: "Oops! Non-Home facility users don't have permission to perform this action.",
+ });
+ else if (
+ !showAllFacilityUsers.includes(authUser.user_type) &&
+ authUser.home_facility_object?.id
+ ) {
+ navigate(
+ `/facility/${authUser.home_facility_object.id}/patient`,
+ );
+ } else setShowDialog("create");
  }}
  className="w-full lg:w-fit"
  >

src/Components/Patient/PatientHome.tsx

@@ -642,11 +642,25 @@ export const PatientHome = (props: any) => {
  className="mt-4 w-full"
  disabled={!patientData.is_active}
  authorizeFor={NonReadOnlyUsers}
- onClick={() =>
- navigate(
- `/facility/${patientData?.facility}/patient/${id}/update`,
- )
- }
+ onClick={() => {
+ const showAllFacilityUsers = [
+ "DistrictAdmin",
+ "StateAdmin",
+ ];
+ if (
+ !showAllFacilityUsers.includes(authUser.user_type) &&
+ authUser.home_facility_object?.id !==
+ patientData.facility
+ ) {
+ Notification.Error({
+ msg: "Oops! Non-Home facility users don't have permission to perform this action.",
+ });
+ } else {
+ navigate(
+ `/facility/${patientData?.facility}/patient/${id}/update`,
+ );
+ }
+ }}
  >
  <CareIcon icon="l-edit-alt" className="text-lg" />
  Update Details
@@ -808,6 +822,7 @@ export const PatientHome = (props: any) => {
  </div>
  </dl>
  </div>
+
  <div className="mt-2 flex">
  <ButtonV2
  className="mr-2 w-full bg-white hover:bg-gray-100"

src/Components/Patient/PatientRegister.tsx

@@ -62,6 +62,7 @@ import useAuthUser from "../../Common/hooks/useAuthUser.js";
 import useQuery from "../../Utils/request/useQuery.js";
 import routes from "../../Redux/api.js";
 import request from "../../Utils/request/request.js";
+import Error404 from "../ErrorPages/404";
 import SelectMenuV2 from "../Form/SelectMenuV2.js";
 
 const Loading = lazy(() => import("../Common/Loading"));
@@ -1061,6 +1062,34 @@ export const PatientRegister = (props: PatientRegisterProps) => {
  return <Loading />;
  }
 
+ const PatientRegisterAuth = () => {
+ const showAllFacilityUsers = ["DistrictAdmin", "StateAdmin"];
+ if (
+ !showAllFacilityUsers.includes(authUser.user_type) &&
+ authUser.home_facility_object?.id === facilityId
+ ) {
+ return true;
+ }
+ if (
+ authUser.user_type === "DistrictAdmin" &&
+ authUser.district === facilityObject?.district
+ ) {
+ return true;
+ }
+ if (
+ authUser.user_type === "StateAdmin" &&
+ authUser.state === facilityObject?.state
+ ) {
+ return true;
+ }
+
+ return false;
+ };
+
+ if (!isLoading && facilityId && facilityObject && !PatientRegisterAuth()) {
+ return <Error404 />;
+ }
+
  return (
  <div className="px-2 pb-2">
  {statusDialog.show && (