As a developer, we have to secure the exposed endpoints (APIs) according to the desired permission rules.
...
To check these roles (in the backend), the recommendation is to make the constant used for the check configurable via the module configuration:
Example (claim read access):
in openimis-be-claim_py/claim/app.py:
DEFAULT_CFG = { [...]
... and check it via the standard Django permission mechanism in openimis-be-claim_py/claim/schema.py:
def resolve_claims(self, info, **kwargs): [...]
We recommend (and this is what is in place in reference modules such as claims, ...) enforcing the fine-grained security in the Django model itself (overriding the 'get_query' method). This ensures that security applies whatever endpoint technology (GraphQL, FHIR, ...) exposes it.
Example (claim limit by user's registered HF):
in openimis-be-claim_py/claim/models.py:
@classmethod
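The two layers described above (a configurable right code checked in the resolver, then row filtering in the model so it holds for every endpoint technology), as an added example that is not the openIMIS module's own code. It is plain Python with no Django dependency so it runs stand-alone; the config key gql_query_claims_perms, the right code 111001, the User and Claim classes, and the get_queryset and resolve_claims signatures are assumptions modelled on the pattern, not the project's real names.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Layer 1: the right code used for the check comes from the module
# configuration, so a deployment can change it without touching code.
# "111001" is a constructed sample right code (assumption).
DEFAULT_CFG = {
    "gql_query_claims_perms": ["111001"],
}


class ClaimConfig:
    gql_query_claims_perms = DEFAULT_CFG["gql_query_claims_perms"]

    @classmethod
    def load(cls, cfg: dict) -> None:
        # Deployment configuration overrides the defaults key by key.
        cls.gql_query_claims_perms = cfg.get(
            "gql_query_claims_perms", DEFAULT_CFG["gql_query_claims_perms"])


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    username: str
    rights: set                                # right codes granted to the user
    health_facility_id: Optional[int] = None   # None: not bound to one HF
    is_anonymous: bool = False

    def has_perms(self, perms: Iterable[str]) -> bool:
        # Same contract as Django's User.has_perms: every perm must be granted.
        return all(p in self.rights for p in perms)


@dataclass
class Claim:
    id: int
    code: str
    health_facility_id: int

    @classmethod
    def get_queryset(cls, queryset: Iterable["Claim"], user: User) -> List["Claim"]:
        # Layer 2: row-level security on the model itself, so it applies
        # whatever endpoint (GraphQL, FHIR, ...) exposes the claims, even one
        # that forgot the resolver-level permission check.
        if user.is_anonymous:
            return []                              # nothing for anonymous users
        if user.health_facility_id is None:
            return list(queryset)                  # user not restricted to an HF
        return [c for c in queryset
                if c.health_facility_id == user.health_facility_id]


def resolve_claims(user: User, all_claims: Iterable[Claim]) -> List[Claim]:
    # Layer 1 check in the GraphQL resolver, using the configured constant ...
    if not user.has_perms(ClaimConfig.gql_query_claims_perms):
        raise PermissionDenied("claim read access denied")
    # ... then row filtering is delegated to the model, never re-implemented here.
    return Claim.get_queryset(all_claims, user)


# Constructed sample data for the demonstration.
CLAIMS = [
    Claim(1, "CL-A", health_facility_id=10),
    Claim(2, "CL-B", health_facility_id=10),
    Claim(3, "CL-C", health_facility_id=20),
]


def visible_codes(user: User) -> List[str]:
    # Claim codes the user may read through the resolver (raises if denied).
    return [c.code for c in resolve_claims(user, CLAIMS)]


if __name__ == "__main__":
    print(visible_codes(User("hf_clerk", {"111001"}, health_facility_id=10)))
    print(visible_codes(User("district_mgr", {"111001"})))
    # Model-level filter alone, bypassing the resolver: still empty for anonymous.
    print(Claim.get_queryset(CLAIMS, User("anon", set(), is_anonymous=True)))
```

Calling Claim.get_queryset directly (as the last line does) shows why the model is the right place for the filter: a new endpoint that skips the resolver check still cannot leak another facility's claims or serve anonymous callers.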
For finer-grained (rule-based, object-level) security, the django-rules module has been configured and is readily available for use (declaring predicates, ...). It is however not yet used at the time of writing.