...
The FHIR API permissions check is based on the Python `DjangoModelPermissions` class.
More information can be found here:
https://www.django-rest-framework.org/api-guide/permissions/#permissions
Implementation details:
The API_FHIR module defines the `FHIRApiPermissions` class, which extends `DjangoModelPermissions` (from `rest_framework.permissions`).
```python
from rest_framework.permissions import DjangoModelPermissions


class FHIRApiPermissions(DjangoModelPermissions):
    # Permission templates required for each HTTP operation.
    permissions_get = ['%(app_label)s.view_%(model_name)s']
    permissions_post = ['%(app_label)s.add_%(model_name)s']
    permissions_put = ['%(app_label)s.change_%(model_name)s']
    permissions_patch = ['%(app_label)s.change_%(model_name)s']
    permissions_delete = ['%(app_label)s.delete_%(model_name)s']

    def __init__(self):
        # perms_map is a class-level dict inherited from DjangoModelPermissions;
        # these assignments update that shared mapping in place.
        self.perms_map['GET'] = self.permissions_get
        self.perms_map['POST'] = self.permissions_post
        self.perms_map['PUT'] = self.permissions_put
        self.perms_map['PATCH'] = self.permissions_patch
        self.perms_map['DELETE'] = self.permissions_delete
```
The following attributes can be used to specify the list of required permissions (split by HTTP operation):
- permissions_get
- permissions_post
- permissions_put
- permissions_patch
- permissions_delete
For instance, to execute GET on the Patient endpoint (OpenIMIS Insuree model), the user needs to have the following permission:
insuree.view_insurees
The `FHIRApiPermissions` class is injected into FHIR API views using the `permission_classes` attribute.
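The `__init__` shown above assigns into `perms_map`, which `DjangoModelPermissions` defines as a class-level dict, so subclasses that override the `permissions_*` attributes all write to one shared mapping. The following added example (not openIMIS code) models this with a stand-in base class so it runs without Django; `StandInModelPermissions`, `CustomGet`, `demo_app` and `record` are constructed names, and `CopyingPermissions` is one per-instance alternative, shown for comparison.

```python
# Stand-in for rest_framework.permissions.DjangoModelPermissions so the example
# runs without Django; like the real class, perms_map is a class-level dict.
class StandInModelPermissions:
    perms_map = {
        'GET': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def required(self, method, app_label, model_name):
        """Expand the templates registered for one HTTP method."""
        names = {'app_label': app_label, 'model_name': model_name}
        return [template % names for template in self.perms_map[method]]


class InPlacePermissions(StandInModelPermissions):
    """Same __init__ pattern as FHIRApiPermissions: writes into the shared dict."""
    permissions_get = ['%(app_label)s.view_%(model_name)s']

    def __init__(self):
        self.perms_map['GET'] = self.permissions_get


class CopyingPermissions(StandInModelPermissions):
    """Variant that gives every instance its own copy of the mapping."""
    permissions_get = ['%(app_label)s.view_%(model_name)s']

    def __init__(self):
        self.perms_map = {**self.perms_map, 'GET': self.permissions_get}


def get_requirement_after_override(base_cls):
    """Create a default checker, then a checker from a subclass with a custom
    GET permission, and return what the default checker now requires for GET."""
    class CustomGet(base_cls):  # hypothetical endpoint-specific subclass
        permissions_get = ['%(app_label)s.custom_read']

    default_checker = base_cls()
    CustomGet()  # e.g. instantiated while serving a request to another endpoint
    return default_checker.required('GET', 'demo_app', 'record')


if __name__ == '__main__':
    print(get_requirement_after_override(InPlacePermissions))
    print(get_requirement_after_override(CopyingPermissions))
```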