@vankineenitawrun There is some example ACs. So you can plan the work which can fulfill this ACs,
We should able to add accessible locations for roles as well.
If a userRole has accessible locations, and a user with that user role doesnât have accessible locations -> then assign that userRole based accessible locations for that user.
If a userRole has accessible locations, then if a user with that userRole also has accessible locations, we should give priority to user-based accessible location properties.
If a userRole doesnât have accessible locations, and a user with that userRole has accessible locations, then we should take user based accessible location properties.
If the user role and user both havenât accessible location properties, the accessible location property will be empty if that system enabled LBAC.
Role Class has only Role name , Privileges, inheritedRoles, childRoles and extends BaseOpenmrsMetadata
Also Privilege has String name, String description and extends BaseOpenmrsMetadata .
BaseOpenmrsMetadata which has metadata fields like created, updates etc.
Before installation of LBAC module for every Location in the Database we add corresponding Privilega into the DataBase using UserService.savePrivilege(Privilage p) .
Later user can have Roles can with this privileges.
Then we change the getUserAccessibleLocationUuids(User authenticatedUser) of Locationutils, where the UserLocationUuids along with his role accessible locationsUuids list is returned.
Since it needs a lot of work to assign locations for each and every user. Rather than that, they can simply assign location access to the user roles. So it can work for them also.
As for easy of implementers, we are providing this features. If they want role based access control - use it, or user based access control - also can use it
Further, if a doctor user role has access to LocA, LocB, LocC. And a userD who is belongs to that doctor role was assigned only to LocA. Finally the userD can only access to locA.
User can login in only to Locations with LocationTag as AppFrameworkConstants.LOCATION_TAG_SUPPORTS_LOGIN which are used in LoginPageController in this Linemodel.addAttribute("locations",appFrameworkService.getLoginLocations()).The Locations which are in User Property has AllActiveLocations. Making first Location in User property as session default location does not allow to login the user.
But here its not there as it is not a login Location so a user with Amani Hospital as a user Property and it being first in the List doesnât Allow us to Login.
So we need to change List<Location> activeLocations = Context.getLocationService().getAllLocations() at this Line to get only locations with TAG AppFrameworkConstants.LOCATION_TAG_SUPPORTS_LOGIN.
Also, the Header Fragment of the Openmrs gets Locations with the same TAG, at this Line .
The appFrameworkService.getLoginLocations() always gets the Locations with TAG AppFrameworkConstants.LOCATION_TAG_SUPPORTS_LOGIN at this Line
To get the User Accessible locations from the Roles we need to check every privilege whether does it belongs to any location access and appends the corresponding location to List. Assign the Locations List as User property to user.
Blocker: LBAC-33
Enable encounter access based on patient location or multiple admitted/channelled locations.
In the current system, we use Encounter Location for access checking we need to change it to Location of the corresponding patient.
Need to work out both the Issues as per the timeline
@suthagar23 in current system Encouters are only restricted by the Location based on user and the Encouter Location should we change that to based on the location of the person in the Encouter.?
yes, that is the primary plan for this task. Since there can be multiple encounters for a patient during a period. Then finally a doctor can only view the encounters by one location.
By this change, a doctor need to view all the past encounters of that patient.
Isnât that same since patient also has only one Location. so, for a doctor he can access only if encounterâs patient location matches with doctors locations.
we can change the current implementation to not remove any encounters when being called for methods getEncountersByPatient and getEncountersByPatientId. As these are used for doctors to get encounters of a patient and so they get all previous encounters of the patient.
But As Doctor can only see the patients who are of his Locations then making Encounters access based on patient Location is of no use. As Doctors locations are a superset of patient Location.