[BUG] fix Location/ Bed Management issue ( District Lab Admin Account) (

#1959)

* fixing permission issue

* added tests

care/facility/models/mixins/permissions/facility.py

@@ -67,8 +67,19 @@ def has_cover_image_delete_permission(request):
         )
 
     def has_object_read_permission(self, request):
-        return super().has_object_read_permission(request) or self.users.contains(
-            request.user
+        return (
+            super().has_object_read_permission(request)
+            or self.users.contains(request.user)
+            or (
+                hasattr(self, "state")
+                and request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]
+                and request.user.state == self.state
+            )
+            or (
+                hasattr(self, "district")
+                and request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]
+                and request.user.district == self.district
+            )
         )
 
     def has_object_write_permission(self, request):
@@ -124,6 +135,16 @@ def has_object_read_permission(self, request):
         return (
             super().has_object_read_permission(request)
             or request.user.is_superuser
+            or (
+                hasattr(self.facility, "state")
+                and request.user.user_type >= User.TYPE_VALUE_MAP["StateLabAdmin"]
+                and request.user.state == self.facility.state
+            )
+            or (
+                hasattr(self.facility, "district")
+                and request.user.user_type >= User.TYPE_VALUE_MAP["DistrictLabAdmin"]
+                and request.user.district == self.facility.district
+            )
             or request.user in self.facility.users.all()
         )
 

care/facility/tests/test_asset_location_api.py

@@ -112,3 +112,28 @@ def test_delete_asset_location_with_no_assets_and_beds(self):
             f"/api/v1/facility/{self.facility.external_id}/asset_location/{self.asset_location.external_id}/",
         )
         self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+
+    def test_user_access_to_asset_location_on_user_type(self):
+        # when a user is a state_lab_admin or a district_lab_admin
+        state_lab_admin = self.create_user(
+            "state_lab_admin", self.district, user_type=35
+        )
+        district_lab_admin = self.create_user(
+            "district_lab_admin", self.district, user_type=25
+        )
+
+        self.client.force_authenticate(user=state_lab_admin)
+
+        # when they try to access a asset_location in their state or district then they
+        # should be able to do so without permission issue
+        response = self.client.get(
+            f"/api/v1/facility/{self.facility.external_id}/asset_location/{self.asset_location_with_linked_bed.external_id}/"
+        )
+
+        self.assertIs(response.status_code, status.HTTP_200_OK)
+
+        self.client.force_authenticate(user=district_lab_admin)
+        response = self.client.get(
+            f"/api/v1/facility/{self.facility.external_id}/asset_location/{self.asset_location_with_linked_bed.external_id}/"
+        )
+        self.assertIs(response.status_code, status.HTTP_200_OK)

care/facility/tests/test_facilityuser_api.py

@@ -45,3 +45,23 @@ def test_link_existing_facility(self):
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(len(response.data["results"]), 2)
+
+    def test_user_access_to_facility_on_user_type(self):
+        # when a user is a state_lab_admin or a district_lab_admin
+        state_lab_admin = self.create_user(
+            "state_lab_admin", self.district, user_type=35
+        )
+        district_lab_admin = self.create_user(
+            "district_lab_admin", self.district, user_type=25
+        )
+
+        self.client.force_authenticate(user=state_lab_admin)
+
+        # when they try to access a facility in their state or district then they
+        # should be able to do so without permission issue
+        response = self.client.get(f"/api/v1/facility/{self.facility.external_id}/")
+        self.assertIs(response.status_code, status.HTTP_200_OK)
+
+        self.client.force_authenticate(user=district_lab_admin)
+        response = self.client.get(f"/api/v1/facility/{self.facility.external_id}/")
+        self.assertIs(response.status_code, status.HTTP_200_OK)