Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Location/ Bed Management issue ( District Lab Admin Account) #7102

Closed
Sunilsubba opened this issue Jan 24, 2024 · 25 comments
Closed

Location/ Bed Management issue ( District Lab Admin Account) #7102

Sunilsubba opened this issue Jan 24, 2024 · 25 comments
Assignees
@AnkurPrabhu
Labels
Backend bug Something isn't working Frontend

Comments

@Sunilsubba
Copy link

----Describe the bug----
Error Message coming up "You don't have permission to perform this action" but still allowed to create and manage beds using district lab admin account

----Steps to reproduce----
1- Log in using provided credential
2- Click on https://care.coronasafe.in/facility/42d0dbbd-e3e1-4d64-88ff-f606b90975b0/location

3- Click on "manage beds" from any existing location
4- add new bed

----Login Credentials----
Username: district_lab123
Password: Lilo@123

----Screenshots----
IMG_20240125_003827.jpg

IMG_20240125_003749.jpg
@github-project-automation github-project-automation bot moved this to Triage in Care Jan 24, 2024
@SamakshAgarwal1112
Copy link

Working on it!

@rithviknishad rithviknishad moved this from Triage to Up Next in Care Jan 25, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 9, 2024

Hi, @gigincg, @nihal467, @khavinshankar, @mathew-alex, @aparnacoronasafe, This issue has been automatically marked as stale because it has not had any recent activity.

@github-actions github-actions bot added the stale label Feb 9, 2024
@rithviknishad
Copy link
Member

Hey @SamakshAgarwal1112 any updates on this?

@rithviknishad rithviknishad added the bug Something isn't working label Feb 12, 2024
@github-actions github-actions bot removed the stale label Feb 13, 2024
@shramanpaul
Copy link
Contributor

Hello @rithviknishad, could you please assign me this issue? I'm eager to work on it.

@rithviknishad
Copy link
Member

Hey @shramanpaul

Feel free to make a PR on this once the changes requested for #7200 is completed

@balaji-sivasakthi
Copy link

@rithviknishad Could you explain to me why this issue is throwing a 403 error?

GET /api/v1/facility/42d0dbbd-e3e1-4d64-88ff-f606b90975b0/asset_location/6ee4cae3-f9e3-40d4-9b47-337ac8052f76/
HTTP 403 Forbidden
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "detail": "Authentication credentials were not provided."
}

@rithviknishad
Copy link
Member

Have you set the Authorization headers when making the request?

@balaji-sivasakthi
Copy link

Have you set the Authorization headers when making the request?

I'm not sure, this is the stuff I cached from the browser.

@AnkurPrabhu
Copy link
Contributor

AnkurPrabhu commented Mar 2, 2024
edited
Loading

@rithviknishad @balaji-sivasakthi i tried using the same front-end on my local backend it does not show this error. do we have some sort of waf or any firewall this passes through that could be the issue here pls correct me if i am wrong, also this does not exist in https://care.ohc.network/

@varshith257
Copy link

@rithviknishad I would like to work on this. Can you assign me this issue?

@hrit2773
Copy link
Contributor

hrit2773 commented Mar 3, 2024

@balaji-sivasakthi that 403 error is because there is no authentication details. I tried to find the method associated with the url in the care backend repo but I'm unable to find it

@balaji-sivasakthi
Copy link

Has anyone checked with a different account? I believe the account listed below may be broken in terms of roles.

Username: district_lab123
Password: Lilo@123

@r-nikhilkumar
Copy link
Contributor

please assign this issues to me, I want to contribute here

@Shahbaz898414
Copy link

@rithviknishad I would like to work on this. Can you assign me this issue?

@AnkurPrabhu
Copy link
Contributor

AnkurPrabhu commented Mar 6, 2024
edited
Loading

Has anyone checked with a different account? I believe the account listed below may be broken in terms of roles.

Username: district_lab123
Password: Lilo@123

i tried on my local using devdistrict admin, staff and doc everything works fine, i feel like this is some sort of configuration or firewall setting for some apis
or this could be some specific permission is not giving to the user account from django admin can anyone check the user type ?

@rithviknishad
Copy link
Member

Have you tried creating a district lab admin user type user and tried replicating the issue with that user?

@AnkurPrabhu
Copy link
Contributor

Yes I did
What I did for this is
Went to django users table edited type to district level admin and then tried it was working fine for me
Let me know my steps to replicate are correct or have I missed something

@rithviknishad
Copy link
Member

rithviknishad commented Mar 7, 2024
edited
Loading

"District Lab Admin" is the user type. Not "District Admin"

Also, I'm able to replicate this issue.

To replicate this, you'll need to go directly to the URL instead of navigating to the location page through Care.

image

There seems to be multiple permission issues:

  1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)
  2. If I directly go to the location management page of such inaccessible facilities, I'm able to list the locations of such facilities. This shouldn't be permitted.
  3. Now this user can read and write beds of those locations of inaccessible facilities too, which also shouldn't be permitted.

cc: @sainak

@sainak
Copy link
Member

sainak commented Mar 7, 2024

"District Lab Admin" is the user type. Not "District Admin"

Also, I'm able to replicate this issue.

To replicate this, you'll need to go directly to the URL instead of navigating to the location page through Care.

image

There seems to be multiple permission issues:

  1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)
  2. If I directly go to the location management page of such inaccessible facilities, I'm able to list the locations of such facilities. This shouldn't be permitted.
  3. Now this user can read and write beds of those locations of inaccessible facilities too, which also shouldn't be permitted.

cc: @sainak

Yes @rithviknishad this is a permission issue, it needs to be restricted on the backend

@AnkurPrabhu
Copy link
Contributor

AnkurPrabhu commented Mar 8, 2024
edited
Loading

can you assign this to me ? @rithviknishad @sainak

@AnkurPrabhu
Copy link
Contributor

AnkurPrabhu commented Mar 10, 2024
edited
Loading

  1. A district lab admin user seems to be able to see "facilities" that this user does not have access to. (Although when I click on a facility it gives 404 Not Found)

@rithviknishad can you pls explain what do you mean by this as on what basis do we need to validate if user has access to these facilities ?

@rithviknishad
Copy link
Member

Refer Facility Permissions here: https://github.com/coronasafe/care/blob/master/care/facility/api/viewsets/facility.py#L50-L61

@Thanush19
Copy link

if the issue is not resolved , i can work on this @rithviknishad

@AnkurPrabhu
Copy link
Contributor

i am working on it @Thanush19

@AnkurPrabhu AnkurPrabhu mentioned this issue Mar 11, 2024
Merged
4 tasks
@AnkurPrabhu
Copy link
Contributor

lets close this issue @rithviknishad

@github-project-automation github-project-automation bot moved this from Up Next to Done in Care Mar 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AnkurPrabhu AnkurPrabhu

Labels
Backend bug Something isn't working Frontend
Projects
Care
Archived in project
Milestone
No milestone
Development

No branches or pull requests