[[TOC]]
= Organisation Developer Guidelines =

== Site Super Entity ==
The following are instances of the site super entity:
 * org_office
 * cr_shelter
 * hms_hospital
The Site Super Entity allows the following components to be shared between these resources through the use of a single foreign key ({{{site_id}}}):
 * org_staff
 * inv_inv_item
 * inv_recv
 * inv_send
 * req_req
 * req_commit

== Staff Permissions ==
Staff ({{{org_staff}}}) can be added as components of site instances (offices, hospitals and shelters) and organisations. There are a number of use cases where you may want to apply permissions based on the staff of a resource:
 * Only staff of an organisation have permissions (READ, CREATE, UPDATE and/or DELETE) for their organisation resource.
 * Only staff stationed at a certain site have permissions (READ, CREATE, UPDATE and/or DELETE) for their site resource.

For further flexibility, there are two boolean fields for staff:
 * {{{no_access}}} - If this is true, this staff member has no additional privileges (labelled as 'Read-only').
 * {{{supervisor}}} - This gives the option of more permissive permissions for some staff.

If a user creates a resource (Site or Organisation) then they are automatically given the Supervisor role for that resource.

The roles are created by the {{{shn_create_record_roles}}} function in {{{models/05_org.py}}}, which can be called from an org or site create_onaccept by configuring the model as follows:
{{{
# Create roles for each organisation / site instance
s3xrc.model.configure(table,
                      create_onaccept = shn_staff_join_onaccept_func(tablename))
}}}
(This code should be called after the resource table is defined in the model.)

=== Enabling Staff Permissions ===
 1. Set:
{{{
deployment_settings.security.policy = 3 # Controller-ACLs. 4 & 5 will also work
deployment_settings.aaa.has_staff_permissions = True
deployment_settings.aaa.staff_acl = <permissions for staff role: Create, Read, Update and/or Delete>
deployment_settings.aaa.supervisor_acl = <permissions for supervisor role: Create, Read, Update and/or Delete>
("org", Storage(
        ....
        restricted = True,
}}}
 2. When a new organisation or site instance is created:
   i. New roles (staff & supervisor) are automatically created for that record (tablename_recordid Staff of recordname & tablename_recordid Supervisors of recordname).
   i. The current user is added as a member of both of those roles.

 3. Add staff to organisations and sites to grant them the appropriate permissions.

=== Inheriting Permissions ===
To allow other components to inherit the same permissions as the primary resource, call the following function to add an onaccept function which copies the {{{owned_by_role}}} from the primary resource. This onaccept should be added to the onaccept for the component resource.
{{{
# Update owned_by_role to the site's owned_by_role
s3xrc.model.configure(
    table,
    onaccept = shn_component_copy_role_func(component_name = tablename,
                                            resource_name = "org_site",
                                            fk = "site_id",
                                            pk = "site_id")
)
}}}

The staff component resource itself currently inherits permissions from sites, not organisations, because this is LESS permissive. This may need to become a deployment setting.

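The rules from the Staff Permissions and Inheriting Permissions sections, as a small stand-alone Python model added here for illustration. It is not Sahana Eden code: the class, method names, ACL bit values and sample records are hypothetical, and it assumes {{{owned_by_role}}} can be treated as one key that both the staff and supervisor roles hang off. In this model a component that never had the copy-role onaccept applied ends up with no staff-derived access.

```python
# Added illustration, not Sahana Eden code; all names here are hypothetical.
READ, CREATE, UPDATE, DELETE = 1, 2, 4, 8
STAFF_ACL = READ | CREATE | UPDATE     # stands in for aaa.staff_acl
SUPERVISOR_ACL = STAFF_ACL | DELETE    # stands in for aaa.supervisor_acl

class StaffPermissions:
    def __init__(self):
        self.members = {}        # (owner key, "staff"|"supervisor") -> users
        self.owned_by_role = {}  # (tablename, record_id) -> owner key

    def _join(self, key, kind, user):
        self.members.setdefault((key, kind), set()).add(user)

    def create_site(self, record, creator):
        """create_onaccept: create both roles, add the creator to both."""
        key = self.owned_by_role[record] = "%s_%s" % record
        for kind in ("staff", "supervisor"):
            self._join(key, kind, creator)

    def add_staff(self, site, user, no_access=False, supervisor=False):
        """Staff onaccept: no_access staff are given no role in this model."""
        if no_access:
            return
        key = self.owned_by_role[site]
        self._join(key, "staff", user)
        if supervisor:
            self._join(key, "supervisor", user)

    def add_component(self, component, site):
        """Component onaccept: copy owned_by_role from the site (via site_id)."""
        self.owned_by_role[component] = self.owned_by_role[site]

    def acl(self, user, record):
        """Effective staff-derived ACL bits for user on record (0 = none)."""
        key = self.owned_by_role.get(record)   # None if never copied
        bits = STAFF_ACL if user in self.members.get((key, "staff"), ()) else 0
        if user in self.members.get((key, "supervisor"), ()):
            bits |= SUPERVISOR_ACL
        return bits

def demo():
    p = StaffPermissions()
    # Constructed sample records: one office, one inherited item, one orphan.
    office, item, orphan = ("org_office", 7), ("inv_inv_item", 31), ("inv_inv_item", 32)
    p.create_site(office, creator="alice")
    p.add_staff(office, "bob")
    p.add_staff(office, "carol", no_access=True)
    p.add_component(item, office)      # orphan: onaccept never configured
    return {u: tuple(p.acl(u, r) for r in (office, item, orphan))
            for u in ("alice", "bob", "carol")}
```

{{{demo()}}} returns, per user, the ACL bits on the office, on the inventory item that inherited the office's role, and on the item that did not.
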
== Inventory Management ==
Inventories can be added to any site instance, by adding {{{shn_show_inv_tabs(r)}}} to the rheader tabs for that site instance.
