To ensure that only authorized employees can access specific management commands, I implemented a robust permission system in the EpicEventsCommand class. This system is based on the employee's role, and it grants or denies access to each command according to that role. The permission system prevents unauthorized access and ensures that sensitive actions are restricted to employees with the appropriate roles.
How It Works
1. Role-Based Permissions: A class attribute called permissions is added to each command. This attribute contains a list of roles that are authorized to execute the command.
2. Permission Check: The system checks the employee's role, which is stored in the employee_users attribute. If the user's role is not in the permissions list, access to the command is denied.
3. Access Denial: If the employee does not have the required role, a "permission denied" message is displayed, and the user is redirected back to the main menu.
Example: Contract Creation Command
For example, the contract_create command is restricted to employees with the role "MA" (Management). Here's how the permissions are handled:
class Command(EpicEventsCommand):  # Django looks up the class named Command in the contract_create module
    help = "Prompts for details to create a new contract."
    action = "CREATE"
    permissions = ["MA"]  # only the Management role may run this command
In the EpicEventsCommand class, the permission check is implemented as follows:
import sys

from django.core.management import call_command
# create_permission_denied_message is the project's own helper (import path as in the project)

def handle(self, *args, **options):
    super().handle(*args, **options)  # the parent handle() loads the logged-in user into self.user
    # Deny the command unless the employee's role is listed in the command's permissions
    if self.user.employee_users.role not in self.permissions:
        create_permission_denied_message()
        call_command("start")  # send the user back to the main menu
        sys.exit()
Contract Menu View
The same permission system is applied to the contract menu view. Depending on the employee's role, certain menu options are made available:
def handle(self, *args, **options):
    super().handle(*args, **options)
    choice = get_app_menu("contract", self.user)  # menu options shown depend on the role
    # Roles "SA" and "SU" only get the contract list and the way back to the main menu
    if self.user.employee_users.role == "SA":
        if choice == 1:
            call_command("contract_list_filter")
        elif choice == 2:
            call_command("start")
    if self.user.employee_users.role == "SU":
        if choice == 1:
            call_command("contract_list_filter")
        elif choice == 2:
            call_command("start")
    # Role "MA" additionally gets create, update and delete
    if self.user.employee_users.role == "MA":
        if choice == 1:
            call_command("contract_list_filter")
        elif choice == 2:
            call_command("contract_create")
        elif choice == 3:
            call_command("contract_update")
        elif choice == 4:
            call_command("contract_delete")
        elif choice == 5:
            call_command("start")
Secure Access
Both direct command execution via the terminal (python manage.py contract_create) and execution through the navigation menu are secured by the permission system. This ensures that no unauthorized user can execute any command, whether directly or through the interface.
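The two paths described above (the permission check in handle() and the role-dependent menu) as an added, self-contained example that is not the project's code: it uses constructed stand-ins for the User/Employee models and a hypothetical COMMANDS registry in place of Django's command lookup, raises an exception where the page shows the denied message, call_command("start") and sys.exit(), and goes one step further than the page by deriving the menu from each command's own permissions list and by denying a command that declares no roles.

```python
from dataclasses import dataclass

# Constructed stand-ins for the project's User/Employee models, not the real ones.
@dataclass
class Employee:
    role: str  # "SA", "SU" or "MA", as on the page
@dataclass
class User:
    employee_users: Employee

class PermissionDenied(Exception): pass

class EpicEventsCommand:
    # Fail closed: a command that lists no roles can be run by nobody.
    permissions: tuple = ()

    def __init__(self, user: User):
        self.user = user  # the page's base handle() loads this from the session

    def is_permitted(self) -> bool:
        return self.user.employee_users.role in self.permissions

    def handle(self) -> str:
        # The page's check; raising stands in for the denied message, call_command("start"), sys.exit()
        if not self.is_permitted():
            raise PermissionDenied(f"{self.user.employee_users.role} cannot run {type(self).__name__}")
        return self.run()

class ContractListFilter(EpicEventsCommand):
    permissions = ("SA", "SU", "MA")
    def run(self): return "contracts listed"

class ContractCreate(EpicEventsCommand):
    permissions = ("MA",)
    def run(self): return "contract created"

# Hypothetical registry standing in for Django's management-command lookup.
COMMANDS = {"contract_list_filter": ContractListFilter, "contract_create": ContractCreate}

def menu_for(user: User) -> list:
    # Derive the menu from each command's permissions: one source of truth, no repeated role branches
    return [name for name, cmd in COMMANDS.items() if cmd(user).is_permitted()]

def run_command(name: str, user: User) -> str:
    # Direct path (python manage.py <name>): the same check applies as via the menu.
    try:
        return COMMANDS[name](user).handle()
    except PermissionDenied as exc:
        return f"permission denied: {exc}"
```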
This permission system ensures that employees are only presented with the commands and actions relevant to their roles, minimizing errors and improving the security of the application.