[BE] Create endpoints returning only the data the user is authorized to access

We are cancelling this issue because it turned out it’s no longer needed by the Nigeria team.

@Maciej Grochalski What do you mean “access to facility” - isn’t the View Stock Card permission assigned to user + program + facility? So the Facility’s assignment doesn’t matter, it’s the user’s permission that matters.
But, I see why it might be difficult - the separate filter for Program and Facility might not be easy - selection of one affects the others: in a perfect world selecting Evercare Medical Center would reduce the program select to the programs that the user is assigned in Evercare Medical Center, and selecting Malaria would limit the facility select. This would require passing parameters to the filter endpoints, and most likely changes in BE.
I guess the good solution would require having Facility and Program related and refreshing one when the other changes - that would be some effort.
As for an “OLMIS solution”, I’m thinking (might be difficult) you could make the report SQL filter by user permissions (like in the PR) and then just add optional filtering using data from the UI Filter. The UI would show all programs the user has access to in any facility. It would show all Facilities where the user has access to at least one program. The user would just need to know that they can select an invalid combination and get an empty report - a label “There is no data or you have no access to it.” inside the report. In this case, the selects would mostly be limited only for the user’s convenience - which is still useful.

Because of what I explained in the previous comment, for now I added filtering inside the report after passing the userId parameter, as was requested in https://openlmis.atlassian.net/browse/OLMIS-8077.

I see a potential issue here. Let’s say we fetch the data once as it was designed:
Our user has access to the facilities Evercare Medical Center and Blue Horizon Hospital.
Evercare Medical Center: access to the Essential Meds program.
Blue Horizon Hospital: access to the Malaria program (assuming the facility also supports Essential Meds, but the user has no access to it in the rights_assignments).
If we created an endpoint which would fetch the data we have access to, both programs would be accessible for both facilities (because the select fields are not dependent on each other).
Below is how it looks on the database:
Any thoughts @Oliver Lewandowski @Piotr Wargulak? If it needs more explanation we can schedule a quick meeting and talk through it. Maybe there is something that I’m missing.

Can you check and refine if needed? @Piotr Wargulak @Maciej Grochalski

We need to create API endpoints that support filtering options in select inputs while ensuring that users can only view and select entities (e.g., facilities, programs, products) they are authorized to access.
Reproduction Steps: Reports → View Reports → Stock on Hand
AC:
Users can only view and select permitted programs, products, facilities, geographic zones, and facility types.
Update template_parameters.
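The cross-product problem raised in the comments above (the user holds the right for Essential Meds only at Evercare Medical Center and for Malaria only at Blue Horizon Hospital, yet two independent selects offer every facility paired with every program) and the acceptance criterion that users can only select permitted programs and facilities, worked through as an added example. This is not OpenLMIS code and not part of the ticket: the table and column names, the right name STOCK_CARDS_VIEW, the ids and the sample rows are constructed assumptions that only mirror the user + right + facility + program shape of the rights assignments described in the thread. The example contrasts the independent filter endpoints with dependent endpoints that take the other select's value as a parameter, and with a report query that joins on the user's rights so that an invalid combination sent by the UI returns no rows.

```python
import sqlite3
from itertools import product

# Right checked for the Stock on Hand report. The string is an assumption of
# this example, not taken from the ticket.
STOCK_CARDS_VIEW = "STOCK_CARDS_VIEW"

# Constructed sample data, not from the ticket or any OpenLMIS database. The
# right_assignments layout (user, right, facility, program) follows the thread;
# the exact table and column names are an assumption.
FACILITIES = [("F-EVC", "Evercare Medical Center"), ("F-BHH", "Blue Horizon Hospital")]
PROGRAMS = [("P-EM", "Essential Meds"), ("P-MAL", "Malaria")]
# The user holds the right for only one program at each facility, which is
# the situation the thread describes.
RIGHTS = [
    ("user-1", STOCK_CARDS_VIEW, "F-EVC", "P-EM"),
    ("user-1", STOCK_CARDS_VIEW, "F-BHH", "P-MAL"),
]
STOCK = [
    ("F-EVC", "P-EM", "Paracetamol 500mg", 120),
    ("F-BHH", "P-EM", "Paracetamol 500mg", 40),   # exists, but user-1 may not see it
    ("F-BHH", "P-MAL", "ACT 6x1", 300),
]


def open_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE facilities (id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE programs (id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE right_assignments (
            user_id TEXT, right_name TEXT, facility_id TEXT, program_id TEXT);
        CREATE TABLE stock_cards (
            facility_id TEXT, program_id TEXT, orderable TEXT, stock_on_hand INTEGER);
    """)
    conn.executemany("INSERT INTO facilities VALUES (?, ?)", FACILITIES)
    conn.executemany("INSERT INTO programs VALUES (?, ?)", PROGRAMS)
    conn.executemany("INSERT INTO right_assignments VALUES (?, ?, ?, ?)", RIGHTS)
    conn.executemany("INSERT INTO stock_cards VALUES (?, ?, ?, ?)", STOCK)
    return conn


def permitted_pairs(conn, user_id):
    """What the user is actually authorized for: (facility, program) pairs."""
    return {tuple(r) for r in conn.execute(
        "SELECT facility_id, program_id FROM right_assignments "
        "WHERE user_id = ? AND right_name = ?", (user_id, STOCK_CARDS_VIEW))}


def independent_options(conn, user_id):
    """The design questioned in the thread: one endpoint per select, each
    ignoring the other. Returns (facility ids, program ids)."""
    facilities = {r[0] for r in conn.execute(
        "SELECT DISTINCT facility_id FROM right_assignments "
        "WHERE user_id = ? AND right_name = ?", (user_id, STOCK_CARDS_VIEW))}
    programs = {r[0] for r in conn.execute(
        "SELECT DISTINCT program_id FROM right_assignments "
        "WHERE user_id = ? AND right_name = ?", (user_id, STOCK_CARDS_VIEW))}
    return facilities, programs


def unauthorized_combinations(conn, user_id):
    """Pairs the independent selects let the user pick without holding the right."""
    facilities, programs = independent_options(conn, user_id)
    return set(product(facilities, programs)) - permitted_pairs(conn, user_id)


def program_options(conn, user_id, facility_id=None):
    """Dependent filter endpoint: programs narrowed by the facility already chosen."""
    sql = ("SELECT DISTINCT p.id, p.name FROM programs p "
           "JOIN right_assignments ra ON ra.program_id = p.id "
           "WHERE ra.user_id = ? AND ra.right_name = ?")
    params = [user_id, STOCK_CARDS_VIEW]
    if facility_id is not None:
        sql += " AND ra.facility_id = ?"
        params.append(facility_id)
    return [tuple(r) for r in conn.execute(sql + " ORDER BY p.name", params)]


def facility_options(conn, user_id, program_id=None):
    """Dependent filter endpoint: facilities narrowed by the program already chosen."""
    sql = ("SELECT DISTINCT f.id, f.name FROM facilities f "
           "JOIN right_assignments ra ON ra.facility_id = f.id "
           "WHERE ra.user_id = ? AND ra.right_name = ?")
    params = [user_id, STOCK_CARDS_VIEW]
    if program_id is not None:
        sql += " AND ra.program_id = ?"
        params.append(program_id)
    return [tuple(r) for r in conn.execute(sql + " ORDER BY f.name", params)]


def stock_on_hand_report(conn, user_id, facility_id, program_id):
    """Report filtered by the user's rights inside SQL: an invalid combination
    picked in the UI yields no rows instead of data the user may not view."""
    rows = conn.execute(
        "SELECT sc.orderable, sc.stock_on_hand FROM stock_cards sc "
        "JOIN right_assignments ra ON ra.facility_id = sc.facility_id "
        "AND ra.program_id = sc.program_id "
        "WHERE ra.user_id = ? AND ra.right_name = ? "
        "AND sc.facility_id = ? AND sc.program_id = ? ORDER BY sc.orderable",
        (user_id, STOCK_CARDS_VIEW, facility_id, program_id))
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("offered by independent selects without a right:", unauthorized_combinations(db, "user-1"))
    print("programs at Blue Horizon:", program_options(db, "user-1", "F-BHH"))
    print("report for an unauthorized pair:", stock_on_hand_report(db, "user-1", "F-BHH", "P-EM"))
```

Running the module prints the two facility/program pairs that the independent selects would offer without a matching right; the dependent endpoints never offer them, and the report query returns no rows for them whatever the UI sends. Keeping the rights join inside the report SQL is the part that actually enforces authorization; the dependent selects only stop the user from reaching the empty-report case by accident.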