
from django.core.management.base import BaseCommand
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
from hr.models import Department, Employee
from accounts.models import CustomUser


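class Command(BaseCommand):
    """Sync Django groups, permissions and staff flags from HR departments.

    For every selected employee that has a linked user account, the command
    moves the user into the group named after the employee's department,
    grants that group the permissions listed in ``_DEPARTMENT_PERMISSIONS``
    and updates ``is_staff`` / ``is_superuser`` / ``role`` on the user.

    Selection precedence: ``--employee-id`` wins over ``--department``; with
    neither, all active employees with a user account are processed.
    """

    help = 'Assign permissions to employees based on their departments'

    # Single source of truth for both the permission grants and the set of
    # "department groups" a user is removed from before being re-assigned.
    _DEPARTMENT_PERMISSIONS = {
        'Management': [
            # Full access to all modules
            'view_customer', 'add_customer', 'change_customer', 'delete_customer',
            'view_invoice', 'add_invoice', 'change_invoice', 'delete_invoice',
            'view_payment', 'add_payment', 'change_payment', 'delete_payment',
            'view_ticket', 'add_ticket', 'change_ticket', 'delete_ticket',
            'view_employee', 'add_employee', 'change_employee', 'delete_employee',
            'view_department', 'add_department', 'change_department', 'delete_department',
            'view_payslip', 'add_payslip', 'change_payslip', 'delete_payslip',
            'view_expense', 'add_expense', 'change_expense', 'delete_expense',
            'view_systemsettings', 'change_systemsettings',
        ],
        'Technician': [
            'view_customer', 'change_customer',
            'view_ticket', 'add_ticket', 'change_ticket',
            'view_invoice',
            'view_employee',
        ],
        'Marketing': [
            'view_customer', 'add_customer', 'change_customer',
            'view_ticket', 'add_ticket', 'change_ticket',
            'view_invoice',
            'add_marketingweeklyreport', 'change_marketingweeklyreport', 'view_marketingweeklyreport',
        ],
        'Billing Staff': [
            'view_customer', 'change_customer',
            'view_invoice', 'add_invoice', 'change_invoice',
            'view_payment', 'add_payment', 'change_payment',
            'view_ticket',
            'view_expense',
        ],
        'Customer Service': [
            'view_customer', 'change_customer',
            'view_ticket', 'add_ticket', 'change_ticket',
            'view_invoice',
        ],
        'HR Staff': [
            'view_employee', 'add_employee', 'change_employee',
            'view_department', 'add_department', 'change_department',
            'view_payslip', 'add_payslip', 'change_payslip',
            'view_customer',
        ],
    }

    def add_arguments(self, parser):
        """Register the optional ``--department``, ``--employee-id`` and ``--dry-run`` flags."""
        parser.add_argument(
            '--department',
            type=str,
            help='Specific department to update (optional)',
        )
        parser.add_argument(
            '--employee-id',
            type=str,
            help='Specific employee ID to update (optional)',
        )
        parser.add_argument(
            '--dry-run',
            action='store_true',
            help='Show what would be changed without making changes',
        )

    def handle(self, *args, **options):
        """Select the employees to process and sync each one's access.

        Prints an error and returns without changes when the requested
        employee or department does not exist.
        """
        dry_run = options.get('dry_run', False)
        specific_department = options.get('department')
        specific_employee = options.get('employee_id')

        if dry_run:
            self.stdout.write(self.style.WARNING('DRY RUN MODE - No changes will be made'))

        # Get employees to process
        # NOTE(review): only the default branch filters on
        # employment_status='active'; the two targeted branches will also
        # grant access to employees in any other status. Confirm that is
        # intended before running them against leavers.
        if specific_employee:
            try:
                employees = [Employee.objects.get(employee_id=specific_employee)]
            except Employee.DoesNotExist:
                self.stdout.write(self.style.ERROR(f'Employee {specific_employee} not found'))
                return
        elif specific_department:
            try:
                dept = Department.objects.get(name=specific_department)
            except Department.DoesNotExist:
                self.stdout.write(self.style.ERROR(f'Department {specific_department} not found'))
                return
            employees = Employee.objects.filter(department=dept, user__isnull=False)
        else:
            employees = Employee.objects.filter(user__isnull=False, employment_status='active')

        # Materialise once: the --employee-id branch yields a plain list, on
        # which the queryset-style .count() call would raise TypeError.
        employees = list(employees)
        self.stdout.write(f'Processing {len(employees)} employees...')

        for employee in employees:
            if not employee.user:
                # Only reachable via --employee-id; the other branches
                # already filter on user__isnull=False.
                self.stdout.write(f'Skipping {employee.full_name} - No user account linked')
                continue

            self._assign_department_permissions(employee, dry_run)

        if not dry_run:
            self.stdout.write(self.style.SUCCESS('Department permissions updated successfully!'))

    def _assign_department_permissions(self, employee, dry_run=False):
        """Put the employee's user in its department group and sync privileges.

        Args:
            employee: ``Employee`` with a linked ``user``.
            dry_run: When true, nothing is written to the database; the
                actions that would be taken are printed instead.
        """
        user = employee.user
        department_name = employee.department.name if employee.department else None

        if not department_name:
            self.stdout.write(f'Skipping {employee.full_name} - No department assigned')
            return

        if dry_run:
            # A dry run must not create the group; look it up read-only.
            group = Group.objects.filter(name=department_name).first()
            if group is None:
                self.stdout.write(f'Would create new group: {department_name}')
        else:
            # Remove user from all known department groups first.
            # NOTE(review): groups created below for departments that are
            # not in _DEPARTMENT_PERMISSIONS are never removed here, so a
            # user moved out of such a department keeps that membership.
            dept_groups = Group.objects.filter(name__in=list(self._DEPARTMENT_PERMISSIONS))
            user.groups.remove(*dept_groups)

            group, created = Group.objects.get_or_create(name=department_name)
            if created:
                self.stdout.write(f'Created new group: {department_name}')

            user.groups.add(group)

        # Permissions are granted to the group, not to the individual user.
        # They are only ever added: a codename dropped from the map stays on
        # the group until removed by hand.
        for permission_codename in self._get_department_permissions(department_name):
            try:
                # Codenames are unique per content type only, so a bare
                # codename lookup can match several models.
                permission = Permission.objects.get(codename=permission_codename)
            except Permission.DoesNotExist:
                self.stdout.write(f'  Permission not found: {permission_codename}')
                continue
            except Permission.MultipleObjectsReturned:
                # Refuse to guess which model was meant instead of aborting
                # the run half-way or over-granting.
                self.stdout.write(
                    f'  Permission ambiguous, skipped: {permission_codename}'
                )
                continue

            if dry_run:
                self.stdout.write(f'  Would add permission: {permission_codename}')
            else:
                group.permissions.add(permission)

        # Update user role based on department
        # NOTE(review): is_superuser is driven purely by the department name,
        # so anyone able to edit Employee.department (or rename a department
        # to 'Management') can mint a superuser. The non-Management branch
        # never clears is_superuser, so a user who leaves Management keeps
        # it. It also sets is_staff/role='technician' for every other
        # department, including ones with no entry in the permission map.
        # Confirm all three are intended.
        if department_name == 'Management':
            if not dry_run:
                user.is_superuser = True
                user.is_staff = True
                user.role = 'admin'
                user.save()
            self.stdout.write(f'  Updated {employee.full_name} - Granted superuser privileges')
        else:
            if not dry_run:
                user.is_staff = True
                user.role = 'technician'
                user.save()
            self.stdout.write(f'  Updated {employee.full_name} - Department: {department_name}')

    def _get_department_permissions(self, department_name):
        """Return the permission codenames for a department.

        Returns a fresh list so callers cannot mutate the class-level map;
        unknown departments yield an empty list.
        """
        return list(self._DEPARTMENT_PERMISSIONS.get(department_name, []))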
