Session log — Planning doctor verification and gated recordings

InternalView platform →
← All session logs

Session log — Planning doctor verification and gated recordings

9 June 2026, evening · Medilearn · Hasmukh with Claude · auto-published from the local journal entry. A polished narrative version can be requested in any future Claude session.

Summary

Hasmukh asked how to plan and execute a way to put the Past Events recordings behind doctor verification on the live medilearn.africa. The idea he set out: a doctor registers once and gives their MP number, an operator authenticates them by hand by checking that MP number against the HPCSA register, and once approved their login unlocks the recordings. Confirmed the site can support this on its own, with no outside service needed, and that manual approval is the right call because there is no automatic way to confirm a doctor's registration. Took a read-only look at the live site to see what is already there. There is no doctor login or members area yet and only the admin account exists, so it is a clean start. Agreed to set this up as a small, purpose-made doctor login shaped around MP-number approval. No changes were made to the site this session. This was planning plus a read-only check only.

Decisions

  • Verification method: MP number only. The doctor gives their name and MP number, the operator looks it up on the HPCSA register and approves by hand. Quickest for the doctor and the least personal information to hold, which is the cleaner POPIA position.
  • Scope: build a reusable "doctors only" lock for a wider doctors-only area, not only the recordings. It will be pointed at the Past Events recordings first, with the ability to lock other pages later without rebuilding.
  • Approach: a purpose-made doctor login rather than bending a generic tool, because nothing suitable is installed to reuse and the workflow is specific.
  • Security stance: recordings will not be delivered at all to anyone who is not an approved doctor, not merely hidden on the page. MP numbers and personal details stay visible to the approver only.

Changes made

  • None to the live site. This was planning and a read-only inventory.
  • Confirmed the platform natively supports member accounts, a custom "verified doctor" level, per-doctor fields, and a content lock tied to the login.
  • Read-only check of the live medilearn.africa found no membership or login feature installed, only the admin account present, and the recordings delivered in a way that is straightforward to lock.

Follow-ups

  • Awaiting Hasmukh's go-ahead to start step 1 (accounts and login, plus a signed-in doctors' home page).
  • Build order agreed: (1) accounts, login and a doctors' home, (2) the sign-up form capturing the MP number, the private approval list, and the automatic approval email, (3) the reusable doctors-only lock applied first to the recordings, (4) polish: consent and privacy wording, forgot-password, stay-signed-in, and a quiet record of who approved whom.
  • Outgoing email needs confirming and switching on before step 2, so the approval email and the forgot-password email send reliably. The pieces are on the site already.
  • POPIA: add a short consent and privacy note at sign-up, collect only what is needed, and keep MP numbers visible to the approver only.

Update — step 1 built and live (hidden)

Hasmukh gave the go-ahead, so step 1 was built and is live on medilearn.africa, kept out of the public menu for review.

  • Added a new "doctors area" to the site with proper sign-in and sign-out, plus a signed-in welcome page that will later hold the recordings and other doctor-only resources.
  • The area sits at a private web address that is not linked anywhere in the menu, so only someone with the direct link can reach it. The public sees only a sign-in box, nothing sensitive.
  • Built on the site's own secure sign-in, which already includes protection against repeated password guessing and does not reveal whether an email is registered.
  • Created one temporary test sign-in so Hasmukh can try it. It will be removed before go-live, once real doctor sign-up exists.
  • Checked the whole site afterwards: the home page and every other page still load normally, and no new problems appeared.

Follow-ups after step 1

  • Awaiting Hasmukh to try the test sign-in and confirm it feels right before step 2.
  • Step 2 next: the doctor sign-up form (capturing the MP number), the private approval list, and the automatic approval email. This needs the site's outgoing email switched on first.
  • Remove the temporary test sign-in before go-live.

Update — recordings now locked (Hasmukh asked to see the gate)

On testing, Hasmukh pointed out the recordings still played for everyone. That was expected, because only the sign-in and doctors' area had been built, not the lock itself. He asked to bring the lock forward, so it was done and is now live.

  • First, a sample recording was placed inside the signed-in doctors' area, so the lock could be seen safely: signed out it is not even on the page, signed in it plays.
  • Then, at Hasmukh's choice, the real Past Events page was locked. The page still publicly lists every event (names, photos, topics), but the actual recordings now play only for a signed-in doctor (and for the admin). Everyone else sees a clear "Sign in to watch" prompt that links to the doctors' area.
  • The lock is done properly: for anyone who is not a signed-in doctor, the video is not delivered to the page at all, so there is nothing to get around.
  • The whole site was re-checked: every page loads normally and no new problems appeared. Backups were taken before and after the change.

Follow-ups after locking

  • Because the recordings are now doctor-only and there is not yet a way for doctors to sign themselves up, step 2 (the doctor sign-up form, the private approval list, and the approval email) is now the priority so real doctors can get in. This needs outgoing email switched on.
  • In the meantime, individual doctor accounts can be created by hand if anyone needs access urgently.
  • Remove the temporary test sign-in before go-live.

Update — step 2 built: doctor sign-up and your approval list

Doctors can now register themselves, and you approve them.

  • On the doctors' page, signed-out visitors now see a "Create a doctor account" option next to sign-in. They enter their name, email, HPCSA (MP) number and a password, and tick a short consent. They become "pending".
  • A pending doctor can sign in but sees an "awaiting approval" message and cannot watch recordings yet.
  • You have a private approval list in your admin area, under "ML Doctors". It shows each waiting doctor's name, email and MP number, with Approve and Decline buttons. You check the MP number on the HPCSA register, then click Approve. Approving unlocks the recordings for that doctor and emails them.
  • The MP numbers and details are only visible to you in that list.
  • I tested the whole flow and the site stayed healthy with no errors. I left a test sign-up, "Dr Jane Smith", waiting in your list so you can try the Approve button.

The one open item: reliable email

  • The approval email, and a future "forgot password" email, need proper email delivery to reliably reach doctors. Your site does not have that switched on yet. Approving still works, the email just may not arrive until we connect a sender (SendGrid, which is free at this volume). I can switch that on quickly once you have a SendGrid key.

Follow-ups after step 2

  • Connect SendGrid so approval and password emails reliably reach doctors.
  • Step 4 polish later: "forgot password", stay-signed-in, and a quiet record of who approved whom.
  • Remove the two test accounts before go-live.