mirror of
https://github.com/cisagov/manage.get.gov.git
synced 2025-08-03 08:22:18 +02:00
Merge branch 'main' into gd/2354-handle-portfolio-edit-mode
This commit is contained in:
commit
1053efc68c
23 changed files with 909 additions and 82 deletions
|
@ -9,6 +9,8 @@ from django.db.models.functions import Concat, Coalesce
|
|||
from django.http import HttpResponseRedirect
|
||||
from django.shortcuts import redirect
|
||||
from django_fsm import get_available_FIELD_transitions, FSMField
|
||||
from registrar.models.domain_group import DomainGroup
|
||||
from registrar.models.suborganization import Suborganization
|
||||
from waffle.decorators import flag_is_active
|
||||
from django.contrib import admin, messages
|
||||
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
|
||||
|
@ -35,6 +37,7 @@ from django_admin_multiple_choice_list_filter.list_filters import MultipleChoice
|
|||
from import_export import resources
|
||||
from import_export.admin import ImportExportModelAdmin
|
||||
from django.core.exceptions import ObjectDoesNotExist
|
||||
from django.contrib.admin.widgets import FilteredSelectMultiple
|
||||
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
|
@ -90,6 +93,31 @@ class UserResource(resources.ModelResource):
|
|||
model = models.User
|
||||
|
||||
|
||||
class FilteredSelectMultipleArrayWidget(FilteredSelectMultiple):
|
||||
"""Custom widget to allow for editing an ArrayField in a widget similar to filter_horizontal widget"""
|
||||
|
||||
def __init__(self, verbose_name, is_stacked=False, choices=(), **kwargs):
|
||||
super().__init__(verbose_name, is_stacked, **kwargs)
|
||||
self.choices = choices
|
||||
|
||||
def value_from_datadict(self, data, files, name):
|
||||
values = super().value_from_datadict(data, files, name)
|
||||
return values or []
|
||||
|
||||
def get_context(self, name, value, attrs):
|
||||
if value is None:
|
||||
value = []
|
||||
elif isinstance(value, str):
|
||||
value = value.split(",")
|
||||
# alter self.choices to be a list of selected and unselected choices, based on value;
|
||||
# order such that selected choices come before unselected choices
|
||||
self.choices = [(choice, label) for choice, label in self.choices if choice in value] + [
|
||||
(choice, label) for choice, label in self.choices if choice not in value
|
||||
]
|
||||
context = super().get_context(name, value, attrs)
|
||||
return context
|
||||
|
||||
|
||||
class MyUserAdminForm(UserChangeForm):
|
||||
"""This form utilizes the custom widget for its class's ManyToMany UIs.
|
||||
|
||||
|
@ -102,6 +130,14 @@ class MyUserAdminForm(UserChangeForm):
|
|||
widgets = {
|
||||
"groups": NoAutocompleteFilteredSelectMultiple("groups", False),
|
||||
"user_permissions": NoAutocompleteFilteredSelectMultiple("user_permissions", False),
|
||||
"portfolio_roles": FilteredSelectMultipleArrayWidget(
|
||||
"portfolio_roles", is_stacked=False, choices=User.UserPortfolioRoleChoices.choices
|
||||
),
|
||||
"portfolio_additional_permissions": FilteredSelectMultipleArrayWidget(
|
||||
"portfolio_additional_permissions",
|
||||
is_stacked=False,
|
||||
choices=User.UserPortfolioPermissionChoices.choices,
|
||||
),
|
||||
}
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
|
@ -652,18 +688,49 @@ class MyUserAdmin(BaseUserAdmin, ImportExportModelAdmin):
|
|||
"is_superuser",
|
||||
"groups",
|
||||
"user_permissions",
|
||||
"portfolio",
|
||||
"portfolio_roles",
|
||||
"portfolio_additional_permissions",
|
||||
)
|
||||
},
|
||||
),
|
||||
("Important dates", {"fields": ("last_login", "date_joined")}),
|
||||
)
|
||||
|
||||
autocomplete_fields = [
|
||||
"portfolio",
|
||||
]
|
||||
|
||||
readonly_fields = ("verification_type",)
|
||||
|
||||
# Hide Username (uuid), Groups and Permissions
|
||||
# Q: Now that we're using Groups and Permissions,
|
||||
# do we expose those to analysts to view?
|
||||
analyst_fieldsets = (
|
||||
(
|
||||
None,
|
||||
{
|
||||
"fields": (
|
||||
"status",
|
||||
"verification_type",
|
||||
)
|
||||
},
|
||||
),
|
||||
("User profile", {"fields": ("first_name", "middle_name", "last_name", "title", "email", "phone")}),
|
||||
(
|
||||
"Permissions",
|
||||
{
|
||||
"fields": (
|
||||
"is_active",
|
||||
"groups",
|
||||
"portfolio",
|
||||
"portfolio_roles",
|
||||
"portfolio_additional_permissions",
|
||||
)
|
||||
},
|
||||
),
|
||||
("Important dates", {"fields": ("last_login", "date_joined")}),
|
||||
)
|
||||
|
||||
# TODO: delete after we merge organization feature
|
||||
analyst_fieldsets_no_portfolio = (
|
||||
(
|
||||
None,
|
||||
{
|
||||
|
@ -710,6 +777,26 @@ class MyUserAdmin(BaseUserAdmin, ImportExportModelAdmin):
|
|||
"Important dates",
|
||||
"last_login",
|
||||
"date_joined",
|
||||
"portfolio",
|
||||
"portfolio_roles",
|
||||
"portfolio_additional_permissions",
|
||||
]
|
||||
|
||||
# TODO: delete after we merge organization feature
|
||||
analyst_readonly_fields_no_portfolio = [
|
||||
"User profile",
|
||||
"first_name",
|
||||
"middle_name",
|
||||
"last_name",
|
||||
"title",
|
||||
"email",
|
||||
"phone",
|
||||
"Permissions",
|
||||
"is_active",
|
||||
"groups",
|
||||
"Important dates",
|
||||
"last_login",
|
||||
"date_joined",
|
||||
]
|
||||
|
||||
list_filter = (
|
||||
|
@ -784,8 +871,12 @@ class MyUserAdmin(BaseUserAdmin, ImportExportModelAdmin):
|
|||
# Show all fields for all access users
|
||||
return super().get_fieldsets(request, obj)
|
||||
elif request.user.has_perm("registrar.analyst_access_permission"):
|
||||
# show analyst_fieldsets for analysts
|
||||
return self.analyst_fieldsets
|
||||
if flag_is_active(request, "organization_feature"):
|
||||
# show analyst_fieldsets for analysts
|
||||
return self.analyst_fieldsets
|
||||
else:
|
||||
# TODO: delete after we merge organization feature
|
||||
return self.analyst_fieldsets_no_portfolio
|
||||
else:
|
||||
# any admin user should belong to either full_access_group
|
||||
# or cisa_analyst_group
|
||||
|
@ -799,7 +890,11 @@ class MyUserAdmin(BaseUserAdmin, ImportExportModelAdmin):
|
|||
else:
|
||||
# Return restrictive Read-only fields for analysts and
|
||||
# users who might not belong to groups
|
||||
return self.analyst_readonly_fields
|
||||
if flag_is_active(request, "organization_feature"):
|
||||
return self.analyst_readonly_fields
|
||||
else:
|
||||
# TODO: delete after we merge organization feature
|
||||
return self.analyst_readonly_fields_no_portfolio
|
||||
|
||||
def change_view(self, request, object_id, form_url="", extra_context=None):
|
||||
"""Add user's related domains and requests to context"""
|
||||
|
@ -1002,6 +1097,16 @@ class ContactAdmin(ListHeaderAdmin, ImportExportModelAdmin):
|
|||
# Get the filtered values
|
||||
return super().changelist_view(request, extra_context=extra_context)
|
||||
|
||||
def save_model(self, request, obj, form, change):
|
||||
# Clear warning messages before saving
|
||||
storage = messages.get_messages(request)
|
||||
storage.used = False
|
||||
for message in storage:
|
||||
if message.level == messages.WARNING:
|
||||
storage.used = True
|
||||
|
||||
return super().save_model(request, obj, form, change)
|
||||
|
||||
|
||||
class SeniorOfficialAdmin(ListHeaderAdmin):
|
||||
"""Custom Senior Official Admin class."""
|
||||
|
@ -1286,10 +1391,11 @@ class DomainInformationAdmin(ListHeaderAdmin, ImportExportModelAdmin):
|
|||
]
|
||||
|
||||
# Readonly fields for analysts and superusers
|
||||
readonly_fields = ("other_contacts", "is_election_board", "federal_agency")
|
||||
readonly_fields = ("other_contacts", "is_election_board")
|
||||
|
||||
# Read only that we'll leverage for CISA Analysts
|
||||
analyst_readonly_fields = [
|
||||
"federal_agency",
|
||||
"creator",
|
||||
"type_of_work",
|
||||
"more_organization_information",
|
||||
|
@ -1602,12 +1708,12 @@ class DomainRequestAdmin(ListHeaderAdmin, ImportExportModelAdmin):
|
|||
"current_websites",
|
||||
"alternative_domains",
|
||||
"is_election_board",
|
||||
"federal_agency",
|
||||
"status_history",
|
||||
)
|
||||
|
||||
# Read only that we'll leverage for CISA Analysts
|
||||
analyst_readonly_fields = [
|
||||
"federal_agency",
|
||||
"creator",
|
||||
"about_your_organization",
|
||||
"requested_domain",
|
||||
|
@ -2660,26 +2766,38 @@ class VerifiedByStaffAdmin(ListHeaderAdmin):
|
|||
|
||||
|
||||
class PortfolioAdmin(ListHeaderAdmin):
|
||||
# NOTE: these are just placeholders. Not part of ACs (haven't been defined yet). Update in future tickets.
|
||||
|
||||
change_form_template = "django/admin/portfolio_change_form.html"
|
||||
|
||||
list_display = ("organization_name", "federal_agency", "creator")
|
||||
search_fields = ["organization_name"]
|
||||
search_help_text = "Search by organization name."
|
||||
# readonly_fields = [
|
||||
# "requestor",
|
||||
# ]
|
||||
|
||||
# Creates select2 fields (with search bars)
|
||||
autocomplete_fields = [
|
||||
"creator",
|
||||
"federal_agency",
|
||||
]
|
||||
|
||||
def change_view(self, request, object_id, form_url="", extra_context=None):
|
||||
"""Add related suborganizations and domain groups"""
|
||||
obj = self.get_object(request, object_id)
|
||||
|
||||
# ---- Domain Groups
|
||||
domain_groups = DomainGroup.objects.filter(portfolio=obj)
|
||||
|
||||
# ---- Suborganizations
|
||||
suborganizations = Suborganization.objects.filter(portfolio=obj)
|
||||
|
||||
extra_context = {"domain_groups": domain_groups, "suborganizations": suborganizations}
|
||||
return super().change_view(request, object_id, form_url, extra_context)
|
||||
|
||||
def save_model(self, request, obj, form, change):
|
||||
|
||||
if obj.creator is not None:
|
||||
# ---- update creator ----
|
||||
# Set the creator field to the current admin user
|
||||
obj.creator = request.user if request.user.is_authenticated else None
|
||||
|
||||
# ---- update organization name ----
|
||||
# org name will be the same as federal agency, if it is federal,
|
||||
# otherwise it will be the actual org name. If nothing is entered for
|
||||
|
@ -2688,7 +2806,6 @@ class PortfolioAdmin(ListHeaderAdmin):
|
|||
is_federal = obj.organization_type == DomainRequest.OrganizationChoices.FEDERAL
|
||||
if is_federal and obj.organization_name is None:
|
||||
obj.organization_name = obj.federal_agency.agency
|
||||
|
||||
super().save_model(request, obj, form, change)
|
||||
|
||||
|
||||
|
|
|
@ -305,6 +305,8 @@ function addOrRemoveSessionBoolean(name, add){
|
|||
// "to" select list
|
||||
checkToListThenInitWidget('id_groups_to', 0);
|
||||
checkToListThenInitWidget('id_user_permissions_to', 0);
|
||||
checkToListThenInitWidget('id_portfolio_roles_to', 0);
|
||||
checkToListThenInitWidget('id_portfolio_additional_permissions_to', 0);
|
||||
})();
|
||||
|
||||
// Function to check for the existence of the "to" select list element in the DOM, and if and when found,
|
||||
|
|
|
@ -657,6 +657,34 @@ function hideDeletedForms() {
|
|||
});
|
||||
}
|
||||
|
||||
// Checks for if we want to display Urbanization or not
|
||||
document.addEventListener('DOMContentLoaded', function() {
|
||||
var stateTerritoryField = document.querySelector('select[name="organization_contact-state_territory"]');
|
||||
|
||||
if (!stateTerritoryField) {
|
||||
return; // Exit if the field not found
|
||||
}
|
||||
|
||||
setupUrbanizationToggle(stateTerritoryField);
|
||||
});
|
||||
|
||||
function setupUrbanizationToggle(stateTerritoryField) {
|
||||
var urbanizationField = document.getElementById('urbanization-field');
|
||||
|
||||
function toggleUrbanizationField() {
|
||||
// Checking specifically for Puerto Rico only
|
||||
if (stateTerritoryField.value === 'PR') {
|
||||
urbanizationField.style.display = 'block';
|
||||
} else {
|
||||
urbanizationField.style.display = 'none';
|
||||
}
|
||||
}
|
||||
|
||||
toggleUrbanizationField();
|
||||
|
||||
stateTerritoryField.addEventListener('change', toggleUrbanizationField);
|
||||
}
|
||||
|
||||
/**
|
||||
* An IIFE that attaches a click handler for our dynamic formsets
|
||||
*
|
||||
|
|
|
@ -244,6 +244,7 @@ TEMPLATES = [
|
|||
"registrar.context_processors.add_portfolio_to_context",
|
||||
"registrar.context_processors.add_path_to_context",
|
||||
"registrar.context_processors.add_has_profile_feature_flag_to_context",
|
||||
"registrar.context_processors.portfolio_permissions",
|
||||
],
|
||||
},
|
||||
},
|
||||
|
|
|
@ -25,7 +25,7 @@ from registrar.views.domain_request import Step
|
|||
from registrar.views.domain_requests_json import get_domain_requests_json
|
||||
from registrar.views.domains_json import get_domains_json
|
||||
from registrar.views.utility import always_404
|
||||
from registrar.views.portfolios import portfolio_domains, portfolio_domain_requests
|
||||
from registrar.views.portfolios import PortfolioDomainsView, PortfolioDomainRequestsView, PortfolioOrganizationView
|
||||
from api.views import available, get_current_federal, get_current_full
|
||||
|
||||
|
||||
|
@ -61,14 +61,19 @@ urlpatterns = [
|
|||
path("", views.index, name="home"),
|
||||
path(
|
||||
"portfolio/<int:portfolio_id>/domains/",
|
||||
portfolio_domains,
|
||||
PortfolioDomainsView.as_view(),
|
||||
name="portfolio-domains",
|
||||
),
|
||||
path(
|
||||
"portfolio/<int:portfolio_id>/domain_requests/",
|
||||
portfolio_domain_requests,
|
||||
PortfolioDomainRequestsView.as_view(),
|
||||
name="portfolio-domain-requests",
|
||||
),
|
||||
path(
|
||||
"portfolio/<int:portfolio_id>/organization/",
|
||||
PortfolioOrganizationView.as_view(),
|
||||
name="portfolio-organization",
|
||||
),
|
||||
path(
|
||||
"admin/logout/",
|
||||
RedirectView.as_view(pattern_name="logout", permanent=False),
|
||||
|
|
|
@ -60,3 +60,26 @@ def add_path_to_context(request):
|
|||
|
||||
def add_has_profile_feature_flag_to_context(request):
|
||||
return {"has_profile_feature_flag": flag_is_active(request, "profile_feature")}
|
||||
|
||||
|
||||
def portfolio_permissions(request):
|
||||
"""Make portfolio permissions for the request user available in global context"""
|
||||
try:
|
||||
if not request.user or not request.user.is_authenticated:
|
||||
return {
|
||||
"has_base_portfolio_permission": False,
|
||||
"has_domains_portfolio_permission": False,
|
||||
"has_domain_requests_portfolio_permission": False,
|
||||
}
|
||||
return {
|
||||
"has_base_portfolio_permission": request.user.has_base_portfolio_permission(),
|
||||
"has_domains_portfolio_permission": request.user.has_domains_portfolio_permission(),
|
||||
"has_domain_requests_portfolio_permission": request.user.has_domain_requests_portfolio_permission(),
|
||||
}
|
||||
except AttributeError:
|
||||
# Handles cases where request.user might not exist
|
||||
return {
|
||||
"has_base_portfolio_permission": False,
|
||||
"has_domains_portfolio_permission": False,
|
||||
"has_domain_requests_portfolio_permission": False,
|
||||
}
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
# Generated by Django 4.2.10 on 2024-07-22 19:19
|
||||
|
||||
from django.conf import settings
|
||||
import django.contrib.postgres.fields
|
||||
from django.db import migrations, models
|
||||
import django.db.models.deletion
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("registrar", "0112_remove_contact_registrar_c_user_id_4059c4_idx_and_more"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name="user",
|
||||
name="portfolio",
|
||||
field=models.ForeignKey(
|
||||
blank=True,
|
||||
null=True,
|
||||
on_delete=django.db.models.deletion.SET_NULL,
|
||||
related_name="user",
|
||||
to="registrar.portfolio",
|
||||
),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name="user",
|
||||
name="portfolio_additional_permissions",
|
||||
field=django.contrib.postgres.fields.ArrayField(
|
||||
base_field=models.CharField(
|
||||
choices=[
|
||||
("view_all_domains", "View all domains and domain reports"),
|
||||
("view_managed_domains", "View managed domains"),
|
||||
("edit_domains", "User is a manager on a domain"),
|
||||
("view_member", "View members"),
|
||||
("edit_member", "Create and edit members"),
|
||||
("view_all_requests", "View all requests"),
|
||||
("view_created_requests", "View created requests"),
|
||||
("edit_requests", "Create and edit requests"),
|
||||
("view_portfolio", "View organization"),
|
||||
("edit_portfolio", "Edit organization"),
|
||||
],
|
||||
max_length=50,
|
||||
),
|
||||
blank=True,
|
||||
help_text="Select one or more additional permissions.",
|
||||
null=True,
|
||||
size=None,
|
||||
),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name="user",
|
||||
name="portfolio_roles",
|
||||
field=django.contrib.postgres.fields.ArrayField(
|
||||
base_field=models.CharField(
|
||||
choices=[
|
||||
("organization_admin", "Admin"),
|
||||
("organization_admin_read_only", "Admin read only"),
|
||||
("organization_member", "Member"),
|
||||
],
|
||||
max_length=50,
|
||||
),
|
||||
blank=True,
|
||||
help_text="Select one or more roles.",
|
||||
null=True,
|
||||
size=None,
|
||||
),
|
||||
),
|
||||
migrations.AlterField(
|
||||
model_name="portfolio",
|
||||
name="creator",
|
||||
field=models.ForeignKey(
|
||||
help_text="Associated user",
|
||||
on_delete=django.db.models.deletion.PROTECT,
|
||||
related_name="created_portfolios",
|
||||
to=settings.AUTH_USER_MODEL,
|
||||
),
|
||||
),
|
||||
]
|
|
@ -23,7 +23,13 @@ class Portfolio(TimeStampedModel):
|
|||
|
||||
# Stores who created this model. If no creator is specified in DJA,
|
||||
# then the creator will default to the current request user"""
|
||||
creator = models.ForeignKey("registrar.User", on_delete=models.PROTECT, help_text="Associated user", unique=False)
|
||||
creator = models.ForeignKey(
|
||||
"registrar.User",
|
||||
on_delete=models.PROTECT,
|
||||
help_text="Associated user",
|
||||
related_name="created_portfolios",
|
||||
unique=False,
|
||||
)
|
||||
|
||||
notes = models.TextField(
|
||||
null=True,
|
||||
|
|
|
@ -4,7 +4,6 @@ from django.contrib.auth.models import AbstractUser
|
|||
from django.db import models
|
||||
from django.db.models import Q
|
||||
|
||||
from registrar.models.portfolio import Portfolio
|
||||
from registrar.models.user_domain_role import UserDomainRole
|
||||
|
||||
from .domain_invitation import DomainInvitation
|
||||
|
@ -12,6 +11,7 @@ from .transition_domain import TransitionDomain
|
|||
from .verified_by_staff import VerifiedByStaff
|
||||
from .domain import Domain
|
||||
from .domain_request import DomainRequest
|
||||
from django.contrib.postgres.fields import ArrayField
|
||||
from waffle.decorators import flag_is_active
|
||||
|
||||
from phonenumber_field.modelfields import PhoneNumberField # type: ignore
|
||||
|
@ -62,6 +62,57 @@ class User(AbstractUser):
|
|||
# after they login.
|
||||
FIXTURE_USER = "fixture_user", "Created by fixtures"
|
||||
|
||||
class UserPortfolioRoleChoices(models.TextChoices):
|
||||
"""
|
||||
Roles make it easier for admins to look at
|
||||
"""
|
||||
|
||||
ORGANIZATION_ADMIN = "organization_admin", "Admin"
|
||||
ORGANIZATION_ADMIN_READ_ONLY = "organization_admin_read_only", "Admin read only"
|
||||
ORGANIZATION_MEMBER = "organization_member", "Member"
|
||||
|
||||
class UserPortfolioPermissionChoices(models.TextChoices):
|
||||
""" """
|
||||
|
||||
VIEW_ALL_DOMAINS = "view_all_domains", "View all domains and domain reports"
|
||||
VIEW_MANAGED_DOMAINS = "view_managed_domains", "View managed domains"
|
||||
# EDIT_DOMAINS is really self.domains. We add is hear and leverage it in has_permission
|
||||
# so we have one way to test for portfolio and domain edit permissions
|
||||
# Do we need to check for portfolio domains specifically?
|
||||
# NOTE: A user on an org can currently invite a user outside the org
|
||||
EDIT_DOMAINS = "edit_domains", "User is a manager on a domain"
|
||||
|
||||
VIEW_MEMBER = "view_member", "View members"
|
||||
EDIT_MEMBER = "edit_member", "Create and edit members"
|
||||
|
||||
VIEW_ALL_REQUESTS = "view_all_requests", "View all requests"
|
||||
VIEW_CREATED_REQUESTS = "view_created_requests", "View created requests"
|
||||
EDIT_REQUESTS = "edit_requests", "Create and edit requests"
|
||||
|
||||
VIEW_PORTFOLIO = "view_portfolio", "View organization"
|
||||
EDIT_PORTFOLIO = "edit_portfolio", "Edit organization"
|
||||
|
||||
PORTFOLIO_ROLE_PERMISSIONS = {
|
||||
UserPortfolioRoleChoices.ORGANIZATION_ADMIN: [
|
||||
UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
|
||||
UserPortfolioPermissionChoices.VIEW_MEMBER,
|
||||
UserPortfolioPermissionChoices.EDIT_MEMBER,
|
||||
UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
|
||||
UserPortfolioPermissionChoices.EDIT_REQUESTS,
|
||||
UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
|
||||
UserPortfolioPermissionChoices.EDIT_PORTFOLIO,
|
||||
],
|
||||
UserPortfolioRoleChoices.ORGANIZATION_ADMIN_READ_ONLY: [
|
||||
UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
|
||||
UserPortfolioPermissionChoices.VIEW_MEMBER,
|
||||
UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
|
||||
UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
|
||||
],
|
||||
UserPortfolioRoleChoices.ORGANIZATION_MEMBER: [
|
||||
UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
|
||||
],
|
||||
}
|
||||
|
||||
# #### Constants for choice fields ####
|
||||
RESTRICTED = "restricted"
|
||||
STATUS_CHOICES = ((RESTRICTED, RESTRICTED),)
|
||||
|
@ -82,6 +133,34 @@ class User(AbstractUser):
|
|||
related_name="users",
|
||||
)
|
||||
|
||||
portfolio = models.ForeignKey(
|
||||
"registrar.Portfolio",
|
||||
null=True,
|
||||
blank=True,
|
||||
related_name="user",
|
||||
on_delete=models.SET_NULL,
|
||||
)
|
||||
|
||||
portfolio_roles = ArrayField(
|
||||
models.CharField(
|
||||
max_length=50,
|
||||
choices=UserPortfolioRoleChoices.choices,
|
||||
),
|
||||
null=True,
|
||||
blank=True,
|
||||
help_text="Select one or more roles.",
|
||||
)
|
||||
|
||||
portfolio_additional_permissions = ArrayField(
|
||||
models.CharField(
|
||||
max_length=50,
|
||||
choices=UserPortfolioPermissionChoices.choices,
|
||||
),
|
||||
null=True,
|
||||
blank=True,
|
||||
help_text="Select one or more additional permissions.",
|
||||
)
|
||||
|
||||
phone = PhoneNumberField(
|
||||
null=True,
|
||||
blank=True,
|
||||
|
@ -172,6 +251,57 @@ class User(AbstractUser):
|
|||
def has_contact_info(self):
|
||||
return bool(self.title or self.email or self.phone)
|
||||
|
||||
def _get_portfolio_permissions(self):
|
||||
"""
|
||||
Retrieve the permissions for the user's portfolio roles.
|
||||
"""
|
||||
portfolio_permissions = set() # Use a set to avoid duplicate permissions
|
||||
|
||||
if self.portfolio_roles:
|
||||
for role in self.portfolio_roles:
|
||||
if role in self.PORTFOLIO_ROLE_PERMISSIONS:
|
||||
portfolio_permissions.update(self.PORTFOLIO_ROLE_PERMISSIONS[role])
|
||||
if self.portfolio_additional_permissions:
|
||||
portfolio_permissions.update(self.portfolio_additional_permissions)
|
||||
return list(portfolio_permissions) # Convert back to list if necessary
|
||||
|
||||
def _has_portfolio_permission(self, portfolio_permission):
|
||||
"""The views should only call this function when testing for perms and not rely on roles."""
|
||||
|
||||
# EDIT_DOMAINS === user is a manager on a domain (has UserDomainRole)
|
||||
# NOTE: Should we check whether the domain is in the portfolio?
|
||||
if portfolio_permission == self.UserPortfolioPermissionChoices.EDIT_DOMAINS and self.domains.exists():
|
||||
return True
|
||||
|
||||
if not self.portfolio:
|
||||
return False
|
||||
|
||||
portfolio_permissions = self._get_portfolio_permissions()
|
||||
|
||||
return portfolio_permission in portfolio_permissions
|
||||
|
||||
# the methods below are checks for individual portfolio permissions. they are defined here
|
||||
# to make them easier to call elsewhere throughout the application
|
||||
def has_base_portfolio_permission(self):
|
||||
return self._has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO)
|
||||
|
||||
def has_domains_portfolio_permission(self):
|
||||
return (
|
||||
self._has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS)
|
||||
or self._has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_MANAGED_DOMAINS)
|
||||
# or self._has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
|
||||
)
|
||||
|
||||
def has_edit_domains_portfolio_permission(self):
|
||||
return self._has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
|
||||
|
||||
def has_domain_requests_portfolio_permission(self):
|
||||
return (
|
||||
self._has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS)
|
||||
or self._has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_CREATED_REQUESTS)
|
||||
# or self._has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_REQUESTS)
|
||||
)
|
||||
|
||||
@classmethod
|
||||
def needs_identity_verification(cls, email, uuid):
|
||||
"""A method used by our oidc classes to test whether a user needs email/uuid verification
|
||||
|
@ -293,6 +423,4 @@ class User(AbstractUser):
|
|||
|
||||
def is_org_user(self, request):
|
||||
has_organization_feature_flag = flag_is_active(request, "organization_feature")
|
||||
user_portfolios_exist = Portfolio.objects.filter(creator=self).exists()
|
||||
|
||||
return has_organization_feature_flag and user_portfolios_exist
|
||||
return has_organization_feature_flag and self.has_base_portfolio_permission()
|
||||
|
|
|
@ -6,7 +6,6 @@ import logging
|
|||
from urllib.parse import parse_qs
|
||||
from django.urls import reverse
|
||||
from django.http import HttpResponseRedirect
|
||||
from registrar.models.portfolio import Portfolio
|
||||
from registrar.models.user import User
|
||||
from waffle.decorators import flag_is_active
|
||||
|
||||
|
@ -141,16 +140,20 @@ class CheckPortfolioMiddleware:
|
|||
def process_view(self, request, view_func, view_args, view_kwargs):
|
||||
current_path = request.path
|
||||
|
||||
if request.user.is_authenticated and request.user.is_org_user(request):
|
||||
user_portfolios = Portfolio.objects.filter(creator=request.user)
|
||||
first_portfolio = user_portfolios.first()
|
||||
if current_path == self.home and request.user.is_authenticated and request.user.is_org_user(request):
|
||||
|
||||
if request.user.has_base_portfolio_permission():
|
||||
portfolio = request.user.portfolio
|
||||
|
||||
if first_portfolio:
|
||||
# Add the portfolio to the request object
|
||||
request.portfolio = first_portfolio
|
||||
request.portfolio = portfolio
|
||||
|
||||
if current_path == self.home:
|
||||
home_with_portfolio = reverse("portfolio-domains", kwargs={"portfolio_id": first_portfolio.id})
|
||||
return HttpResponseRedirect(home_with_portfolio)
|
||||
if request.user.has_domains_portfolio_permission():
|
||||
portfolio_redirect = reverse("portfolio-domains", kwargs={"portfolio_id": portfolio.id})
|
||||
else:
|
||||
# View organization is the lowest access
|
||||
portfolio_redirect = reverse("portfolio-organization", kwargs={"portfolio_id": portfolio.id})
|
||||
|
||||
return HttpResponseRedirect(portfolio_redirect)
|
||||
|
||||
return None
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
{% extends 'django/admin/email_clipboard_change_form.html' %}
|
||||
{% load i18n static %}
|
||||
|
||||
{% block after_related_objects %}
|
||||
<div class="module aligned padding-3">
|
||||
<h2>Associated groups and suborganizations</h2>
|
||||
<div class="grid-row grid-gap mobile:padding-x-1 desktop:padding-x-4">
|
||||
<div class="mobile:grid-col-12 tablet:grid-col-6 desktop:grid-col-4">
|
||||
<h3>Domain groups</h3>
|
||||
<ul class="margin-0 padding-0">
|
||||
{% for domain_group in domain_groups %}
|
||||
<li>
|
||||
<a href="{% url 'admin:registrar_domaingroup_change' domain_group.pk %}">
|
||||
{{ domain_group.name }}
|
||||
</a>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</div>
|
||||
<div class="mobile:grid-col-12 tablet:grid-col-6 desktop:grid-col-4">
|
||||
<h3>Suborganizations</h3>
|
||||
<ul class="margin-0 padding-0">
|
||||
{% for suborg in suborganizations %}
|
||||
<li>
|
||||
<a href="{% url 'admin:registrar_suborganization_change' suborg.pk %}">
|
||||
{{ suborg.name }}
|
||||
</a>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endblock %}
|
|
@ -1,5 +1,5 @@
|
|||
{% extends 'domain_request_form.html' %}
|
||||
{% load field_helpers url_helpers %}
|
||||
{% load field_helpers url_helpers static %}
|
||||
|
||||
{% block form_instructions %}
|
||||
<p>If your domain request is approved, the name of your organization and your city/state will be listed in <a href="{% public_site_url 'about/data/' %}" target="_blank">.gov’s public data.</a></p>
|
||||
|
@ -37,7 +37,12 @@
|
|||
{% input_with_errors forms.0.zipcode %}
|
||||
{% endwith %}
|
||||
|
||||
{% input_with_errors forms.0.urbanization %}
|
||||
<div id="urbanization-field" style="display: none;">
|
||||
{% input_with_errors forms.0.urbanization %}
|
||||
</div>
|
||||
|
||||
</fieldset>
|
||||
{% endblock %}
|
||||
|
||||
<script src="{% static 'js/get-gov.js' %}" defer></script>
|
||||
|
||||
|
|
|
@ -12,31 +12,36 @@
|
|||
<img src="{%static 'img/usa-icons/close.svg'%}" role="img" alt="Close" />
|
||||
</button>
|
||||
<ul class="usa-nav__primary usa-accordion">
|
||||
<li class="usa-nav__primary-item">
|
||||
{% url 'portfolio-domains' portfolio.id as url %}
|
||||
<a href="{{ url }}" class="usa-nav-link{% if request.path == url %} usa-current{% endif %}">
|
||||
Domains
|
||||
</a>
|
||||
</li>
|
||||
{% if has_domains_portfolio_permission %}
|
||||
<li class="usa-nav__primary-item">
|
||||
{% url 'portfolio-domains' portfolio.id as url %}
|
||||
<a href="{{ url }}" class="usa-nav-link{% if request.path == url %} usa-current{% endif %}">
|
||||
Domains
|
||||
</a>
|
||||
</li>
|
||||
{% endif %}
|
||||
<li class="usa-nav__primary-item">
|
||||
<a href="#" class="usa-nav-link">
|
||||
Domain groups
|
||||
</a>
|
||||
</li>
|
||||
<li class="usa-nav__primary-item">
|
||||
{% url 'portfolio-domain-requests' portfolio.id as url %}
|
||||
<a href="{{ url }}" class="usa-nav-link{% if request.path == url %} usa-current{% endif %}">
|
||||
Domain requests
|
||||
</a>
|
||||
</li>
|
||||
{% if has_domain_requests_portfolio_permission %}
|
||||
<li class="usa-nav__primary-item">
|
||||
{% url 'portfolio-domain-requests' portfolio.id as url %}
|
||||
<a href="{{ url }}" class="usa-nav-link{% if request.path == url %} usa-current{% endif %}">
|
||||
Domain requests
|
||||
</a>
|
||||
</li>
|
||||
{% endif %}
|
||||
<li class="usa-nav__primary-item">
|
||||
<a href="#" class="usa-nav-link">
|
||||
Members
|
||||
</a>
|
||||
</li>
|
||||
<li class="usa-nav__primary-item">
|
||||
{% url 'portfolio-organization' portfolio.id as url %}
|
||||
<!-- Move the padding from the a to the span so that the descenders do not get cut off -->
|
||||
<a href="#" class="usa-nav-link padding-y-0">
|
||||
<a href="{{ url }}" class="usa-nav-link padding-y-0">
|
||||
<span class="ellipsis ellipsis--23 ellipsis--desktop-50 padding-y-1 desktop:padding-y-2">
|
||||
{{ portfolio.organization_name }}
|
||||
</span>
|
||||
|
|
8
src/registrar/templates/portfolio_organization.html
Normal file
8
src/registrar/templates/portfolio_organization.html
Normal file
|
@ -0,0 +1,8 @@
|
|||
{% extends 'portfolio_base.html' %}
|
||||
|
||||
{% load static %}
|
||||
|
||||
{% block portfolio_content %}
|
||||
<h1>Organization</h1>
|
||||
|
||||
{% endblock %}
|
|
@ -2305,7 +2305,6 @@ class TestDomainRequestAdmin(MockEppLib):
|
|||
"current_websites",
|
||||
"alternative_domains",
|
||||
"is_election_board",
|
||||
"federal_agency",
|
||||
"status_history",
|
||||
"id",
|
||||
"created_at",
|
||||
|
@ -2366,8 +2365,8 @@ class TestDomainRequestAdmin(MockEppLib):
|
|||
"current_websites",
|
||||
"alternative_domains",
|
||||
"is_election_board",
|
||||
"federal_agency",
|
||||
"status_history",
|
||||
"federal_agency",
|
||||
"creator",
|
||||
"about_your_organization",
|
||||
"requested_domain",
|
||||
|
@ -2397,7 +2396,6 @@ class TestDomainRequestAdmin(MockEppLib):
|
|||
"current_websites",
|
||||
"alternative_domains",
|
||||
"is_election_board",
|
||||
"federal_agency",
|
||||
"status_history",
|
||||
]
|
||||
|
||||
|
@ -3659,7 +3657,15 @@ class TestMyUserAdmin(MockDb):
|
|||
},
|
||||
),
|
||||
("User profile", {"fields": ("first_name", "middle_name", "last_name", "title", "email", "phone")}),
|
||||
("Permissions", {"fields": ("is_active", "groups")}),
|
||||
(
|
||||
"Permissions",
|
||||
{
|
||||
"fields": (
|
||||
"is_active",
|
||||
"groups",
|
||||
)
|
||||
},
|
||||
),
|
||||
("Important dates", {"fields": ("last_login", "date_joined")}),
|
||||
)
|
||||
self.assertEqual(fieldsets, expected_fieldsets)
|
||||
|
@ -3755,6 +3761,22 @@ class TestMyUserAdmin(MockDb):
|
|||
expected_href = reverse("admin:registrar_domain_change", args=[domain_deleted.pk])
|
||||
self.assertNotContains(response, expected_href)
|
||||
|
||||
def test_analyst_cannot_see_selects_for_portfolio_role_and_permissions_in_user_form(self):
|
||||
"""Can only test for the presence of a base element. The multiselects and the h2->h3 conversion are all
|
||||
dynamically generated."""
|
||||
|
||||
p = "userpass"
|
||||
self.client.login(username="staffuser", password=p)
|
||||
response = self.client.get(
|
||||
"/admin/registrar/user/{}/change/".format(self.meoward_user.id),
|
||||
follow=True,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
self.assertNotContains(response, "Portfolio roles:")
|
||||
self.assertNotContains(response, "Portfolio additional permissions:")
|
||||
|
||||
|
||||
class AuditedAdminTest(TestCase):
|
||||
def setUp(self):
|
||||
|
|
|
@ -19,6 +19,7 @@ from registrar.models import (
|
|||
)
|
||||
|
||||
import boto3_mocking
|
||||
from registrar.models.portfolio import Portfolio
|
||||
from registrar.models.transition_domain import TransitionDomain
|
||||
from registrar.models.verified_by_staff import VerifiedByStaff # type: ignore
|
||||
from registrar.utility.constants import BranchChoices
|
||||
|
@ -1214,6 +1215,68 @@ class TestUser(TestCase):
|
|||
self.user.phone = None
|
||||
self.assertFalse(self.user.has_contact_info())
|
||||
|
||||
def test_has_portfolio_permission(self):
|
||||
"""
|
||||
0. Returns False when user does not have a permission
|
||||
1. Returns False when a user does not have a portfolio
|
||||
2. Returns True when user has direct permission
|
||||
3. Returns True when user has permission through a role
|
||||
4. Returns True EDIT_DOMAINS when user does not have the perm but has UserDomainRole
|
||||
|
||||
Note: This tests _get_portfolio_permissions as a side effect
|
||||
"""
|
||||
portfolio, _ = Portfolio.objects.get_or_create(creator=self.user, organization_name="Hotel California")
|
||||
|
||||
self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
|
||||
user_can_view_all_domains = self.user.has_domains_portfolio_permission()
|
||||
user_can_view_all_requests = self.user.has_domain_requests_portfolio_permission()
|
||||
user_can_edit_domains = self.user.has_edit_domains_portfolio_permission()
|
||||
|
||||
self.assertFalse(user_can_view_all_domains)
|
||||
self.assertFalse(user_can_view_all_requests)
|
||||
self.assertFalse(user_can_edit_domains)
|
||||
|
||||
self.user.portfolio = portfolio
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
|
||||
user_can_view_all_domains = self.user.has_domains_portfolio_permission()
|
||||
user_can_view_all_requests = self.user.has_domain_requests_portfolio_permission()
|
||||
user_can_edit_domains = self.user.has_edit_domains_portfolio_permission()
|
||||
|
||||
self.assertTrue(user_can_view_all_domains)
|
||||
self.assertFalse(user_can_view_all_requests)
|
||||
self.assertFalse(user_can_edit_domains)
|
||||
|
||||
self.user.portfolio_roles = [User.UserPortfolioRoleChoices.ORGANIZATION_ADMIN]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
|
||||
user_can_view_all_domains = self.user.has_domains_portfolio_permission()
|
||||
user_can_view_all_requests = self.user.has_domain_requests_portfolio_permission()
|
||||
user_can_edit_domains = self.user.has_edit_domains_portfolio_permission()
|
||||
|
||||
self.assertTrue(user_can_view_all_domains)
|
||||
self.assertTrue(user_can_view_all_requests)
|
||||
self.assertFalse(user_can_edit_domains)
|
||||
|
||||
UserDomainRole.objects.all().get_or_create(
|
||||
user=self.user, domain=self.domain, role=UserDomainRole.Roles.MANAGER
|
||||
)
|
||||
|
||||
user_can_view_all_domains = self.user.has_domains_portfolio_permission()
|
||||
user_can_view_all_requests = self.user.has_domain_requests_portfolio_permission()
|
||||
user_can_edit_domains = self.user.has_edit_domains_portfolio_permission()
|
||||
|
||||
self.assertTrue(user_can_view_all_domains)
|
||||
self.assertTrue(user_can_view_all_requests)
|
||||
self.assertTrue(user_can_edit_domains)
|
||||
|
||||
Portfolio.objects.all().delete()
|
||||
|
||||
|
||||
class TestContact(TestCase):
|
||||
def setUp(self):
|
||||
|
|
|
@ -559,7 +559,6 @@ class ExportDataTest(MockDb, MockEppLib):
|
|||
csv_file.seek(0)
|
||||
# Read the content into a variable
|
||||
csv_content = csv_file.read()
|
||||
print(csv_content)
|
||||
expected_content = (
|
||||
# Header
|
||||
"Domain request,Status,Domain type,Federal type,"
|
||||
|
|
|
@ -1053,23 +1053,6 @@ class PortfoliosTests(TestWithUser, WebTest):
|
|||
session_id = self.app.cookies[settings.SESSION_COOKIE_NAME]
|
||||
self.app.set_cookie(settings.SESSION_COOKIE_NAME, session_id)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_middleware_redirects_to_portfolio_homepage(self):
|
||||
"""Tests that a user is redirected to the portfolio homepage when organization_feature is on and
|
||||
a portfolio belongs to the user, test for the special h1s which only exist in that version
|
||||
of the homepage"""
|
||||
self.app.set_user(self.user.username)
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home")).follow()
|
||||
self._set_session_cookie()
|
||||
|
||||
# Assert that we're on the right page
|
||||
self.assertContains(portfolio_page, self.portfolio.organization_name)
|
||||
|
||||
self.assertContains(portfolio_page, '<h1 id="domains-header">Domains</h1>')
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_no_redirect_when_org_flag_false(self):
|
||||
"""No redirect so no follow,
|
||||
|
|
192
src/registrar/tests/test_views_portfolio.py
Normal file
192
src/registrar/tests/test_views_portfolio.py
Normal file
|
@ -0,0 +1,192 @@
|
|||
from django.urls import reverse
|
||||
from api.tests.common import less_console_noise_decorator
|
||||
from registrar.models.portfolio import Portfolio
|
||||
from django_webtest import WebTest # type: ignore
|
||||
from registrar.models import (
|
||||
DomainRequest,
|
||||
Domain,
|
||||
DomainInformation,
|
||||
UserDomainRole,
|
||||
User,
|
||||
)
|
||||
from .test_views import TestWithUser
|
||||
from waffle.testutils import override_flag
|
||||
|
||||
import logging
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class TestPortfolioViews(TestWithUser, WebTest):
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
self.domain, _ = Domain.objects.get_or_create(name="igorville.gov")
|
||||
self.portfolio, _ = Portfolio.objects.get_or_create(creator=self.user, organization_name="Hotel California")
|
||||
self.role, _ = UserDomainRole.objects.get_or_create(
|
||||
user=self.user, domain=self.domain, role=UserDomainRole.Roles.MANAGER
|
||||
)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_middleware_does_not_redirect_if_no_permission(self):
|
||||
"""Test that user with no portfolio permission is not redirected when attempting to access home"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home"))
|
||||
# Assert that we're on the right page
|
||||
self.assertNotContains(portfolio_page, self.portfolio.organization_name)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_middleware_does_not_redirect_if_no_portfolio(self):
|
||||
"""Test that user with no assigned portfolio is not redirected when attempting to access home"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home"))
|
||||
# Assert that we're on the right page
|
||||
self.assertNotContains(portfolio_page, self.portfolio.organization_name)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_middleware_redirects_to_portfolio_organization_page(self):
|
||||
"""Test that user with VIEW_PORTFOLIO is redirected to portfolio organization page"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home")).follow()
|
||||
# Assert that we're on the right page
|
||||
self.assertContains(portfolio_page, self.portfolio.organization_name)
|
||||
self.assertContains(portfolio_page, "<h1>Organization</h1>")
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_middleware_redirects_to_portfolio_domains_page(self):
|
||||
"""Test that user with VIEW_PORTFOLIO and VIEW_ALL_DOMAINS is redirected to portfolio domains page"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.portfolio_additional_permissions = [
|
||||
User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
|
||||
User.UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
|
||||
]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home")).follow()
|
||||
# Assert that we're on the right page
|
||||
self.assertContains(portfolio_page, self.portfolio.organization_name)
|
||||
self.assertNotContains(portfolio_page, "<h1>Organization</h1>")
|
||||
self.assertContains(portfolio_page, '<h1 id="domains-header">Domains</h1>')
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_portfolio_domains_page_403_when_user_not_have_permission(self):
|
||||
"""Test that user without proper permission is denied access to portfolio domain view"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
response = self.app.get(
|
||||
reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk}), status=403
|
||||
)
|
||||
# Assert the response is a 403 Forbidden
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_portfolio_domain_requests_page_403_when_user_not_have_permission(self):
|
||||
"""Test that user without proper permission is denied access to portfolio domain view"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
response = self.app.get(
|
||||
reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk}), status=403
|
||||
)
|
||||
# Assert the response is a 403 Forbidden
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_portfolio_organization_page_403_when_user_not_have_permission(self):
|
||||
"""Test that user without proper permission is not allowed access to portfolio organization page"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
response = self.app.get(
|
||||
reverse("portfolio-organization", kwargs={"portfolio_id": self.portfolio.pk}), status=403
|
||||
)
|
||||
# Assert the response is a 403 Forbidden
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
@less_console_noise_decorator
|
||||
def test_navigation_links_hidden_when_user_not_have_permission(self):
|
||||
"""Test that navigation links are hidden when user does not have portfolio permissions"""
|
||||
self.app.set_user(self.user.username)
|
||||
self.user.portfolio = self.portfolio
|
||||
self.user.portfolio_additional_permissions = [
|
||||
User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
|
||||
User.UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
|
||||
User.UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
|
||||
]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
with override_flag("organization_feature", active=True):
|
||||
# This will redirect the user to the portfolio page.
|
||||
# Follow implicity checks if our redirect is working.
|
||||
portfolio_page = self.app.get(reverse("home")).follow()
|
||||
# Assert that we're on the right page
|
||||
self.assertContains(portfolio_page, self.portfolio.organization_name)
|
||||
self.assertNotContains(portfolio_page, "<h1>Organization</h1>")
|
||||
self.assertContains(portfolio_page, '<h1 id="domains-header">Domains</h1>')
|
||||
self.assertContains(
|
||||
portfolio_page, reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk})
|
||||
)
|
||||
self.assertContains(
|
||||
portfolio_page, reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk})
|
||||
)
|
||||
|
||||
# reducing portfolio permissions to just VIEW_PORTFOLIO, which should remove domains
|
||||
# and domain requests from nav
|
||||
self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
|
||||
self.user.save()
|
||||
self.user.refresh_from_db()
|
||||
|
||||
portfolio_page = self.app.get(reverse("home")).follow()
|
||||
|
||||
self.assertContains(portfolio_page, self.portfolio.organization_name)
|
||||
self.assertContains(portfolio_page, "<h1>Organization</h1>")
|
||||
self.assertNotContains(portfolio_page, '<h1 id="domains-header">Domains</h1>')
|
||||
self.assertNotContains(
|
||||
portfolio_page, reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk})
|
||||
)
|
||||
self.assertNotContains(
|
||||
portfolio_page, reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk})
|
||||
)
|
||||
|
||||
def tearDown(self):
|
||||
Portfolio.objects.all().delete()
|
||||
UserDomainRole.objects.all().delete()
|
||||
DomainRequest.objects.all().delete()
|
||||
DomainInformation.objects.all().delete()
|
||||
Domain.objects.all().delete()
|
||||
super().tearDown()
|
|
@ -1,20 +1,58 @@
|
|||
from django.shortcuts import render
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.shortcuts import get_object_or_404, render
|
||||
from registrar.models.portfolio import Portfolio
|
||||
from registrar.views.utility.permission_views import (
|
||||
PortfolioDomainRequestsPermissionView,
|
||||
PortfolioDomainsPermissionView,
|
||||
PortfolioBasePermissionView,
|
||||
)
|
||||
from waffle.decorators import flag_is_active
|
||||
from django.views.generic import View
|
||||
|
||||
|
||||
@login_required
|
||||
def portfolio_domains(request, portfolio_id):
|
||||
context = {}
|
||||
class PortfolioDomainsView(PortfolioDomainsPermissionView, View):
|
||||
|
||||
return render(request, "portfolio_domains.html", context)
|
||||
template_name = "portfolio_domains.html"
|
||||
|
||||
def get(self, request, portfolio_id):
|
||||
context = {}
|
||||
|
||||
if self.request.user.is_authenticated:
|
||||
context["has_profile_feature_flag"] = flag_is_active(request, "profile_feature")
|
||||
context["has_organization_feature_flag"] = flag_is_active(request, "organization_feature")
|
||||
portfolio = get_object_or_404(Portfolio, id=portfolio_id)
|
||||
context["portfolio"] = portfolio
|
||||
|
||||
return render(request, "portfolio_domains.html", context)
|
||||
|
||||
|
||||
@login_required
|
||||
def portfolio_domain_requests(request, portfolio_id):
|
||||
context = {}
|
||||
class PortfolioDomainRequestsView(PortfolioDomainRequestsPermissionView, View):
|
||||
|
||||
if request.user.is_authenticated:
|
||||
# This controls the creation of a new domain request in the wizard
|
||||
request.session["new_request"] = True
|
||||
template_name = "portfolio_requests.html"
|
||||
|
||||
return render(request, "portfolio_requests.html", context)
|
||||
def get(self, request, portfolio_id):
|
||||
context = {}
|
||||
|
||||
if self.request.user.is_authenticated:
|
||||
context["has_profile_feature_flag"] = flag_is_active(request, "profile_feature")
|
||||
context["has_organization_feature_flag"] = flag_is_active(request, "organization_feature")
|
||||
portfolio = get_object_or_404(Portfolio, id=portfolio_id)
|
||||
context["portfolio"] = portfolio
|
||||
request.session["new_request"] = True
|
||||
|
||||
return render(request, "portfolio_requests.html", context)
|
||||
|
||||
|
||||
class PortfolioOrganizationView(PortfolioBasePermissionView, View):
|
||||
|
||||
template_name = "portfolio_organization.html"
|
||||
|
||||
def get(self, request, portfolio_id):
|
||||
context = {}
|
||||
|
||||
if self.request.user.is_authenticated:
|
||||
context["has_profile_feature_flag"] = flag_is_active(request, "profile_feature")
|
||||
context["has_organization_feature_flag"] = flag_is_active(request, "organization_feature")
|
||||
portfolio = get_object_or_404(Portfolio, id=portfolio_id)
|
||||
context["portfolio"] = portfolio
|
||||
|
||||
return render(request, "portfolio_organization.html", context)
|
||||
|
|
|
@ -398,3 +398,49 @@ class UserProfilePermission(PermissionsLoginMixin):
|
|||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
class PortfolioBasePermission(PermissionsLoginMixin):
|
||||
"""Permission mixin that redirects to portfolio pages if user
|
||||
has access, otherwise 403"""
|
||||
|
||||
def has_permission(self):
|
||||
"""Check if this user has access to this portfolio.
|
||||
|
||||
The user is in self.request.user and the portfolio can be looked
|
||||
up from the portfolio's primary key in self.kwargs["pk"]
|
||||
"""
|
||||
if not self.request.user.is_authenticated:
|
||||
return False
|
||||
|
||||
return self.request.user.has_base_portfolio_permission()
|
||||
|
||||
|
||||
class PortfolioDomainsPermission(PortfolioBasePermission):
|
||||
"""Permission mixin that allows access to portfolio domain pages if user
|
||||
has access, otherwise 403"""
|
||||
|
||||
def has_permission(self):
|
||||
"""Check if this user has access to domains for this portfolio.
|
||||
|
||||
The user is in self.request.user and the portfolio can be looked
|
||||
up from the portfolio's primary key in self.kwargs["pk"]"""
|
||||
|
||||
if not self.request.user.is_authenticated:
|
||||
return False
|
||||
return self.request.user.has_domains_portfolio_permission()
|
||||
|
||||
|
||||
class PortfolioDomainRequestsPermission(PortfolioBasePermission):
|
||||
"""Permission mixin that allows access to portfolio domain request pages if user
|
||||
has access, otherwise 403"""
|
||||
|
||||
def has_permission(self):
|
||||
"""Check if this user has access to domain requests for this portfolio.
|
||||
|
||||
The user is in self.request.user and the portfolio can be looked
|
||||
up from the portfolio's primary key in self.kwargs["pk"]"""
|
||||
|
||||
if not self.request.user.is_authenticated:
|
||||
return False
|
||||
return self.request.user.has_domain_requests_portfolio_permission()
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
import abc # abstract base class
|
||||
|
||||
from django.views.generic import DetailView, DeleteView, TemplateView
|
||||
from registrar.models import Domain, DomainRequest, DomainInvitation
|
||||
from registrar.models import Domain, DomainRequest, DomainInvitation, Portfolio
|
||||
from registrar.models.user import User
|
||||
from registrar.models.user_domain_role import UserDomainRole
|
||||
|
||||
|
@ -13,8 +13,11 @@ from .mixins import (
|
|||
DomainRequestPermissionWithdraw,
|
||||
DomainInvitationPermission,
|
||||
DomainRequestWizardPermission,
|
||||
PortfolioDomainRequestsPermission,
|
||||
PortfolioDomainsPermission,
|
||||
UserDeleteDomainRolePermission,
|
||||
UserProfilePermission,
|
||||
PortfolioBasePermission,
|
||||
)
|
||||
import logging
|
||||
|
||||
|
@ -163,3 +166,38 @@ class UserProfilePermissionView(UserProfilePermission, DetailView, abc.ABC):
|
|||
@abc.abstractmethod
|
||||
def template_name(self):
|
||||
raise NotImplementedError
|
||||
|
||||
|
||||
class PortfolioBasePermissionView(PortfolioBasePermission, DetailView, abc.ABC):
|
||||
"""Abstract base view for portfolio views that enforces permissions.
|
||||
|
||||
This abstract view cannot be instantiated. Actual views must specify
|
||||
`template_name`.
|
||||
"""
|
||||
|
||||
# DetailView property for what model this is viewing
|
||||
model = Portfolio
|
||||
# variable name in template context for the model object
|
||||
context_object_name = "portfolio"
|
||||
|
||||
# Abstract property enforces NotImplementedError on an attribute.
|
||||
@property
|
||||
@abc.abstractmethod
|
||||
def template_name(self):
|
||||
raise NotImplementedError
|
||||
|
||||
|
||||
class PortfolioDomainsPermissionView(PortfolioDomainsPermission, PortfolioBasePermissionView, abc.ABC):
|
||||
"""Abstract base view for portfolio domains views that enforces permissions.
|
||||
|
||||
This abstract view cannot be instantiated. Actual views must specify
|
||||
`template_name`.
|
||||
"""
|
||||
|
||||
|
||||
class PortfolioDomainRequestsPermissionView(PortfolioDomainRequestsPermission, PortfolioBasePermissionView, abc.ABC):
|
||||
"""Abstract base view for portfolio domain request views that enforces permissions.
|
||||
|
||||
This abstract view cannot be instantiated. Actual views must specify
|
||||
`template_name`.
|
||||
"""
|
||||
|
|
|
@ -70,6 +70,7 @@
|
|||
10038 OUTOFSCOPE http://app:8080/org-name-address
|
||||
10038 OUTOFSCOPE http://app:8080/domain_requests/
|
||||
10038 OUTOFSCOPE http://app:8080/domains/
|
||||
10038 OUTOFSCOPE http://app:8080/organization/
|
||||
# This URL always returns 404, so include it as well.
|
||||
10038 OUTOFSCOPE http://app:8080/todo
|
||||
# OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue