Merge pull request #1149 from cisagov/es/1052-add-analyst-domain-invitation-permission

#1052 Add analyst permissions to add and view domain invitations
2025-05-19 19:09:22 +02:00 · 2023-10-12 11:19:59 -07:00 · 2023-10-12 11:19:59 -07:00 · 1904c7e461
commit 1904c7e461
parent 431dfafd65 02c929ddd3
6 changed files with 58 additions and 3 deletions
--- a/docs/django-admin/roles.md
+++ b/docs/django-admin/roles.md
@ -13,7 +13,8 @@ For more details, refer to the [user group model](../../src/registrar/models/use

 We can edit and deploy new group permissions by:

-1. editing `user_group` then:
+1. Editing `user_group` then:
 2. Duplicating migration `0036_create_groups_01`
 and running migrations (append the name with a version number
-to help django detect the migration eg 0037_create_groups_02)
+to help django detect the migration eg 0037_create_groups_02)
+3. Making sure to update the dependency on the new migration with the previous migration
--- a/src/registrar/admin.py
+++ b/src/registrar/admin.py
@ -342,6 +342,12 @@ class DomainInvitationAdmin(ListHeaderAdmin):
    ]
    search_help_text = "Search by email or domain."

+    # Mark the FSM field 'status' as readonly
+    # to allow admin users to create Domain Invitations
+    # without triggering the FSM Transition Not Allowed
+    # error.
+    readonly_fields = ["status"]
+

 class DomainInformationAdmin(ListHeaderAdmin):
    """Customize domain information admin class."""
--- a/src/registrar/migrations/0037_create_groups_v01.py
+++ b/src/registrar/migrations/0037_create_groups_v01.py
@ -2,11 +2,14 @@
 # It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
+# [NOT RECOMMENDED]
 # step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
 # step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
 # step 3: fake run the latest migration in the migrations list
+# [RECOMMENDED]
 # Alternatively:
-# Only step: duplicate the migtation that loads data and run: docker-compose exec app ./manage.py migrate
+# step 1: duplicate the migration that loads data
+# step 2: docker-compose exec app ./manage.py migrate

 from django.db import migrations
 from registrar.models import UserGroup
--- a/src/registrar/migrations/0038_create_groups_v02.py
+++ b/src/registrar/migrations/0038_create_groups_v02.py
@ -0,0 +1,37 @@
+# This migration creates the create_full_access_group and create_cisa_analyst_group groups
+# It is dependent on 0035 (which populates ContentType and Permissions)
+# If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
+# in the user_group model then:
+# [NOT RECOMMENDED]
+# step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
+# step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
+# step 3: fake run the latest migration in the migrations list
+# [RECOMMENDED]
+# Alternatively:
+# step 1: duplicate the migration that loads data
+# step 2: docker-compose exec app ./manage.py migrate
+
+from django.db import migrations
+from registrar.models import UserGroup
+from typing import Any
+
+
+# For linting: RunPython expects a function reference,
+# so let's give it one
+def create_groups(apps, schema_editor) -> Any:
+    UserGroup.create_cisa_analyst_group(apps, schema_editor)
+    UserGroup.create_full_access_group(apps, schema_editor)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("registrar", "0037_create_groups_v01"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            create_groups,
+            reverse_code=migrations.RunPython.noop,
+            atomic=True,
+        ),
+    ]
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@ -51,6 +51,11 @@ class UserGroup(Group):
                "model": "user",
                "permissions": ["analyst_access_permission", "change_user"],
            },
+            {
+                "app_label": "registrar",
+                "model": "domaininvitation",
+                "permissions": ["add_domaininvitation", "view_domaininvitation"],
+            },
        ]

        # Avoid error: You can't execute queries until the end
--- a/src/registrar/tests/test_migrations.py
+++ b/src/registrar/tests/test_migrations.py
@ -32,6 +32,7 @@ class TestGroups(TestCase):
        )

        # Test permissions for cisa_analysts_group
+        # Verifies permission data migrations ran as expected.
        # Define the expected permission codenames
        expected_permissions = [
            "view_logentry",
@ -39,6 +40,8 @@ class TestGroups(TestCase):
            "view_domain",
            "change_domainapplication",
            "change_domaininformation",
+            "add_domaininvitation",
+            "view_domaininvitation",
            "change_draftdomain",
            "analyst_access_permission",
            "change_user",