zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-05-18 18:39:21 +02:00
Code Issues Projects Releases Packages Wiki Activity

permissions

Browse source
This commit is contained in:
zandercymatics 2024-09-18 13:22:44 -06:00
parent 5a8c271647
commit 2e53ba8c51
No known key found for this signature in database
GPG key ID: FF4636ABEC9682B7
6 changed files with 76 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

34
src/registrar/templates/includes/domain_request_status_manage.html
View file

@ -29,7 +29,11 @@
{% endblock breadcrumb %} {% endblock breadcrumb %}
{% block header %} {% block header %}
<h1>Domain request for {{ DomainRequest.requested_domain.name }}</h1> {% if not DomainRequest.requested_domain and DomainRequest.status == DomainRequest.DomainRequestStatus.STARTED %}
<h1>New domain request</h1>
{% else %}
<h1>{{ DomainRequest.requested_domain.name }}</h1>
{% endif %}
{% endblock header %} {% endblock header %}
{% block status_summary %} {% block status_summary %}
@ -50,6 +54,21 @@
</div> </div>
</div> </div>
<br> <br>
{% endblock status_summary %}
{% block status_metadata %}
{% if portfolio %}
{% if DomainRequest.creator %}
<p class="margin-top-1 margin-bottom-1">
<b class="review__step__name">Created by:</b> {{DomainRequest.creator.email|default:DomainRequest.creator.get_formatted_name }}
</p>
{% else %}
<p class="margin-top-1 margin-bottom-1">
<b class="review__step__name">No creator found:</b> this is an error, please email <a href="mailto:help@get.gov" class="usa-link">help@get.gov</a>.
</p>
{% endif %}
{% endif %}
{% with statuses=DomainRequest.DomainRequestStatus last_submitted=DomainRequest.last_submitted_date|date:"F j, Y" first_submitted=DomainRequest.first_submitted_date|date:"F j, Y" last_status_update=DomainRequest.last_status_update|date:"F j, Y" %} {% with statuses=DomainRequest.DomainRequestStatus last_submitted=DomainRequest.last_submitted_date|date:"F j, Y" first_submitted=DomainRequest.first_submitted_date|date:"F j, Y" last_status_update=DomainRequest.last_status_update|date:"F j, Y" %}
{% comment %} {% comment %}
@ -103,13 +122,18 @@
</p> </p>
{% endif %} {% endif %}
{% endwith %} {% endwith %}
{% endblock status_summary %} {% endblock status_metadata %}
{% block status_blurb %}
{% if DomainRequest.status == 'submitted' %}
<p>{% include "includes/domain_request.html" %}</p>
{% endif %}
{% endblock status_blurb %}
{% block modify_request %} {% block modify_request %}
{% if DomainRequest.status != 'rejected' %} {% if DomainRequest.status != 'withdrawn' or DomainRequest.status != 'rejected' %}
<p>{% include "includes/domain_request.html" %}</p>
<p><a href="{% url 'domain-request-withdraw-confirmation' pk=DomainRequest.id %}" class="usa-button usa-button--outline withdraw_outline"> <p><a href="{% url 'domain-request-withdraw-confirmation' pk=DomainRequest.id %}" class="usa-button usa-button--outline withdraw_outline">
Withdraw request</a> Withdraw request</a>
</p> </p>
{% endif %} {% endif %}
{% endblock modify_request %} {% endblock modify_request %}

17
src/registrar/views/domain_request.py
View file

@ -20,6 +20,7 @@ from .utility import (
DomainRequestPermissionView, DomainRequestPermissionView,
DomainRequestPermissionWithdrawView, DomainRequestPermissionWithdrawView,
DomainRequestWizardPermissionView, DomainRequestWizardPermissionView,
DomainRequestPortfolioViewonlyView,
) )
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -765,22 +766,8 @@ class DomainRequestStatus(DomainRequestPermissionView):
return True return True
class DomainRequestStatusViewOnly(DomainRequestPermissionView): class DomainRequestStatusViewOnly(DomainRequestPortfolioViewonlyView):
template_name = "domain_request_status_viewonly.html" template_name = "domain_request_status_viewonly.html"
def has_permission(self):
"""
Override of the base has_permission class to account for portfolio permissions
"""
has_base_perms = super().has_permission()
if not has_base_perms:
return False
if self.request.user.is_org_user(self.request):
portfolio = self.request.session.get("portfolio")
if not self.request.user.has_view_all_requests_portfolio_permission(portfolio):
return False
return True
class DomainRequestWithdrawConfirmation(DomainRequestPermissionWithdrawView): class DomainRequestWithdrawConfirmation(DomainRequestPermissionWithdrawView):

1
src/registrar/views/utility/__init__.py
View file

@ -8,5 +8,6 @@ from .permission_views import (
DomainInvitationPermissionDeleteView, DomainInvitationPermissionDeleteView,
DomainRequestWizardPermissionView, DomainRequestWizardPermissionView,
PortfolioMembersPermission, PortfolioMembersPermission,
DomainRequestPortfolioViewonlyView,
) )
from .api_views import get_senior_official_from_federal_agency_json from .api_views import get_senior_official_from_federal_agency_json

23
src/registrar/views/utility/mixins.py
View file

@ -289,6 +289,29 @@ class DomainRequestPermission(PermissionsLoginMixin):
return True return True
class DomainRequestPortfolioViewonlyPermission(PermissionsLoginMixin):
"""Permission mixin that redirects to domain request if user
has access, otherwise 403"""
def has_permission(self):
"""Check if this user has access to this domain request.
The user is in self.request.user and the domain needs to be looked
up from the domain's primary key in self.kwargs["pk"]
"""
if not self.request.user.is_authenticated:
return False
if not self.request.user.is_org_user(self.request):
return False
portfolio = self.request.session.get("portfolio")
if not self.request.user.has_view_all_requests_portfolio_permission(portfolio):
return False
return True
class UserDeleteDomainRolePermission(PermissionsLoginMixin): class UserDeleteDomainRolePermission(PermissionsLoginMixin):
"""Permission mixin for UserDomainRole if user """Permission mixin for UserDomainRole if user
has access, otherwise 403""" has access, otherwise 403"""

20
src/registrar/views/utility/permission_views.py
View file

@ -19,6 +19,7 @@ from .mixins import (
UserProfilePermission, UserProfilePermission,
PortfolioBasePermission, PortfolioBasePermission,
PortfolioMembersPermission, PortfolioMembersPermission,
DomainRequestPortfolioViewonlyPermission,
) )
import logging import logging
@ -100,6 +101,25 @@ class DomainRequestPermissionView(DomainRequestPermission, DetailView, abc.ABC):
raise NotImplementedError raise NotImplementedError
class DomainRequestPortfolioViewonlyView(DomainRequestPortfolioViewonlyPermission, DetailView, abc.ABC):
"""Abstract base view for domain requests that enforces permissions
This abstract view cannot be instantiated. Actual views must specify
`template_name`.
"""
# DetailView property for what model this is viewing
model = DomainRequest
# variable name in template context for the model object
context_object_name = "DomainRequest"
# Abstract property enforces NotImplementedError on an attribute.
@property
@abc.abstractmethod
def template_name(self):
raise NotImplementedError
class DomainRequestPermissionWithdrawView(DomainRequestPermissionWithdraw, DetailView, abc.ABC): class DomainRequestPermissionWithdrawView(DomainRequestPermissionWithdraw, DetailView, abc.ABC):
"""Abstract base view for domain request withdraw function """Abstract base view for domain request withdraw function