Update Staff permissions for contacts, websites, addresses and domain information and application

src/registrar/admin.py

@@ -294,6 +294,26 @@ class ContactAdmin(ListHeaderAdmin):
 
     contact.admin_order_field = "first_name"  # type: ignore
 
+    # Read only that we'll leverage for CISA Analysts
+    analyst_readonly_fields = [
+        "user",
+    ]
+
+    def get_readonly_fields(self, request, obj=None):
+        """Set the read-only state on form elements.
+        We have 1 conditions that determine which fields are read-only:
+        admin user permissions.
+        """
+
+        readonly_fields = list(self.readonly_fields)
+
+        if request.user.has_perm("registrar.full_access_permission"):
+            return readonly_fields
+        # Return restrictive Read-only fields for analysts and
+        # users who might not belong to groups
+        readonly_fields.extend([field for field in self.analyst_readonly_fields])
+        return readonly_fields  # Read-only fields for analysts
+
 
 class WebsiteAdmin(ListHeaderAdmin):
     """Custom website admin class."""
@@ -420,9 +440,6 @@ class DomainInformationAdmin(ListHeaderAdmin):
         "creator",
         "type_of_work",
         "more_organization_information",
-        "address_line1",
-        "address_line2",
-        "zipcode",
         "domain",
         "submitter",
         "no_other_contacts_rationale",
@@ -557,9 +574,6 @@ class DomainApplicationAdmin(ListHeaderAdmin):
     analyst_readonly_fields = [
         "creator",
         "about_your_organization",
-        "address_line1",
-        "address_line2",
-        "zipcode",
         "requested_domain",
         "alternative_domains",
         "purpose",

src/registrar/migrations/0040_create_groups_v03.py

@@ -0,0 +1,37 @@
+# This migration creates the create_full_access_group and create_cisa_analyst_group groups
+# It is dependent on 0035 (which populates ContentType and Permissions)
+# If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
+# in the user_group model then:
+# [NOT RECOMMENDED]
+# step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
+# step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
+# step 3: fake run the latest migration in the migrations list
+# [RECOMMENDED]
+# Alternatively:
+# step 1: duplicate the migration that loads data
+# step 2: docker-compose exec app ./manage.py migrate
+
+from django.db import migrations
+from registrar.models import UserGroup
+from typing import Any
+
+
+# For linting: RunPython expects a function reference,
+# so let's give it one
+def create_groups(apps, schema_editor) -> Any:
+    UserGroup.create_cisa_analyst_group(apps, schema_editor)
+    UserGroup.create_full_access_group(apps, schema_editor)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("registrar", "0039_alter_transitiondomain_status"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            create_groups,
+            reverse_code=migrations.RunPython.noop,
+            atomic=True,
+        ),
+    ]

src/registrar/models/user_group.py

@@ -24,7 +24,7 @@ class UserGroup(Group):
             {
                 "app_label": "registrar",
                 "model": "contact",
-                "permissions": ["view_contact"],
+                "permissions": ["change_contact"],
             },
             {
                 "app_label": "registrar",
@@ -56,6 +56,11 @@ class UserGroup(Group):
                 "model": "domaininvitation",
                 "permissions": ["add_domaininvitation", "view_domaininvitation"],
             },
+            {
+                "app_label": "registrar",
+                "model": "website",
+                "permissions": ["change_website"],
+            },
         ]
 
         # Avoid error: You can't execute queries until the end