Add corrected delete logic

2025-05-19 19:09:22 +02:00 · 2024-09-13 13:48:47 -06:00 · 2024-09-13 13:48:47 -06:00 · 4b8f77436d
commit 4b8f77436d
parent c1daa455ae
2 changed files with 19 additions and 5 deletions
--- a/src/registrar/views/domain_request.py
+++ b/src/registrar/views/domain_request.py
@ -796,6 +796,12 @@ class DomainRequestDeleteView(DomainRequestPermissionDeleteView):
        if status not in valid_statuses:
            return False

+        # Portfolio users cannot delete their requests if they aren't permissioned to do so 
+        if self.request.user.is_org_user(self.request):
+            portfolio = self.request.session.get("portfolio")
+            if not self.request.user.has_edit_request_portfolio_permission(portfolio):
+                return False
+
        return True

    def get_success_url(self):
--- a/src/registrar/views/domain_requests_json.py
+++ b/src/registrar/views/domain_requests_json.py
@ -25,9 +25,8 @@ def get_domain_requests_json(request):
    paginator = Paginator(objects, 10)
    page_number = request.GET.get("page", 1)
    page_obj = paginator.get_page(page_number)
-
    domain_requests = [
-        serialize_domain_request(domain_request, request.user) for domain_request in page_obj.object_list
+        serialize_domain_request(request, domain_request, request.user) for domain_request in page_obj.object_list
    ]

    return JsonResponse(
@ -90,13 +89,22 @@ def apply_sorting(queryset, request):
    return queryset.order_by(sort_by)


-def serialize_domain_request(domain_request, user):
-    # Determine if the request is deletable
-    is_deletable = domain_request.status in [
+def serialize_domain_request(request, domain_request, user):
+
+    deletable_statuses = [
        DomainRequest.DomainRequestStatus.STARTED,
        DomainRequest.DomainRequestStatus.WITHDRAWN,
    ]

+    # Determine if the request is deletable
+    if not user.is_org_user(request):
+        is_deletable = domain_request.status in deletable_statuses
+    else:
+        portfolio = request.session.get("portfolio")
+        is_deletable = (
+            domain_request.status in deletable_statuses and user.has_edit_request_portfolio_permission(portfolio)
+        ) and domain_request.creator == user
+
    # Determine action label based on user permissions and request status
    editable_statuses = [
        DomainRequest.DomainRequestStatus.STARTED,