From 5d2fec86afed8bb4b11eff1bfac4f618b47e6190 Mon Sep 17 00:00:00 2001
From: zandercymatics <141044360+zandercymatics@users.noreply.github.com>
Date: Fri, 20 Sep 2024 14:32:12 -0600
Subject: [PATCH] Expose portfolios to analysts

---
 src/registrar/admin.py                        | 54 -------------------
 .../migrations/0128_create_groups_v17.py      | 37 +++++++++++++
 src/registrar/models/user_group.py            | 15 ++++++
 3 files changed, 52 insertions(+), 54 deletions(-)
 create mode 100644 src/registrar/migrations/0128_create_groups_v17.py

diff --git a/src/registrar/admin.py b/src/registrar/admin.py
index 1c8551d4e..5da46f110 100644
--- a/src/registrar/admin.py
+++ b/src/registrar/admin.py
@@ -1543,33 +1543,6 @@ class DomainInformationAdmin(ListHeaderAdmin, ImportExportModelAdmin):
 
     change_form_template = "django/admin/domain_information_change_form.html"
 
-    superuser_only_fields = [
-        "portfolio",
-        "sub_organization",
-    ]
-
-    # DEVELOPER's NOTE:
-    # Normally, to exclude a field from an Admin form, we could simply utilize
-    # Django's "exclude" feature.  However, it causes a "missing key" error if we
-    # go that route for this particular form.  The error gets thrown by our
-    # custom fieldset.html code and is due to the fact that "exclude" removes
-    # fields from base_fields but not fieldsets.  Rather than reworking our
-    # custom frontend, it seems more straightforward (and easier to read) to simply
-    # modify the fieldsets list so that it excludes any fields we want to remove
-    # based on permissions (eg. superuser_only_fields) or other conditions.
-    def get_fieldsets(self, request, obj=None):
-        fieldsets = self.fieldsets
-
-        # Create a modified version of fieldsets to exclude certain fields
-        if not request.user.has_perm("registrar.full_access_permission"):
-            modified_fieldsets = []
-            for name, data in fieldsets:
-                fields = data.get("fields", [])
-                fields = tuple(field for field in fields if field not in DomainInformationAdmin.superuser_only_fields)
-                modified_fieldsets.append((name, {**data, "fields": fields}))
-            return modified_fieldsets
-        return fieldsets
-
     def get_readonly_fields(self, request, obj=None):
         """Set the read-only state on form elements.
         We have 1 conditions that determine which fields are read-only:
@@ -1865,33 +1838,6 @@ class DomainRequestAdmin(ListHeaderAdmin, ImportExportModelAdmin):
     ]
     filter_horizontal = ("current_websites", "alternative_domains", "other_contacts")
 
-    superuser_only_fields = [
-        "portfolio",
-        "sub_organization",
-    ]
-
-    # DEVELOPER's NOTE:
-    # Normally, to exclude a field from an Admin form, we could simply utilize
-    # Django's "exclude" feature.  However, it causes a "missing key" error if we
-    # go that route for this particular form.  The error gets thrown by our
-    # custom fieldset.html code and is due to the fact that "exclude" removes
-    # fields from base_fields but not fieldsets.  Rather than reworking our
-    # custom frontend, it seems more straightforward (and easier to read) to simply
-    # modify the fieldsets list so that it excludes any fields we want to remove
-    # based on permissions (eg. superuser_only_fields) or other conditions.
-    def get_fieldsets(self, request, obj=None):
-        fieldsets = super().get_fieldsets(request, obj)
-
-        # Create a modified version of fieldsets to exclude certain fields
-        if not request.user.has_perm("registrar.full_access_permission"):
-            modified_fieldsets = []
-            for name, data in fieldsets:
-                fields = data.get("fields", [])
-                fields = tuple(field for field in fields if field not in self.superuser_only_fields)
-                modified_fieldsets.append((name, {**data, "fields": fields}))
-            return modified_fieldsets
-        return fieldsets
-
     # Table ordering
     # NOTE: This impacts the select2 dropdowns (combobox)
     # Currentl, there's only one for requests on DomainInfo
diff --git a/src/registrar/migrations/0128_create_groups_v17.py b/src/registrar/migrations/0128_create_groups_v17.py
new file mode 100644
index 000000000..7ac392da7
--- /dev/null
+++ b/src/registrar/migrations/0128_create_groups_v17.py
@@ -0,0 +1,37 @@
+# This migration creates the create_full_access_group and create_cisa_analyst_group groups
+# It is dependent on 0079 (which populates federal agencies)
+# If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
+# in the user_group model then:
+# [NOT RECOMMENDED]
+# step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
+# step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
+# step 3: fake run the latest migration in the migrations list
+# [RECOMMENDED]
+# Alternatively:
+# step 1: duplicate the migration that loads data
+# step 2: docker-compose exec app ./manage.py migrate
+
+from django.db import migrations
+from registrar.models import UserGroup
+from typing import Any
+
+
+# For linting: RunPython expects a function reference,
+# so let's give it one
+def create_groups(apps, schema_editor) -> Any:
+    UserGroup.create_cisa_analyst_group(apps, schema_editor)
+    UserGroup.create_full_access_group(apps, schema_editor)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("registrar", "0127_remove_domaininformation_submitter_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            create_groups,
+            reverse_code=migrations.RunPython.noop,
+            atomic=True,
+        ),
+    ]
diff --git a/src/registrar/models/user_group.py b/src/registrar/models/user_group.py
index 76657fe29..e6bcaa4f4 100644
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@@ -66,6 +66,21 @@ class UserGroup(Group):
                 "model": "federalagency",
                 "permissions": ["add_federalagency", "change_federalagency", "delete_federalagency"],
             },
+            {
+                "app_label": "registrar",
+                "model": "portfolio",
+                "permissions": ["add_portfolio", "change_portfolio", "delete_portfolio"],
+            },
+            {
+                "app_label": "registrar",
+                "model": "suborganization",
+                "permissions": ["add_suborganization", "change_suborganization", "delete_suborganization"],
+            },
+            {
+                "app_label": "registrar",
+                "model": "userportfoliopermission",
+                "permissions": ["add_userportfoliopermission", "change_userportfoliopermission", "delete_userportfoliopermission"],
+            },
         ]
 
         # Avoid error: You can't execute queries until the end