From d0d312598da04b347ef45af6d240b7d304078be6 Mon Sep 17 00:00:00 2001
From: Erin <121973038+erinysong@users.noreply.github.com>
Date: Wed, 3 Apr 2024 14:49:38 -0700
Subject: [PATCH 1/8] Edit typo on create_groups migration
---
 src/registrar/migrations/0037_create_groups_v01.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/registrar/migrations/0037_create_groups_v01.py b/src/registrar/migrations/0037_create_groups_v01.py
index 3540ea2f3..0c04a8b61 100644
--- a/src/registrar/migrations/0037_create_groups_v01.py
+++ b/src/registrar/migrations/0037_create_groups_v01.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0036 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
From c25a082aa091caa325cbec2ba326daaa8e59ca77 Mon Sep 17 00:00:00 2001
From: Erin <121973038+erinysong@users.noreply.github.com>
Date: Wed, 3 Apr 2024 15:18:50 -0700
Subject: [PATCH 2/8] Add instructions for user group migrations
---
 src/registrar/models/user_group.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/registrar/models/user_group.py b/src/registrar/models/user_group.py
index 2aa2f642e..6211094ec 100644
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@@ -5,6 +5,16 @@ logger = logging.getLogger(__name__) class UserGroup(Group): + """ + UserGroup sets read and write permissions for superusers (who have full access) + and analysts. To update analyst permissions do the following: + 1. Make desired changes to analyst group permissions in user_group.py. + 2. Follow the steps in 0037_create_groups_v01.py to create a duplicate + migration for the updated user group permissions. + 3. To migrate locally, run docker-compose up. To migrate on a sandbox, + push the new migration onto your sandbox before migrating. + """ + class Meta: verbose_name = "User group" verbose_name_plural = "User groups" @@ -49,7 +59,7 @@ class UserGroup(Group): { "app_label": "registrar", "model": "user", - "permissions": ["analyst_access_permission", "change_user"], + "permissions": ["analyst_access_permission", "change_user", "delete_user"], }, { "app_label": "registrar", From c4cf7d5669e156fb755d2034c8e42c3af49f727b Mon Sep 17 00:00:00 2001 From: Erin <121973038+erinysong@users.noreply.github.com> Date: Wed, 3 Apr 2024 15:27:49 -0700 Subject: [PATCH 3/8] Update dependency typos in user group migrations --- src/registrar/migrations/0038_create_groups_v02.py | 2 +- src/registrar/migrations/0042_create_groups_v03.py | 2 +- src/registrar/migrations/0044_create_groups_v04.py | 2 +- src/registrar/migrations/0053_create_groups_v05.py | 2 +- src/registrar/migrations/0065_create_groups_v06.py | 2 +- src/registrar/migrations/0067_create_groups_v07.py | 2 +- src/registrar/migrations/0075_create_groups_v08.py | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/registrar/migrations/0038_create_groups_v02.py b/src/registrar/migrations/0038_create_groups_v02.py index fc61db3c0..70d13b61a 100644 --- a/src/registrar/migrations/0038_create_groups_v02.py +++ b/src/registrar/migrations/0038_create_groups_v02.py 
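Review bot: The `"delete_user"` entry added to the analyst permissions for the `user` model, in the second hunk of src/registrar/models/user_group.py (`@@ -59,7 +59,7 @@`), is a privilege grant that the subject "Add instructions for user group migrations" does not mention, and it should be dropped from this commit: `"permissions": ["analyst_access_permission", "change_user"],`. PATCH 4/8 reverts it as a testing leftover, but every commit in between still lists user deletion for analysts. If a create_groups migration were generated from one of those states (a bisect checkout, a cherry-pick, a partial merge), the grant would presumably be applied. Squashing 4/8 into this commit keeps the history free of an unreviewed permission change. The enclosing permissions list starts and ends outside the hunk.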
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0037 (which also updates user role permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0042_create_groups_v03.py b/src/registrar/migrations/0042_create_groups_v03.py
index 01b7985bf..e30841599 100644
--- a/src/registrar/migrations/0042_create_groups_v03.py
+++ b/src/registrar/migrations/0042_create_groups_v03.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0041 (which changes fields in domain request and domain information)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0044_create_groups_v04.py b/src/registrar/migrations/0044_create_groups_v04.py
index ecb48e335..63cad49bb 100644
--- a/src/registrar/migrations/0044_create_groups_v04.py
+++ b/src/registrar/migrations/0044_create_groups_v04.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0043 (which adds an expiry date field to a domain.)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0053_create_groups_v05.py b/src/registrar/migrations/0053_create_groups_v05.py
index aaf74a9db..91e8389df 100644
--- a/src/registrar/migrations/0053_create_groups_v05.py
+++ b/src/registrar/migrations/0053_create_groups_v05.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0052 (which alters fields in a domain request)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0065_create_groups_v06.py b/src/registrar/migrations/0065_create_groups_v06.py
index d2cb32cee..965dc06a8 100644
--- a/src/registrar/migrations/0065_create_groups_v06.py
+++ b/src/registrar/migrations/0065_create_groups_v06.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0065 (which renames fields in domain application)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0067_create_groups_v07.py b/src/registrar/migrations/0067_create_groups_v07.py
index 85138d4af..809738ba3 100644
--- a/src/registrar/migrations/0067_create_groups_v07.py
+++ b/src/registrar/migrations/0067_create_groups_v07.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0035 (which populates ContentType and Permissions)
+# It is dependent on 0066 (which updates users with permission as Verified by Staff)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0075_create_groups_v08.py b/src/registrar/migrations/0075_create_groups_v08.py
index b0b2ed740..a4df52d21 100644
--- a/src/registrar/migrations/0075_create_groups_v08.py
+++ b/src/registrar/migrations/0075_create_groups_v08.py
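Review bot: In src/registrar/migrations/0065_create_groups_v06.py the new header comment `# It is dependent on 0065 (which renames fields in domain application)` names the migration's own number, which cannot be its dependency. The other files touched by this patch each name the migration immediately before them, so this one is presumably meant to read 0064. The `dependencies` list of the Migration class is outside the hunk, so the number and description should be copied from there rather than inferred. Accuracy matters here because these headers are the instructions developers follow when they duplicate a migration to change group permissions.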
@@ -1,5 +1,5 @@ # This migration creates the create_full_access_group and create_cisa_analyst_group groups -# It is dependent on 0035 (which populates ContentType and Permissions) +# It is dependent on 0074 (which renames Domain Application and its fields) # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS # in the user_group model then: # [NOT RECOMMENDED] From 8e5c1aadbf841559ea6ae17f11399139a07fea72 Mon Sep 17 00:00:00 2001 From: Erin <121973038+erinysong@users.noreply.github.com> Date: Wed, 3 Apr 2024 15:29:16 -0700 Subject: [PATCH 4/8] Revert user group permission changes from testing --- src/registrar/models/user_group.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/registrar/models/user_group.py b/src/registrar/models/user_group.py index 6211094ec..3071fba11 100644 --- a/src/registrar/models/user_group.py +++ b/src/registrar/models/user_group.py @@ -59,7 +59,7 @@ class UserGroup(Group): { "app_label": "registrar", "model": "user", - "permissions": ["analyst_access_permission", "change_user", "delete_user"], + "permissions": ["analyst_access_permission", "change_user"], }, { "app_label": "registrar", From df9d0c7ac36f33706285d3f3d29daae9270e15d6 Mon Sep 17 00:00:00 2001 From: Erin <121973038+erinysong@users.noreply.github.com> Date: Mon, 8 Apr 2024 10:14:51 -0700 Subject: [PATCH 5/8] Add user permission migration docs ot user-permissions.md --- docs/developer/user-permissions.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/developer/user-permissions.md b/docs/developer/user-permissions.md index f7c41492d..4e627b0a5 100644 --- a/docs/developer/user-permissions.md +++ b/docs/developer/user-permissions.md 
@@ -19,6 +19,18 @@ role or set of permissions that they have. We use a `UserDomainRole` `User.domains` many-to-many relationship that works through the `UserDomainRole` link table. +## Migrating changes to Analyst Permissions model +Analysts are allowed a certain set of read/write registrar permissions. +Setting user permissions requires a migration to change the UserGroup +and Permission models, which requires us to manually make a migration +file for user permission changes. +To update analyst permissions do the following: +1. Make desired changes to analyst group permissions in user_group.py. +2. Follow the steps in 0037_create_groups_v01.py to create a duplicate +migration for the updated user group permissions. +3. To migrate locally, run docker-compose up. To migrate on a sandbox, +push the new migration onto your sandbox before migrating. + ## Permission decorator The Django objects that need to be permission controlled are various views. From 51d14457929d67b426509bb07996aa9219b958ba Mon Sep 17 00:00:00 2001 From: Erin <121973038+erinysong@users.noreply.github.com> Date: Mon, 8 Apr 2024 10:15:49 -0700 Subject: [PATCH 6/8] Revert documentation changes to migration files --- src/registrar/migrations/0037_create_groups_v01.py | 2 +- src/registrar/migrations/0038_create_groups_v02.py | 2 +- src/registrar/migrations/0042_create_groups_v03.py | 2 +- src/registrar/migrations/0044_create_groups_v04.py | 2 +- src/registrar/migrations/0053_create_groups_v05.py | 2 +- src/registrar/migrations/0065_create_groups_v06.py | 2 +- src/registrar/migrations/0067_create_groups_v07.py | 2 +- src/registrar/migrations/0075_create_groups_v08.py | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/registrar/migrations/0037_create_groups_v01.py b/src/registrar/migrations/0037_create_groups_v01.py index 0c04a8b61..3540ea2f3 100644 --- a/src/registrar/migrations/0037_create_groups_v01.py +++ b/src/registrar/migrations/0037_create_groups_v01.py 
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0036 (which populates ContentType and Permissions)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0038_create_groups_v02.py b/src/registrar/migrations/0038_create_groups_v02.py
index 70d13b61a..fc61db3c0 100644
--- a/src/registrar/migrations/0038_create_groups_v02.py
+++ b/src/registrar/migrations/0038_create_groups_v02.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0037 (which also updates user role permissions)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0042_create_groups_v03.py b/src/registrar/migrations/0042_create_groups_v03.py
index e30841599..01b7985bf 100644
--- a/src/registrar/migrations/0042_create_groups_v03.py
+++ b/src/registrar/migrations/0042_create_groups_v03.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0041 (which changes fields in domain request and domain information)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0044_create_groups_v04.py b/src/registrar/migrations/0044_create_groups_v04.py
index 63cad49bb..ecb48e335 100644
--- a/src/registrar/migrations/0044_create_groups_v04.py
+++ b/src/registrar/migrations/0044_create_groups_v04.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0043 (which adds an expiry date field to a domain.)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0053_create_groups_v05.py b/src/registrar/migrations/0053_create_groups_v05.py
index 91e8389df..aaf74a9db 100644
--- a/src/registrar/migrations/0053_create_groups_v05.py
+++ b/src/registrar/migrations/0053_create_groups_v05.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0052 (which alters fields in a domain request)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0065_create_groups_v06.py b/src/registrar/migrations/0065_create_groups_v06.py
index 965dc06a8..d2cb32cee 100644
--- a/src/registrar/migrations/0065_create_groups_v06.py
+++ b/src/registrar/migrations/0065_create_groups_v06.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0065 (which renames fields in domain application)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0067_create_groups_v07.py b/src/registrar/migrations/0067_create_groups_v07.py
index 809738ba3..85138d4af 100644
--- a/src/registrar/migrations/0067_create_groups_v07.py
+++ b/src/registrar/migrations/0067_create_groups_v07.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0066 (which updates users with permission as Verified by Staff)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
diff --git a/src/registrar/migrations/0075_create_groups_v08.py b/src/registrar/migrations/0075_create_groups_v08.py
index a4df52d21..b0b2ed740 100644
--- a/src/registrar/migrations/0075_create_groups_v08.py
+++ b/src/registrar/migrations/0075_create_groups_v08.py
@@ -1,5 +1,5 @@
 # This migration creates the create_full_access_group and create_cisa_analyst_group groups
-# It is dependent on 0074 (which renames Domain Application and its fields)
+# It is dependent on 0035 (which populates ContentType and Permissions)
 # If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
 # in the user_group model then:
 # [NOT RECOMMENDED]
From 12f536a9107e40a0021169a8b6116b7120dd6bfe Mon Sep 17 00:00:00 2001
From: Erin <121973038+erinysong@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:24:45 -0700
Subject: [PATCH 7/8] Clean up redundant docs in user_group
---
 src/registrar/models/user_group.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/registrar/models/user_group.py b/src/registrar/models/user_group.py
index 3071fba11..8565ea288 100644
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@@ -7,12 +7,7 @@ logger = logging.getLogger(__name__) class UserGroup(Group): """ UserGroup sets read and write permissions for superusers (who have full access) - and analysts. To update analyst permissions do the following: - 1. Make desired changes to analyst group permissions in user_group.py. - 2. Follow the steps in 0037_create_groups_v01.py to create a duplicate - migration for the updated user group permissions. - 3. To migrate locally, run docker-compose up. To migrate on a sandbox, - push the new migration onto your sandbox before migrating. + and analysts. For more details, see the dev docs for user-permissions. """ class Meta: From 94e62e7520776199bd22cb3dc3c89a35df862124 Mon Sep 17 00:00:00 2001 From: Erin <121973038+erinysong@users.noreply.github.com> Date: Mon, 8 Apr 2024 14:48:04 -0700 Subject: [PATCH 8/8] Add suggested content detail to user permissions docs --- docs/developer/user-permissions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/developer/user-permissions.md b/docs/developer/user-permissions.md index 4e627b0a5..4919c02ff 100644 --- a/docs/developer/user-permissions.md +++ b/docs/developer/user-permissions.md @@ -26,8 +26,8 @@ and Permission models, which requires us to manually make a migration file for user permission changes. To update analyst permissions do the following: 1. Make desired changes to analyst group permissions in user_group.py. -2. Follow the steps in 0037_create_groups_v01.py to create a duplicate -migration for the updated user group permissions. +2. Follow the steps in the migration file0037_create_groups_v01.py to +create a duplicate migration for the updated user group permissions. 3. To migrate locally, run docker-compose up. To migrate on a sandbox, push the new migration onto your sandbox before migrating.