Refactor groups and permissions: divide fixtures in 2 files, one for users and one for data, load groups in migrations (using methods defined in user_groups model), use hasperm in admin to test for 'superuser'

Rachid Mrad 2023-09-28 17:34:53 -04:00
parent fd860998fb
commit cd14eb2584
No known key found for this signature in database
GPG key ID: EF38E4CEC4A8F3CF
15 changed files with 667 additions and 559 deletions


@ -1,21 +1,21 @@
# Django admin user roles
Roles other than superuser should be defined in authentication and authorization groups in django admin
For our MVP, we create and maintain 2 admin roles:
Full access and CISA analyst. Both have the role `staff`.
Permissions on these roles are set through groups:
`full_access_group` and `cisa_analysts_group`. These
groups and the methods to create them are defined in
our `user_group` model and run in a migration.
## Superuser
## Editing group permissions through code
Full access
We can edit and deploy new group permissions by
editing `user_group` then:
## CISA analyst
- Duplicating migration `0036_create_groups`
and running migrations (RECOMMENDED METHOD), or
### Basic permission level
Staff
### Additional group permissions
auditlog | log entry | can view log entry
registrar | contact | can view contact
registrar | domain application | can change domain application
registrar | domain | can view domain
registrar | user | can view user
- Fake the previous migration to run an existing create groups migration:
- step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
- step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
- step 3: fake run the latest migration in the migrations list
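Review bot: step 3 of the fake-migration procedure ("fake run the latest migration in the migrations list") gives no command, unlike steps 1 and 2, so the reader has to guess both the invocation and the migration name. Write it in the same form as the other steps, for example `docker-compose exec app ./manage.py migrate --fake registrar <latest_migration>` with the name left as a placeholder to fill in. Because a faked migration is recorded as applied without being run, the doc should also say how to confirm afterwards that `full_access_group` and `cisa_analysts_group` hold the intended permissions. For the recommended path, state that the duplicate of `0036_create_groups` needs a new migration number and a dependency on the current latest migration. The model is called `user_group` here but `user_groups` in the commit message; use whichever name matches the code.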