Refactor groups and permissions: divide fixtures in 2 files, one for users and one for data, load groups in migrations (using methods defined in user_groups model), use hasperm in admin to test for 'superuser'

2025-08-03 08:22:18 +02:00 · 2023-09-28 17:34:53 -04:00 · 2023-09-28 17:34:53 -04:00 · cd14eb2584
commit cd14eb2584
parent fd860998fb
15 changed files with 667 additions and 559 deletions
--- a/docs/django-admin/roles.md
+++ b/docs/django-admin/roles.md
@ -1,21 +1,21 @@
 # Django admin user roles

-Roles other than superuser should be defined in authentication and authorization groups in django admin 
+For our MVP, we create and maintain 2 admin roles:
+Full access and CISA analyst. Both have the role `staff`.
+Permissions on these roles are set through groups:
+`full_access_group` and `cisa_analysts_group`. These
+groups and the methods to create them are defined in
+our `user_group` model and run in a migration.

-## Superuser
+## Editing group permissions through code

-Full access
+We can edit and deploy new group permissions by
+editing `user_group` then:

-## CISA analyst
+- Duplicating migration `0036_create_groups`
+and running migrations (RECOMMENDED METHOD), or

-### Basic permission level
-
-Staff
-
-### Additional group permissions
-
-auditlog | log entry | can view log entry
-registrar | contact | can view contact
-registrar | domain application | can change domain application
-registrar | domain | can view domain
-registrar | user | can view user
+- Fake the previous migration to run an existing create groups migration:
+ - step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
+ - step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
+ - step 3: fake run the latest migration in the migrations list