Refactor groups and permissions: divide fixtures in 2 files, one for users and one for data, load groups in migrations (using methods defined in user_groups model), use hasperm in admin to test for 'superuser'

2025-07-23 19:20:47 +02:00 · 2023-09-28 17:34:53 -04:00 · 2023-09-28 17:34:53 -04:00 · cd14eb2584
commit cd14eb2584
parent fd860998fb
15 changed files with 667 additions and 559 deletions
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@ -1,8 +1,117 @@
 from django.contrib.auth.models import Group
+import logging
+
+logger = logging.getLogger(__name__)

 class UserGroup(Group):
-    # Add custom fields or methods specific to your group model here

    class Meta:
        verbose_name = "User group"
-        verbose_name_plural = "User groups"
+        verbose_name_plural = "User groups"
+    
+    def create_cisa_analyst_group(apps, schema_editor):
+        
+        # Hard to pass self to these methods as the calls from migrations
+        # are only expecting apps and schema_editor, so we'll just define
+        # apps, schema_editor in the local scope instead
+        CISA_ANALYST_GROUP_PERMISSIONS = [
+            {
+                "app_label": "auditlog",
+                "model": "logentry",
+                "permissions": ["view_logentry"],
+            },
+            {"app_label": "registrar", "model": "contact", "permissions": ["view_contact"]},
+            {
+                "app_label": "registrar",
+                "model": "domaininformation",
+                "permissions": ["change_domaininformation"],
+            },
+            {
+                "app_label": "registrar",
+                "model": "domainapplication",
+                "permissions": ["change_domainapplication"],
+            },
+            {"app_label": "registrar", "model": "domain", "permissions": ["view_domain"]},
+            {
+                "app_label": "registrar",
+                "model": "draftdomain",
+                "permissions": ["change_draftdomain"],
+            },
+            {"app_label": "registrar", "model": "user", "permissions": ["change_user"]},
+        ]
+        
+        # Avoid error: You can't execute queries until the end 
+        # of the 'atomic' block.
+        # From django docs:
+        # https://docs.djangoproject.com/en/4.2/topics/migrations/#data-migrations
+        # We can’t import the Person model directly as it may be a newer
+        # version than this migration expects. We use the historical version.
+        ContentType = apps.get_model("contenttypes", "ContentType")
+        Permission = apps.get_model("auth", "Permission")
+        UserGroup = apps.get_model("registrar", "UserGroup")
+        
+        logger.info("Going to create the Analyst Group")
+        try:
+            cisa_analysts_group, _ = UserGroup.objects.get_or_create(
+                name="cisa_analysts_group",
+            )
+            
+            cisa_analysts_group.permissions.clear()
+            
+            for permission in CISA_ANALYST_GROUP_PERMISSIONS:
+                app_label = permission["app_label"]
+                model_name = permission["model"]
+                permissions = permission["permissions"]
+
+                # Retrieve the content type for the app and model
+                content_type = ContentType.objects.get(
+                    app_label=app_label, model=model_name
+                )
+                
+                # Retrieve the permissions based on their codenames
+                permissions = Permission.objects.filter(
+                    content_type=content_type, codename__in=permissions
+                )
+                
+                # Assign the permissions to the group
+                cisa_analysts_group.permissions.add(*permissions)
+
+                # Convert the permissions QuerySet to a list of codenames
+                permission_list = list(
+                    permissions.values_list("codename", flat=True)
+                )
+
+                logger.debug(
+                    app_label
+                    + " | "
+                    + model_name
+                    + " | "
+                    + ", ".join(permission_list)
+                    + " added to group "
+                    + cisa_analysts_group.name
+                )
+
+                cisa_analysts_group.save()
+                logger.debug("CISA Analyt permissions added to group " + cisa_analysts_group.name)
+        except Exception as e:
+            logger.error(f"Error creating analyst permissions group: {e}")
+                    
+    def create_full_access_group(apps, schema_editor):
+        Permission = apps.get_model("auth", "Permission")
+        UserGroup = apps.get_model("registrar", "UserGroup")
+        
+        logger.info("Going to create the Full Access Group")
+        try:
+            full_access_group, _ = UserGroup.objects.get_or_create(
+                name="full_access_group",
+            )
+            # Get all available permissions
+            all_permissions = Permission.objects.all()
+                    
+            # Assign all permissions to the group
+            full_access_group.permissions.add(*all_permissions)
+            
+            full_access_group.save()
+            logger.debug("All permissions added to group " + full_access_group.name)
+        except Exception as e:
+            logger.error(f"Error creating full access group: {e}")