Merge pull request #2857 from cisagov/es/2729-domain-manager-updates

#2729: Update Add a Domain Manager page - [ES]
2025-07-22 02:36:02 +02:00 · 2024-10-17 11:53:50 -07:00 · 2024-10-17 11:53:50 -07:00 · ce7064da2b
commit ce7064da2b
parent 5cd0a34b3b 62b3cbfb04
5 changed files with 104 additions and 35 deletions
--- a/src/registrar/fixtures/fixtures_user_portfolio_permissions.py
+++ b/src/registrar/fixtures/fixtures_user_portfolio_permissions.py
@ -1,4 +1,5 @@
 import logging
+import random
 from faker import Faker
 from django.db import transaction

@ -51,7 +52,8 @@ class UserPortfolioPermissionFixture:

            user_portfolio_permissions_to_create = []
            for user in users:
-                for portfolio in portfolios:
+                # Assign a random portfolio to a user
+                portfolio = random.choice(portfolios)  # nosec
                try:
                    if not UserPortfolioPermission.objects.filter(user=user, portfolio=portfolio).exists():
                        user_portfolio_permission = UserPortfolioPermission(
--- a/src/registrar/templates/domain_add_user.html
+++ b/src/registrar/templates/domain_add_user.html
@ -4,11 +4,31 @@
 {% block title %}Add a domain manager | {% endblock %}

 {% block domain_content %}
+  {% block breadcrumb %}
+    {% url 'domain-users' pk=domain.id as url %}
+    <nav class="usa-breadcrumb padding-top-0" aria-label="Domain manager breadcrumb">
+      <ol class="usa-breadcrumb__list">
+        <li class="usa-breadcrumb__list-item">
+          <a href="{{ url }}" class="usa-breadcrumb__link"><span>Domain managers</span></a>
+        </li>
+        <li class="usa-breadcrumb__list-item usa-current" aria-current="page">
+          <span>Add a domain manager</span>
+        </li>
+      </ol>
+    </nav>
+  {% endblock breadcrumb %}
  <h1>Add a domain manager</h1>
-
-  <p>You can add another user to help manage your domain. They will need to sign
-  in to the .gov registrar with their Login.gov account.
+{% if has_organization_feature_flag %}
+  <p>
+    You can add another user to help manage your domain. Users can only be a member of one .gov organization, 
+    and they'll need to sign in with their Login.gov account.
  </p>
+{% else %}
+ <p>
+    You can add another user to help manage your domain. They will need to sign in to the .gov registrar with 
+    their Login.gov account.
+ </p>
+{% endif %}

  <form class="usa-form usa-form--large" method="post" novalidate>
    {% csrf_token %}
--- a/src/registrar/templates/domain_users.html
+++ b/src/registrar/templates/domain_users.html
@ -8,8 +8,7 @@

  <p>
  Domain managers can update all information related to a domain within the
-  .gov registrar, including contact details, senior official, security
-  email, and DNS name servers.
+  .gov registrar, including including security email and DNS name servers.
  </p>

  <ul class="usa-list">
@ -17,7 +16,8 @@
    <li>After adding a domain manager, an email invitation will be sent to that user with
      instructions on how to set up an account.</li>
    <li>All domain managers must keep their contact information updated and be responsive if contacted by the .gov team.</li>
-    <li>Domains must have at least one domain manager. You can’t remove yourself as a domain manager if you’re the only one assigned to this domain. Add another domain manager before you remove yourself from this domain.</li>
+    <li>All domain managers will be notified when updates are made to this domain.</li>
+    <li>Domains must have at least one domain manager. You can’t remove yourself as a domain manager if you’re the only one assigned to this domain.</li>
  </ul>

  {% if domain.permissions %}
--- a/src/registrar/utility/errors.py
+++ b/src/registrar/utility/errors.py
@ -23,6 +23,15 @@ class InvalidDomainError(ValueError):
    pass


+class OutsideOrgMemberError(ValueError):
+    """
+    Error raised when an org member tries adding a user from a different .gov org.
+    To be deleted when users can be members of multiple orgs.
+    """
+
+    pass
+
+
 class ActionNotAllowed(Exception):
    """User accessed an action that is not
    allowed by the current state"""
--- a/src/registrar/views/domain.py
+++ b/src/registrar/views/domain.py
@ -21,8 +21,10 @@ from registrar.models import (
    DomainRequest,
    DomainInformation,
    DomainInvitation,
+    PortfolioInvitation,
    User,
    UserDomainRole,
+    UserPortfolioPermission,
    PublicContact,
 )
 from registrar.utility.enums import DefaultEmail
@ -35,9 +37,11 @@ from registrar.utility.errors import (
    DsDataErrorCodes,
    SecurityEmailError,
    SecurityEmailErrorCodes,
+    OutsideOrgMemberError,
 )
 from registrar.models.utility.contact_error import ContactError
 from registrar.views.utility.permission_views import UserDomainRolePermissionDeleteView
+from registrar.utility.waffle import flag_is_active_for_user

 from ..forms import (
    SeniorOfficialContactForm,
@ -778,7 +782,18 @@ class DomainAddUserView(DomainFormBaseView):
        """Get an absolute URL for this domain."""
        return self.request.build_absolute_uri(reverse("domain", kwargs={"pk": self.object.id}))

-    def _send_domain_invitation_email(self, email: str, requestor: User, add_success=True):
+    def _is_member_of_different_org(self, email, requestor, requested_user):
+        """Verifies if an email belongs to a different organization as a member or invited member."""
+        # Check if user is a already member of a different organization than the requestor's org
+        requestor_org = UserPortfolioPermission.objects.filter(user=requestor).first().portfolio
+        existing_org_permission = UserPortfolioPermission.objects.filter(user=requested_user).first()
+        existing_org_invitation = PortfolioInvitation.objects.filter(email=email).first()
+
+        return (existing_org_permission and existing_org_permission.portfolio != requestor_org) or (
+            existing_org_invitation and existing_org_invitation.portfolio != requestor_org
+        )
+
+    def _send_domain_invitation_email(self, email: str, requestor: User, requested_user=None, add_success=True):
        """Performs the sending of the domain invitation email,
        does not make a domain information object
        email: string- email to send to
@ -803,6 +818,13 @@ class DomainAddUserView(DomainFormBaseView):
            )
            return None

+        # Check is user is a member or invited member of a different org from this domain's org
+        if flag_is_active_for_user(requestor, "organization_feature") and self._is_member_of_different_org(
+            email, requestor, requested_user
+        ):
+            add_success = False
+            raise OutsideOrgMemberError
+
        # Check to see if an invite has already been sent
        try:
            invite = DomainInvitation.objects.get(email=email, domain=self.object)
@ -859,16 +881,21 @@ class DomainAddUserView(DomainFormBaseView):
        Throws EmailSendingError."""
        requested_email = form.cleaned_data["email"]
        requestor = self.request.user
+        email_success = False
        # look up a user with that email
        try:
            requested_user = User.objects.get(email=requested_email)
        except User.DoesNotExist:
            # no matching user, go make an invitation
+            email_success = True
            return self._make_invitation(requested_email, requestor)
        else:
            # if user already exists then just send an email
            try:
-                self._send_domain_invitation_email(requested_email, requestor, add_success=False)
+                self._send_domain_invitation_email(
+                    requested_email, requestor, requested_user=requested_user, add_success=False
+                )
+                email_success = True
            except EmailSendingError:
                logger.warn(
                    "Could not send email invitation (EmailSendingError)",
@ -876,6 +903,17 @@ class DomainAddUserView(DomainFormBaseView):
                    exc_info=True,
                )
                messages.warning(self.request, "Could not send email invitation.")
+                email_success = True
+            except OutsideOrgMemberError:
+                logger.warn(
+                    "Could not send email. Can not invite member of a .gov organization to a different organization.",
+                    self.object,
+                    exc_info=True,
+                )
+                messages.error(
+                    self.request,
+                    f"{requested_email} is already a member of another .gov organization.",
+                )
            except Exception:
                logger.warn(
                    "Could not send email invitation (Other Exception)",
@ -883,17 +921,17 @@ class DomainAddUserView(DomainFormBaseView):
                    exc_info=True,
                )
                messages.warning(self.request, "Could not send email invitation.")
-
+        if email_success:
            try:
                UserDomainRole.objects.create(
                    user=requested_user,
                    domain=self.object,
                    role=UserDomainRole.Roles.MANAGER,
                )
+                messages.success(self.request, f"Added user {requested_email}.")
            except IntegrityError:
                messages.warning(self.request, f"{requested_email} is already a manager for this domain")
-        else:
-            messages.success(self.request, f"Added user {requested_email}.")
+
        return redirect(self.get_success_url())