Merge branch 'main' into za/2597-block-email-sending

src/registrar/models/__init__.py

@@ -21,6 +21,7 @@ from .portfolio import Portfolio
 from .domain_group import DomainGroup
 from .suborganization import Suborganization
 from .senior_official import SeniorOfficial
+from .user_portfolio_permission import UserPortfolioPermission
 from .allowed_email import AllowedEmail
 
 
@@ -47,6 +48,7 @@ __all__ = [
     "DomainGroup",
     "Suborganization",
     "SeniorOfficial",
+    "UserPortfolioPermission",
     "AllowedEmail",
 ]
 
@@ -72,4 +74,5 @@ auditlog.register(Portfolio)
 auditlog.register(DomainGroup)
 auditlog.register(Suborganization)
 auditlog.register(SeniorOfficial)
+auditlog.register(UserPortfolioPermission)
 auditlog.register(AllowedEmail)

src/registrar/models/domain_request.py

@@ -563,15 +563,32 @@ class DomainRequest(TimeStampedModel):
         help_text="Acknowledged .gov acceptable use policy",
     )
 
-    # submission date records when domain request is submitted
-    submission_date = models.DateField(
+    # Records when the domain request was first submitted
+    first_submitted_date = models.DateField(
         null=True,
         blank=True,
         default=None,
-        verbose_name="submitted at",
-        help_text="Date submitted",
+        verbose_name="first submitted on",
+        help_text="Date initially submitted",
     )
 
+    # Records when domain request was last submitted
+    last_submitted_date = models.DateField(
+        null=True,
+        blank=True,
+        default=None,
+        verbose_name="last submitted on",
+        help_text="Date last submitted",
+    )
+
+    # Records when domain request status was last updated by an admin or analyst
+    last_status_update = models.DateField(
+        null=True,
+        blank=True,
+        default=None,
+        verbose_name="last updated on",
+        help_text="Date of the last status update",
+    )
     notes = models.TextField(
         null=True,
         blank=True,
@@ -627,6 +644,9 @@ class DomainRequest(TimeStampedModel):
         self.sync_organization_type()
         self.sync_yes_no_form_fields()
 
+        if self._cached_status != self.status:
+            self.last_status_update = timezone.now().date()
+
         super().save(*args, **kwargs)
 
         # Handle the action needed email.
@@ -809,8 +829,12 @@ class DomainRequest(TimeStampedModel):
         if not DraftDomain.string_could_be_domain(self.requested_domain.name):
             raise ValueError("Requested domain is not a valid domain name.")
 
-        # Update submission_date to today
-        self.submission_date = timezone.now().date()
+        # if the domain has not been submitted before this  must be the first time
+        if not self.first_submitted_date:
+            self.first_submitted_date = timezone.now().date()
+
+        # Update last_submitted_date to today
+        self.last_submitted_date = timezone.now().date()
         self.save()
 
         # Limit email notifications to transitions from Started and Withdrawn

src/registrar/models/portfolio.py

@@ -131,9 +131,13 @@ class Portfolio(TimeStampedModel):
         Returns a combination of organization_type / federal_type, seperated by ' - '.
         If no federal_type is found, we just return the org type.
         """
-        org_type_label = self.OrganizationChoices.get_org_label(self.organization_type)
-        agency_type_label = BranchChoices.get_branch_label(self.federal_type)
-        if self.organization_type == self.OrganizationChoices.FEDERAL and agency_type_label:
+        return self.get_portfolio_type(self.organization_type, self.federal_type)
+
+    @classmethod
+    def get_portfolio_type(cls, organization_type, federal_type):
+        org_type_label = cls.OrganizationChoices.get_org_label(organization_type)
+        agency_type_label = BranchChoices.get_branch_label(federal_type)
+        if organization_type == cls.OrganizationChoices.FEDERAL and agency_type_label:
             return " - ".join([org_type_label, agency_type_label])
         else:
             return org_type_label
@@ -141,7 +145,11 @@ class Portfolio(TimeStampedModel):
     @property
     def federal_type(self):
         """Returns the federal_type value on the underlying federal_agency field"""
-        return self.federal_agency.federal_type if self.federal_agency else None
+        return self.get_federal_type(self.federal_agency)
+
+    @classmethod
+    def get_federal_type(cls, federal_agency):
+        return federal_agency.federal_type if federal_agency else None
 
     # == Getters for domains == #
     def get_domains(self):

src/registrar/models/portfolio_invitation.py

@@ -1,13 +1,11 @@
 """People are invited by email to administer domains."""
 
 import logging
-
 from django.contrib.auth import get_user_model
 from django.db import models
-
 from django_fsm import FSMField, transition
+from registrar.models.user_portfolio_permission import UserPortfolioPermission
 from .utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices  # type: ignore
-
 from .utility.time_stamped_model import TimeStampedModel
 from django.contrib.postgres.fields import ArrayField
 
@@ -87,9 +85,11 @@ class PortfolioInvitation(TimeStampedModel):
             raise RuntimeError("Cannot find the user to retrieve this portfolio invitation.")
 
         # and create a role for that user on this portfolio
-        user.portfolio = self.portfolio
+        user_portfolio_permission, _ = UserPortfolioPermission.objects.get_or_create(
+            portfolio=self.portfolio, user=user
+        )
         if self.portfolio_roles and len(self.portfolio_roles) > 0:
-            user.portfolio_roles = self.portfolio_roles
+            user_portfolio_permission.roles = self.portfolio_roles
         if self.portfolio_additional_permissions and len(self.portfolio_additional_permissions) > 0:
-            user.portfolio_additional_permissions = self.portfolio_additional_permissions
-        user.save()
+            user_portfolio_permission.additional_permissions = self.portfolio_additional_permissions
+        user_portfolio_permission.save()

src/registrar/models/user.py

@@ -3,10 +3,9 @@ import logging
 from django.contrib.auth.models import AbstractUser
 from django.db import models
 from django.db.models import Q
-from django.forms import ValidationError
+from django.http import HttpRequest
 
-from registrar.models.domain_information import DomainInformation
-from registrar.models.user_domain_role import UserDomainRole
+from registrar.models import DomainInformation, UserDomainRole
 from registrar.models.utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices
 
 from .domain_invitation import DomainInvitation
@@ -15,7 +14,6 @@ from .transition_domain import TransitionDomain
 from .verified_by_staff import VerifiedByStaff
 from .domain import Domain
 from .domain_request import DomainRequest
-from django.contrib.postgres.fields import ArrayField
 from waffle.decorators import flag_is_active
 
 from phonenumber_field.modelfields import PhoneNumberField  # type: ignore
@@ -112,34 +110,6 @@ class User(AbstractUser):
         related_name="users",
     )
 
-    portfolio = models.ForeignKey(
-        "registrar.Portfolio",
-        null=True,
-        blank=True,
-        related_name="user",
-        on_delete=models.SET_NULL,
-    )
-
-    portfolio_roles = ArrayField(
-        models.CharField(
-            max_length=50,
-            choices=UserPortfolioRoleChoices.choices,
-        ),
-        null=True,
-        blank=True,
-        help_text="Select one or more roles.",
-    )
-
-    portfolio_additional_permissions = ArrayField(
-        models.CharField(
-            max_length=50,
-            choices=UserPortfolioPermissionChoices.choices,
-        ),
-        null=True,
-        blank=True,
-        help_text="Select one or more additional permissions.",
-    )
-
     phone = PhoneNumberField(
         null=True,
         blank=True,
@@ -230,68 +200,50 @@ class User(AbstractUser):
     def has_contact_info(self):
         return bool(self.title or self.email or self.phone)
 
-    def clean(self):
-        """Extends clean method to perform additional validation, which can raise errors in django admin."""
-        super().clean()
-
-        if self.portfolio is None and self._get_portfolio_permissions():
-            raise ValidationError("When portfolio roles or additional permissions are assigned, portfolio is required.")
-
-        if self.portfolio is not None and not self._get_portfolio_permissions():
-            raise ValidationError("When portfolio is assigned, portfolio roles or additional permissions are required.")
-
-    def _get_portfolio_permissions(self):
-        """
-        Retrieve the permissions for the user's portfolio roles.
-        """
-        portfolio_permissions = set()  # Use a set to avoid duplicate permissions
-
-        if self.portfolio_roles:
-            for role in self.portfolio_roles:
-                if role in self.PORTFOLIO_ROLE_PERMISSIONS:
-                    portfolio_permissions.update(self.PORTFOLIO_ROLE_PERMISSIONS[role])
-        if self.portfolio_additional_permissions:
-            portfolio_permissions.update(self.portfolio_additional_permissions)
-        return list(portfolio_permissions)  # Convert back to list if necessary
-
-    def _has_portfolio_permission(self, portfolio_permission):
+    def _has_portfolio_permission(self, portfolio, portfolio_permission):
         """The views should only call this function when testing for perms and not rely on roles."""
 
-        if not self.portfolio:
+        if not portfolio:
             return False
 
-        portfolio_permissions = self._get_portfolio_permissions()
+        user_portfolio_perms = self.portfolio_permissions.filter(portfolio=portfolio, user=self).first()
+        if not user_portfolio_perms:
+            return False
 
-        return portfolio_permission in portfolio_permissions
+        return portfolio_permission in user_portfolio_perms._get_portfolio_permissions()
 
-    # the methods below are checks for individual portfolio permissions. They are defined here
-    # to make them easier to call elsewhere throughout the application
-    def has_base_portfolio_permission(self):
-        return self._has_portfolio_permission(UserPortfolioPermissionChoices.VIEW_PORTFOLIO)
+    def has_base_portfolio_permission(self, portfolio):
+        return self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.VIEW_PORTFOLIO)
 
-    def has_edit_org_portfolio_permission(self):
-        return self._has_portfolio_permission(UserPortfolioPermissionChoices.EDIT_PORTFOLIO)
+    def has_edit_org_portfolio_permission(self, portfolio):
+        return self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.EDIT_PORTFOLIO)
 
-    def has_domains_portfolio_permission(self):
+    def has_domains_portfolio_permission(self, portfolio):
         return self._has_portfolio_permission(
-            UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS
-        ) or self._has_portfolio_permission(UserPortfolioPermissionChoices.VIEW_MANAGED_DOMAINS)
+            portfolio, UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS
+        ) or self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.VIEW_MANAGED_DOMAINS)
 
-    def has_domain_requests_portfolio_permission(self):
+    def has_domain_requests_portfolio_permission(self, portfolio):
         return self._has_portfolio_permission(
-            UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS
-        ) or self._has_portfolio_permission(UserPortfolioPermissionChoices.VIEW_CREATED_REQUESTS)
+            portfolio, UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS
+        ) or self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.VIEW_CREATED_REQUESTS)
 
-    def has_view_all_domains_permission(self):
+    def has_view_all_domains_permission(self, portfolio):
         """Determines if the current user can view all available domains in a given portfolio"""
-        return self._has_portfolio_permission(UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS)
+        return self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS)
 
     # Field specific permission checks
-    def has_view_suborganization(self):
-        return self._has_portfolio_permission(UserPortfolioPermissionChoices.VIEW_SUBORGANIZATION)
+    def has_view_suborganization(self, portfolio):
+        return self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.VIEW_SUBORGANIZATION)
 
-    def has_edit_suborganization(self):
-        return self._has_portfolio_permission(UserPortfolioPermissionChoices.EDIT_SUBORGANIZATION)
+    def has_edit_suborganization(self, portfolio):
+        return self._has_portfolio_permission(portfolio, UserPortfolioPermissionChoices.EDIT_SUBORGANIZATION)
+
+    def get_first_portfolio(self):
+        permission = self.portfolio_permissions.first()
+        if permission:
+            return permission.portfolio
+        return None
 
     @classmethod
     def needs_identity_verification(cls, email, uuid):
@@ -406,7 +358,14 @@ class User(AbstractUser):
         for invitation in PortfolioInvitation.objects.filter(
             email__iexact=self.email, status=PortfolioInvitation.PortfolioInvitationStatus.INVITED
         ):
-            if self.portfolio is None:
+            # need to create a bogus request and assign user to it, in order to pass request
+            # to flag_is_active
+            request = HttpRequest()
+            request.user = self
+            only_single_portfolio = (
+                not flag_is_active(request, "multiple_portfolios") and self.get_first_portfolio() is None
+            )
+            if only_single_portfolio or flag_is_active(None, "multiple_portfolios"):
                 try:
                     invitation.retrieve()
                     invitation.save()
@@ -431,13 +390,17 @@ class User(AbstractUser):
         self.check_domain_invitations_on_login()
         self.check_portfolio_invitations_on_login()
 
+    # NOTE TO DAVE: I'd simply suggest that we move these functions outside of the user object,
+    # and move them to some sort of utility file. That way we aren't calling request inside here.
     def is_org_user(self, request):
         has_organization_feature_flag = flag_is_active(request, "organization_feature")
-        return has_organization_feature_flag and self.has_base_portfolio_permission()
+        portfolio = request.session.get("portfolio")
+        return has_organization_feature_flag and self.has_base_portfolio_permission(portfolio)
 
     def get_user_domain_ids(self, request):
         """Returns either the domains ids associated with this user on UserDomainRole or Portfolio"""
-        if self.is_org_user(request) and self.has_view_all_domains_permission():
-            return DomainInformation.objects.filter(portfolio=self.portfolio).values_list("domain_id", flat=True)
+        portfolio = request.session.get("portfolio")
+        if self.is_org_user(request) and self.has_view_all_domains_permission(portfolio):
+            return DomainInformation.objects.filter(portfolio=portfolio).values_list("domain_id", flat=True)
         else:
             return UserDomainRole.objects.filter(user=self).values_list("domain_id", flat=True)

src/registrar/models/user_portfolio_permission.py

@@ -0,0 +1,119 @@
+from django.db import models
+from django.forms import ValidationError
+from django.http import HttpRequest
+from waffle import flag_is_active
+from registrar.models.utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices
+from .utility.time_stamped_model import TimeStampedModel
+from django.contrib.postgres.fields import ArrayField
+
+
+class UserPortfolioPermission(TimeStampedModel):
+    """This is a linking table that connects a user with a role on a portfolio."""
+
+    class Meta:
+        unique_together = ["user", "portfolio"]
+
+    PORTFOLIO_ROLE_PERMISSIONS = {
+        UserPortfolioRoleChoices.ORGANIZATION_ADMIN: [
+            UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
+            UserPortfolioPermissionChoices.VIEW_MEMBER,
+            UserPortfolioPermissionChoices.EDIT_MEMBER,
+            UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
+            UserPortfolioPermissionChoices.EDIT_REQUESTS,
+            UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
+            UserPortfolioPermissionChoices.EDIT_PORTFOLIO,
+            # Domain: field specific permissions
+            UserPortfolioPermissionChoices.VIEW_SUBORGANIZATION,
+            UserPortfolioPermissionChoices.EDIT_SUBORGANIZATION,
+        ],
+        UserPortfolioRoleChoices.ORGANIZATION_ADMIN_READ_ONLY: [
+            UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
+            UserPortfolioPermissionChoices.VIEW_MEMBER,
+            UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
+            UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
+            # Domain: field specific permissions
+            UserPortfolioPermissionChoices.VIEW_SUBORGANIZATION,
+        ],
+        UserPortfolioRoleChoices.ORGANIZATION_MEMBER: [
+            UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
+        ],
+    }
+
+    user = models.ForeignKey(
+        "registrar.User",
+        null=False,
+        # when a user is deleted, permissions are too
+        on_delete=models.CASCADE,
+        related_name="portfolio_permissions",
+    )
+
+    portfolio = models.ForeignKey(
+        "registrar.Portfolio",
+        null=False,
+        # when a portfolio is deleted, permissions are too
+        on_delete=models.CASCADE,
+        related_name="portfolio_users",
+    )
+
+    roles = ArrayField(
+        models.CharField(
+            max_length=50,
+            choices=UserPortfolioRoleChoices.choices,
+        ),
+        null=True,
+        blank=True,
+        help_text="Select one or more roles.",
+    )
+
+    additional_permissions = ArrayField(
+        models.CharField(
+            max_length=50,
+            choices=UserPortfolioPermissionChoices.choices,
+        ),
+        null=True,
+        blank=True,
+        help_text="Select one or more additional permissions.",
+    )
+
+    def __str__(self):
+        return f"User '{self.user}' on Portfolio '{self.portfolio}' " f"<Roles: {self.roles}>" if self.roles else ""
+
+    def _get_portfolio_permissions(self):
+        """
+        Retrieve the permissions for the user's portfolio roles.
+        """
+        # Use a set to avoid duplicate permissions
+        portfolio_permissions = set()
+
+        if self.roles:
+            for role in self.roles:
+                portfolio_permissions.update(self.PORTFOLIO_ROLE_PERMISSIONS.get(role, []))
+
+        if self.additional_permissions:
+            portfolio_permissions.update(self.additional_permissions)
+
+        return list(portfolio_permissions)
+
+    def clean(self):
+        """Extends clean method to perform additional validation, which can raise errors in django admin."""
+        super().clean()
+
+        # Check if a user is set without accessing the related object.
+        has_user = bool(self.user_id)
+        if self.pk is None and has_user:
+            # Have to create a bogus request to set the user and pass to flag_is_active
+            request = HttpRequest()
+            request.user = self.user
+            existing_permissions = UserPortfolioPermission.objects.filter(user=self.user)
+            if not flag_is_active(request, "multiple_portfolios") and existing_permissions.exists():
+                raise ValidationError(
+                    "Only one portfolio permission is allowed per user when multiple portfolios are disabled."
+                )
+
+        # Check if portfolio is set without accessing the related object.
+        has_portfolio = bool(self.portfolio_id)
+        if not has_portfolio and self._get_portfolio_permissions():
+            raise ValidationError("When portfolio roles or additional permissions are assigned, portfolio is required.")
+
+        if has_portfolio and not self._get_portfolio_permissions():
+            raise ValidationError("When portfolio is assigned, portfolio roles or additional permissions are required.")