Add domain invitation permissions to analyst

2025-07-23 19:20:47 +02:00 · 2023-10-11 11:59:52 -07:00 · 2023-10-11 11:59:52 -07:00 · de87f0c773
commit de87f0c773
parent 1550fde832
4 changed files with 47 additions and 3 deletions
--- a/docs/django-admin/roles.md
+++ b/docs/django-admin/roles.md
@ -13,7 +13,8 @@ For more details, refer to the [user group model](../../src/registrar/models/use

 We can edit and deploy new group permissions by:

-1. editing `user_group` then:
+1. Editing `user_group` then:
 2. Duplicating migration `0036_create_groups_01`
 and running migrations (append the name with a version number
 to help django detect the migration eg 0037_create_groups_02)
+3. Making sure to update the dependency on the new migration with the previous migration
--- a/src/registrar/migrations/0038_create_groups_v02.py
+++ b/src/registrar/migrations/0038_create_groups_v02.py
@ -0,0 +1,36 @@
+# This migration creates the create_full_access_group and create_cisa_analyst_group groups
+# It is dependent on 0035 (which populates ContentType and Permissions)
+# If permissions on the groups need changing, edit CISA_ANALYST_GROUP_PERMISSIONS
+# in the user_group model then:
+# [NOT RECOMMENDED]
+# step 1: docker-compose exec app ./manage.py migrate --fake registrar 0035_contenttypes_permissions
+# step 2: docker-compose exec app ./manage.py migrate registrar 0036_create_groups
+# step 3: fake run the latest migration in the migrations list
+# [RECOMMENDED]
+# Alternatively:
+# Only step: duplicate the migration that loads data and run: docker-compose exec app ./manage.py migrate
+
+from django.db import migrations
+from registrar.models import UserGroup
+from typing import Any
+
+
+# For linting: RunPython expects a function reference,
+# so let's give it one
+def create_groups(apps, schema_editor) -> Any:
+    UserGroup.create_cisa_analyst_group(apps, schema_editor)
+    UserGroup.create_full_access_group(apps, schema_editor)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("registrar", "0037_create_groups_v01"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            create_groups,
+            reverse_code=migrations.RunPython.noop,
+            atomic=True,
+        ),
+    ]
--- a/src/registrar/models/user_group.py
+++ b/src/registrar/models/user_group.py
@ -51,6 +51,11 @@ class UserGroup(Group):
                "model": "user",
                "permissions": ["analyst_access_permission", "change_user"],
            },
+            {
+                "app_label": "registrar",
+                "model": "domaininvitation",
+                "permissions": ["add_domaininvitation", "view_domaininvitation"],
+            },
        ]

        # Avoid error: You can't execute queries until the end
--- a/src/registrar/tests/test_migrations.py
+++ b/src/registrar/tests/test_migrations.py
@ -31,7 +31,7 @@ class TestGroups(TestCase):
            UserGroup.objects.filter(name="full_access_group"), [full_access_group]
        )

-        # Test permissions for cisa_analysts_group
+        # Test permissions data migrations for cisa_analysts_group ran as expected
        # Define the expected permission codenames
        expected_permissions = [
            "view_logentry",
@ -42,6 +42,8 @@ class TestGroups(TestCase):
            "change_draftdomain",
            "analyst_access_permission",
            "change_user",
+            "add_domaininvitation",
+            "view_domaininvitation"
        ]

        # Get the codenames of actual permissions associated with the group