diff --git a/src/registrar/assets/js/get-gov-admin.js b/src/registrar/assets/js/get-gov-admin.js
index ad759f445..4797e2d21 100644
--- a/src/registrar/assets/js/get-gov-admin.js
+++ b/src/registrar/assets/js/get-gov-admin.js
@@ -296,6 +296,8 @@ function openInNewTab(el, removeAttribute = false){
// "to" select list
checkToListThenInitWidget('id_groups_to', 0);
checkToListThenInitWidget('id_user_permissions_to', 0);
+ checkToListThenInitWidget('id_portfolio_roles_to', 0);
+ checkToListThenInitWidget('id_portfolio_additional_permissions_to', 0);
})();
// Function to check for the existence of the "to" select list element in the DOM, and if and when found,
diff --git a/src/registrar/assets/sass/_theme/_tables.scss b/src/registrar/assets/sass/_theme/_tables.scss
index cf41dcd1f..304dffb9c 100644
--- a/src/registrar/assets/sass/_theme/_tables.scss
+++ b/src/registrar/assets/sass/_theme/_tables.scss
@@ -34,22 +34,6 @@
pointer-events: none;
}
}
-
- // Ticket #1510
- // @include at-media('desktop') {
- // th:first-child {
- // width: 220px;
- // }
- // th:nth-child(2) {
- // width: 175px;
- // }
- // th:nth-child(3) {
- // width: 130px;
- // }
- // th:nth-child(5) {
- // width: 130px;
- // }
- // }
}
.dotgov-table {
diff --git a/src/registrar/models/user.py b/src/registrar/models/user.py
index 9b0a14b07..9d1f43d76 100644
--- a/src/registrar/models/user.py
+++ b/src/registrar/models/user.py
@@ -138,7 +138,7 @@ class User(AbstractUser):
null=True,
blank=True,
related_name="user",
- on_delete=models.PROTECT,
+ on_delete=models.SET_NULL,
)
portfolio_roles = ArrayField(
@@ -250,35 +250,35 @@ class User(AbstractUser):
def has_contact_info(self):
return bool(self.title or self.email or self.phone)
- def has_role(self, role):
- """Do not rely on roles when testing for perms in views"""
- return role in self.portfolio_roles if self.portfolio_roles else False
-
def has_portfolio_permission(self, portfolio_permission):
"""The views should only call this guy when testing for perms and not rely on roles"""
+ print(f"IN has_portfolio_permission")
+
# EDIT_DOMAINS === user is a manager on a domain (has UserDomainRole)
# NOTE: Should we check whether the domain is in the portfolio?
if portfolio_permission == self.UserPortfolioPermissionChoices.EDIT_DOMAINS and self.domains.exists():
return True
-
+
if not self.portfolio:
return False
-
- portfolio_permissions = self.get_portfolio_permissions()
+
+ portfolio_permissions = self._get_portfolio_permissions()
return portfolio_permission in portfolio_permissions
- def get_portfolio_permissions(self):
+ def _get_portfolio_permissions(self):
"""
Retrieve the permissions for the user's portfolio roles.
"""
portfolio_permissions = set() # Use a set to avoid duplicate permissions
- for role in self.portfolio_roles:
- if role in self.PORTFOLIO_ROLE_PERMISSIONS:
- portfolio_permissions.update(self.PORTFOLIO_ROLE_PERMISSIONS[role])
- portfolio_permissions.update(self.portfolio_additional_permissions)
+ if self.portfolio_roles:
+ for role in self.portfolio_roles:
+ if role in self.PORTFOLIO_ROLE_PERMISSIONS:
+ portfolio_permissions.update(self.PORTFOLIO_ROLE_PERMISSIONS[role])
+ if self.portfolio_additional_permissions:
+ portfolio_permissions.update(self.portfolio_additional_permissions)
return list(portfolio_permissions) # Convert back to list if necessary
@classmethod
diff --git a/src/registrar/tests/test_admin.py b/src/registrar/tests/test_admin.py
index b77a1faf4..23fc4c34d 100644
--- a/src/registrar/tests/test_admin.py
+++ b/src/registrar/tests/test_admin.py
@@ -3710,6 +3710,22 @@ class TestMyUserAdmin(MockDb):
expected_href = reverse("admin:registrar_domain_change", args=[domain_deleted.pk])
self.assertNotContains(response, expected_href)
+ def test_analyst_can_see_selects_for_portfolio_role_and_permissions_in_user_form(self):
+ """Can only test for the presence of a base element. The multiselects and the h2->h3 conversion are all
+ dynamically generated."""
+
+ p = "userpass"
+ self.client.login(username="staffuser", password=p)
+ response = self.client.get(
+ "/admin/registrar/user/{}/change/".format(self.meoward_user.id),
+ follow=True,
+ )
+
+ self.assertEqual(response.status_code, 200)
+
+ self.assertContains(response,"Portfolio roles:")
+ self.assertContains(response,"Portfolio additional permissions:")
+
class AuditedAdminTest(TestCase):
def setUp(self):
diff --git a/src/registrar/tests/test_models.py b/src/registrar/tests/test_models.py
index 0c5ca9193..be0acf2fe 100644
--- a/src/registrar/tests/test_models.py
+++ b/src/registrar/tests/test_models.py
@@ -19,6 +19,7 @@ from registrar.models import (
)
import boto3_mocking
+from registrar.models.portfolio import Portfolio
from registrar.models.transition_domain import TransitionDomain
from registrar.models.verified_by_staff import VerifiedByStaff # type: ignore
from registrar.utility.constants import BranchChoices
@@ -1214,6 +1215,66 @@ class TestUser(TestCase):
self.user.phone = None
self.assertFalse(self.user.has_contact_info())
+ def test_has_portfolio_permission(self):
+ """
+ 0. Returns False when user does not have a permission
+ 1. Returns False when a user does not have a portfolio
+ 2. Returns True when user has direct permission
+ 3. Returns True when user has permission through a role
+ 4. Returns True EDIT_DOMAINS when user does not have the perm but has UserDomainRole
+
+ Note: This tests _get_portfolio_permissions as a side effect
+ """
+ portfolio, _ = Portfolio.objects.get_or_create(creator=self.user, organization_name="Hotel California")
+
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_DOMAINS]
+ self.user.save()
+ self.user.refresh_from_db()
+
+ user_can_view_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_DOMAINS)
+ user_can_view_requests = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_REQUESTS)
+ user_can_edit_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
+
+ self.assertFalse(user_can_view_domains)
+ self.assertFalse(user_can_view_requests)
+ self.assertFalse(user_can_edit_domains)
+
+ self.user.portfolio=portfolio
+ self.user.save()
+ self.user.refresh_from_db()
+
+ user_can_view_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_DOMAINS)
+ user_can_view_requests = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_REQUESTS)
+ user_can_edit_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
+
+ self.assertTrue(user_can_view_domains)
+ self.assertFalse(user_can_view_requests)
+ self.assertFalse(user_can_edit_domains)
+
+ self.user.portfolio_roles = [User.UserPortfolioRoleChoices.ORGANIZATION_ADMIN]
+ self.user.save()
+ self.user.refresh_from_db()
+
+ user_can_view_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_DOMAINS)
+ user_can_view_requests = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_REQUESTS)
+ user_can_edit_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
+
+ self.assertTrue(user_can_view_domains)
+ self.assertTrue(user_can_view_requests)
+ self.assertFalse(user_can_edit_domains)
+
+ UserDomainRole.objects.all().get_or_create(user=self.user, domain=self.domain, role=UserDomainRole.Roles.MANAGER)
+
+ user_can_view_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_DOMAINS)
+ user_can_view_requests = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.VIEW_REQUESTS)
+ user_can_edit_domains = self.user.has_portfolio_permission(User.UserPortfolioPermissionChoices.EDIT_DOMAINS)
+
+ self.assertTrue(user_can_view_domains)
+ self.assertTrue(user_can_view_requests)
+ self.assertTrue(user_can_edit_domains)
+
+ Portfolio.objects.all().delete()
+
class TestContact(TestCase):
def setUp(self):
diff --git a/src/registrar/tests/test_views.py b/src/registrar/tests/test_views.py
index 7ff054ef6..c52fd3b00 100644
--- a/src/registrar/tests/test_views.py
+++ b/src/registrar/tests/test_views.py
@@ -958,22 +958,22 @@ class PortfoliosTests(TestWithUser, WebTest):
session_id = self.app.cookies[settings.SESSION_COOKIE_NAME]
self.app.set_cookie(settings.SESSION_COOKIE_NAME, session_id)
- @less_console_noise_decorator
- def test_middleware_redirects_to_portfolio_homepage(self):
- """Tests that a user is redirected to the portfolio homepage when organization_feature is on and
- a portfolio belongs to the user, test for the special h1s which only exist in that version
- of the homepage"""
- self.app.set_user(self.user.username)
- with override_flag("organization_feature", active=True):
- # This will redirect the user to the portfolio page.
- # Follow implicity checks if our redirect is working.
- portfolio_page = self.app.get(reverse("home")).follow()
- self._set_session_cookie()
+ # @less_console_noise_decorator
+ # def test_middleware_redirects_to_portfolio_homepage(self):
+ # """Tests that a user is redirected to the portfolio homepage when organization_feature is on and
+ # a portfolio belongs to the user, test for the special h1s which only exist in that version
+ # of the homepage"""
+ # self.app.set_user(self.user.username)
+ # with override_flag("organization_feature", active=True):
+ # # This will redirect the user to the portfolio page.
+ # # Follow implicity checks if our redirect is working.
+ # portfolio_page = self.app.get(reverse("home")).follow()
+ # self._set_session_cookie()
- # Assert that we're on the right page
- self.assertContains(portfolio_page, self.portfolio.organization_name)
+ # # Assert that we're on the right page
+ # self.assertContains(portfolio_page, self.portfolio.organization_name)
- self.assertContains(portfolio_page, 'Domains
')
+ # self.assertContains(portfolio_page, 'Domains
')
@less_console_noise_decorator
def test_no_redirect_when_org_flag_false(self):
diff --git a/src/registrar/tests/test_views_portfolio.py b/src/registrar/tests/test_views_portfolio.py
new file mode 100644
index 000000000..9f1f386f1
--- /dev/null
+++ b/src/registrar/tests/test_views_portfolio.py
@@ -0,0 +1,203 @@
+from unittest import skip
+from unittest.mock import MagicMock, ANY, patch
+
+from django.conf import settings
+from django.urls import reverse
+from django.contrib.auth import get_user_model
+
+from api.tests.common import less_console_noise_decorator
+from registrar.models.portfolio import Portfolio
+
+from .common import MockEppLib, MockSESClient, create_user # type: ignore
+from django_webtest import WebTest # type: ignore
+import boto3_mocking # type: ignore
+
+from registrar.utility.errors import (
+ NameserverError,
+ NameserverErrorCodes,
+ SecurityEmailError,
+ SecurityEmailErrorCodes,
+ GenericError,
+ GenericErrorCodes,
+ DsDataError,
+ DsDataErrorCodes,
+)
+
+from registrar.models import (
+ DomainRequest,
+ Domain,
+ DomainInformation,
+ DomainInvitation,
+ Contact,
+ PublicContact,
+ Host,
+ HostIP,
+ UserDomainRole,
+ User,
+ FederalAgency,
+)
+from datetime import date, datetime, timedelta
+from django.utils import timezone
+
+from .common import less_console_noise
+from .test_views import TestWithUser
+from waffle.testutils import override_flag
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class TestPortfolioViews(TestWithUser, WebTest):
+ def setUp(self):
+ super().setUp()
+ self.domain, _ = Domain.objects.get_or_create(name="igorville.gov")
+ self.portfolio, _ = Portfolio.objects.get_or_create(creator=self.user, organization_name="Hotel California")
+ self.role, _ = UserDomainRole.objects.get_or_create(
+ user=self.user, domain=self.domain, role=UserDomainRole.Roles.MANAGER
+ )
+
+ @less_console_noise_decorator
+ def test_middleware_does_not_redirect_if_no_permission(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ portfolio_page = self.app.get(reverse("home"))
+ # Assert that we're on the right page
+ self.assertNotContains(portfolio_page, self.portfolio.organization_name)
+
+ @less_console_noise_decorator
+ def test_middleware_does_not_redirect_if_no_portfolio(self):
+ """ """
+ self.app.set_user(self.user.username)
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ portfolio_page = self.app.get(reverse("home"))
+ # Assert that we're on the right page
+ self.assertNotContains(portfolio_page, self.portfolio.organization_name)
+
+ @less_console_noise_decorator
+ def test_middleware_redirects_to_portfolio_organization_page(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ portfolio_page = self.app.get(reverse("home")).follow()
+ # Assert that we're on the right page
+ self.assertContains(portfolio_page, self.portfolio.organization_name)
+ self.assertContains(portfolio_page, 'Organization
')
+
+ @less_console_noise_decorator
+ def test_middleware_redirects_to_portfolio_domains_page(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO, User.UserPortfolioPermissionChoices.VIEW_DOMAINS]
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ portfolio_page = self.app.get(reverse("home")).follow()
+ # Assert that we're on the right page
+ self.assertContains(portfolio_page, self.portfolio.organization_name)
+ self.assertNotContains(portfolio_page, 'Organization
')
+ self.assertContains(portfolio_page, 'Domains
')
+
+ @less_console_noise_decorator
+ def test_portfolio_domains_page_403_when_user_not_have_permission(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ response = self.app.get(reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk}), status=403)
+ # Assert the response is a 403
+ # Assert the response is a 403 Forbidden
+ self.assertEqual(response.status_code, 403)
+
+ @less_console_noise_decorator
+ def test_portfolio_domain_requests_page_403_when_user_not_have_permission(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ response = self.app.get(reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk}), status=403)
+ # Assert the response is a 403
+ # Assert the response is a 403 Forbidden
+ self.assertEqual(response.status_code, 403)
+
+ @less_console_noise_decorator
+ def test_portfolio_organization_page_403_when_user_not_have_permission(self):
+ """"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ response = self.app.get(reverse("portfolio-organization", kwargs={"portfolio_id": self.portfolio.pk}), status=403)
+ # Assert the response is a 403
+ # Assert the response is a 403 Forbidden
+ self.assertEqual(response.status_code, 403)
+
+ @less_console_noise_decorator
+ def test_navigation_links_hidden_when_user_not_have_permission(self):
+ """This test is AMAZING"""
+ self.app.set_user(self.user.username)
+ self.user.portfolio=self.portfolio
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO, User.UserPortfolioPermissionChoices.VIEW_DOMAINS, User.UserPortfolioPermissionChoices.VIEW_REQUESTS]
+ self.user.save()
+ self.user.refresh_from_db()
+ with override_flag("organization_feature", active=True):
+ # This will redirect the user to the portfolio page.
+ # Follow implicity checks if our redirect is working.
+ portfolio_page = self.app.get(reverse("home")).follow()
+ # Assert that we're on the right page
+ self.assertContains(portfolio_page, self.portfolio.organization_name)
+ self.assertNotContains(portfolio_page, 'Organization
')
+ self.assertContains(portfolio_page, 'Domains
')
+ self.assertContains(portfolio_page, reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk}))
+ self.assertContains(portfolio_page, reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk}))
+
+ self.user.portfolio_additional_permissions = [User.UserPortfolioPermissionChoices.VIEW_PORTFOLIO]
+ self.user.save()
+ self.user.refresh_from_db()
+
+ portfolio_page = self.app.get(reverse("home")).follow()
+
+ self.assertContains(portfolio_page, self.portfolio.organization_name)
+ self.assertContains(portfolio_page, 'Organization
')
+ self.assertNotContains(portfolio_page, 'Domains
')
+ self.assertNotContains(portfolio_page, reverse("portfolio-domains", kwargs={"portfolio_id": self.portfolio.pk}))
+ self.assertNotContains(portfolio_page, reverse("portfolio-domain-requests", kwargs={"portfolio_id": self.portfolio.pk}))
+
+ def tearDown(self):
+ Portfolio.objects.all().delete()
+ UserDomainRole.objects.all().delete()
+ DomainRequest.objects.all().delete()
+ DomainInformation.objects.all().delete()
+ Domain.objects.all().delete()
+ super().tearDown()