manage.get.gov/src/registrar/models/user_group.py

from django.contrib.auth.models import Group
import logging

logger = logging.getLogger(__name__)


class UserGroup(Group):
    """
    UserGroup sets read and write permissions for superusers (who have full access)
    and analysts. For more details, see the dev docs for user-permissions.
    """

    class Meta:
        verbose_name = "User group"
        verbose_name_plural = "User groups"

    def create_cisa_analyst_group(apps, schema_editor):
        """This method gets run from a data migration."""

        # Hard to pass self to these methods as the calls from migrations
        # are only expecting apps and schema_editor, so we'll just define
        # apps, schema_editor in the local scope instead
        CISA_ANALYST_GROUP_PERMISSIONS = [
            {
                "app_label": "auditlog",
                "model": "logentry",
                "permissions": ["view_logentry"],
            },
            {
                "app_label": "registrar",
                "model": "contact",
                "permissions": ["change_contact"],
            },
            {
                "app_label": "registrar",
                "model": "domainrequest",
                "permissions": ["change_domainrequest"],
            },
            {
                "app_label": "registrar",
                "model": "domain",
                "permissions": ["view_domain"],
            },
            {
                "app_label": "registrar",
                "model": "user",
                "permissions": ["analyst_access_permission", "change_user"],
            },
            {
                "app_label": "registrar",
                "model": "domaininvitation",
                "permissions": ["add_domaininvitation", "view_domaininvitation"],
            },
            {
                "app_label": "registrar",
                "model": "userdomainrole",
                "permissions": ["view_userdomainrole", "delete_userdomainrole"],
            },
            {
                "app_label": "registrar",
                "model": "verifiedbystaff",
                "permissions": ["add_verifiedbystaff", "change_verifiedbystaff", "delete_verifiedbystaff"],
            },
            {
                "app_label": "registrar",
                "model": "federalagency",
                "permissions": ["add_federalagency", "change_federalagency", "delete_federalagency"],
            },
        ]

        # Avoid error: You can't execute queries until the end
        # of the 'atomic' block.
        # From django docs:
        # https://docs.djangoproject.com/en/4.2/topics/migrations/#data-migrations
        # We can’t import the Person model directly as it may be a newer
        # version than this migration expects. We use the historical version.
        ContentType = apps.get_model("contenttypes", "ContentType")
        Permission = apps.get_model("auth", "Permission")
        UserGroup = apps.get_model("registrar", "UserGroup")

        logger.info("Going to create the Analyst Group")
        try:
            cisa_analysts_group, _ = UserGroup.objects.get_or_create(
                name="cisa_analysts_group",
            )

            cisa_analysts_group.permissions.clear()

            for permission in CISA_ANALYST_GROUP_PERMISSIONS:
                app_label = permission["app_label"]
                model_name = permission["model"]
                permissions = permission["permissions"]

                # Retrieve the content type for the app and model
                content_type = ContentType.objects.get(app_label=app_label, model=model_name)

                # Retrieve the permissions based on their codenames
                permissions = Permission.objects.filter(content_type=content_type, codename__in=permissions)

                # Assign the permissions to the group
                cisa_analysts_group.permissions.add(*permissions)

                # Convert the permissions QuerySet to a list of codenames
                permission_list = list(permissions.values_list("codename", flat=True))

                logger.debug(
                    app_label
                    + " | "
                    + model_name
                    + " | "
                    + ", ".join(permission_list)
                    + " added to group "
                    + cisa_analysts_group.name
                )

                cisa_analysts_group.save()
                logger.debug("CISA Analyst permissions added to group " + cisa_analysts_group.name)
        except Exception as e:
            logger.error(f"Error creating analyst permissions group: {e}")

    def create_full_access_group(apps, schema_editor):
        """This method gets run from a data migration."""

        Permission = apps.get_model("auth", "Permission")
        UserGroup = apps.get_model("registrar", "UserGroup")

        logger.info("Going to create the Full Access Group")
        try:
            full_access_group, _ = UserGroup.objects.get_or_create(
                name="full_access_group",
            )
            # Get all available permissions
            all_permissions = Permission.objects.all()

            # Assign all permissions to the group
            full_access_group.permissions.add(*all_permissions)

            full_access_group.save()
            logger.debug("All permissions added to group " + full_access_group.name)
        except Exception as e:
            logger.error(f"Error creating full access group: {e}")