Closed angela-tran closed 2 months ago
Split out the permissions/access of model configuration views into a separate ticket (#2278)
This ticket is now solely focused on the permissions/access for in-person enrollment views
This ticket is really saying "make sure the user is associated to a TransitAgency upon login".
So we don't need any middleware
@thekaveman helped me reframe this ticket so that instead of reacting to the user being in a bad state, we do as much as we can to put the user in a good state from the very beginning.
I updated the description to reflect this
Depends on #2295 and #2284
The in-person enrollment pages assume they are in the context of some transit agency. Therefore, we wouldn't want the user to not be associated to a transit agency and attempt to view the in-person enrollment pages.
Previously, the idea was that an admin from Cal-ITP would manually associate the user to their transit agency by adding the user to a group that is referenced by the TransitAgency. However, we can minimize the time in which a user is transit-agency-less by automatically associating the user to a transit agency based on the domain from their email.
We don't necessarily want every user associated with the transit agency to be able to do in-person enrollment, so we need a separate group to represent having permission to do that. That is the group to which they need to be manually added by a Cal-ITP admin. If the user is not in that group yet, they will not see the part of the UI for "In-person enrollment."
Technical details
Each TransitAgency will have a reference to a Group from the Django admin site via a staff_group field. This represents being associated with the TransitAgency (i.e. "belonging to" the TransitAgency).
They will each also have a reference to a Group via a customer_service_group field. This represents having permission to do in-person enrollment.
Implementation
Model changes
staff_group field to TransitAgency which is a ForeignKey to the Group model from django.contrib.auth
on_delete should be models.PROTECT which means if someone tries to delete the Group, they need to first go remove the reference from the TransitAgency
staff_group but for customer_service_group instead
sso_domain field to TransitAgency which is used to map to the user's email domain
View changes
No view changes needed. It will be very unlikely for the user to not have a transit agency, due to the automatic association using sso_domain. We're ok with the app showing some generic error screen if somehow that very unlikely situation happens.
Acceptance Criteria
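A framework-free sketch of the login-time association this ticket describes, added here as an example and not the project's code. Plain classes stand in for the Django Group and TransitAgency models; the function names, the exact-match domain rule and the sample values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Group:  # stand-in for django.contrib.auth's Group (assumption)
    name: str
    members: set = field(default_factory=set)


@dataclass
class TransitAgency:  # only the three fields named in the ticket
    name: str
    sso_domain: str
    staff_group: Group
    customer_service_group: Group


def email_domain(email):
    """Return the lowercased domain, or None unless the address is one local@domain."""
    email = (email or "").strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    return domain.lower() if local and domain else None


def associate_on_login(email, agencies):
    """Add the user to the staff_group of the agency whose sso_domain matches exactly."""
    domain = email_domain(email)
    for agency in agencies:
        # Exact comparison: a suffix or substring match would also accept
        # lookalike domains that merely contain the agency's domain.
        if domain is not None and domain == agency.sso_domain.lower():
            agency.staff_group.members.add(email)
            return agency
    return None  # no agency found: the app falls back to its generic error screen


def can_enroll_in_person(email, agency):
    """In-person enrollment needs the automatic group and the manually granted one."""
    return (email in agency.staff_group.members
            and email in agency.customer_service_group.members)


if __name__ == "__main__":
    # Constructed sample data, not real agencies or users.
    agency = TransitAgency("Example Transit", "transit.example",
                           Group("Example Transit staff"),
                           Group("Example Transit customer service"))
    user = "clerk@transit.example"
    print(associate_on_login(user, [agency]) is agency, can_enroll_in_person(user, agency))
```
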