For the org model MVP, we have several features that we need to show/hide based on user permissions, such as domain management, managing requests, user management (at the whole portfolio level) and so on. As we build out views for domain management in particular, we are going to need a permission system in place so that we can get started on these conditional views.
We are also currently only showing a portfolio based on who created it, but the goal is to retrieve the portfolios the user has permissions on, just as we currently retrieve the domains they have management rights to.
The third thing permissions will be used for is showing a human-readable role next to user names, such as "org member", "domain manager", "admin" and "read-only admin". This human-readable name will eventually need to appear both in the Django admin (for easy analyst viewing) and in a Portfolio User Management page for our users.
The scope of this ticket:
Given the above needs, set up the foundation for permissions such that, at the completion of this ticket, a developer could
easily associate the org_model flag with an org_member user group
add a UserPortfolioRole to their user account
have the permissions on their user account change to match the role(s) assigned
Acceptance criteria
[ ] UserPortfolioRole table is created and linked to the User table (see the Miro board for specifics)
[ ] create a new user group for org members with the permission "org_member_basic" (note: this is the most minimal permission expected, viewing org details; see the "basic" column in the Miro board, and feel free to rename it to something better or to something that specifically calls out the view, such as org_member_details_view)
[ ] permissions are associated with each role in a way that will make changing permissions in the future easy (see below)
[ ] adding/modifying a UserPortfolioRole adds/removes permissions accordingly (see below)
[ ] adding a UserPortfolioRole for a user adds them to the user group, if the group exists
[ ] deleting a UserPortfolioRole removes the user from the group, if the group exists
[ ] general infrastructure is laid out so that in the next ticket we can check user permissions on the Domains table view and conditionally show the table only if they have the correct permissions as defined in the Miro board
Additional context
For permissions, we could do a table for permissions or just use enums. If using enums I would associate each role with unique permissions that can build/layer on top of each other.
For UserPortfolioRoles modifying user permissions, I would avoid using signals if possible and try to use the on-save feature and override the built-in delete function as needed.
*note for overriding delete, just do
    def delete(self, *args, **kwargs):
        # remove the user from the user group here (if the group exists)
        super().delete(*args, **kwargs)
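The sketch below is an added example, not the project's code, of the design the acceptance criteria and the notes above describe: roles map to layered permission sets, a UserPortfolioRole row syncs the user's group membership from save() and delete() rather than from signals, and permission checks are the union of every role the user holds on a portfolio. It is plain Python standing in for the Django models (no database, and a dict standing in for auth.Group), so the class and permission names other than org_member_basic and the four human-readable labels from the ticket are assumptions. It also covers two edge cases a practitioner would want handled: the group not existing yet, and deleting one of two roles without stripping the access the remaining role still grants.

```python
"""Hypothetical, pure-Python stand-in for the role/permission models in the ticket.

Not the project's code: UserPortfolioRoleChoices, UserPortfolioPermissionChoices,
ORG_MEMBER_GROUP and every permission except org_member_basic are assumed names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class UserPortfolioRoleChoices(str, Enum):
    ORGANIZATION_MEMBER = "organization_member"
    DOMAIN_MANAGER = "domain_manager"
    ORGANIZATION_ADMIN_READ_ONLY = "organization_admin_read_only"
    ORGANIZATION_ADMIN = "organization_admin"


class UserPortfolioPermissionChoices(str, Enum):
    ORG_MEMBER_BASIC = "org_member_basic"   # the ticket's minimal permission: view org details
    VIEW_ALL_DOMAINS = "view_all_domains"   # the remaining names are assumptions
    EDIT_DOMAINS = "edit_domains"
    VIEW_ALL_REQUESTS = "view_all_requests"
    EDIT_REQUESTS = "edit_requests"
    VIEW_MEMBERS = "view_members"
    EDIT_MEMBERS = "edit_members"


R, P = UserPortfolioRoleChoices, UserPortfolioPermissionChoices

# Layered permission sets: each builds on the one below it, so adding a
# permission to the basic set flows up to every role without touching them.
_BASIC = frozenset({P.ORG_MEMBER_BASIC})
_DOMAIN_MANAGER = _BASIC | {P.VIEW_ALL_DOMAINS, P.EDIT_DOMAINS}
_READ_ONLY_ADMIN = _BASIC | {P.VIEW_ALL_DOMAINS, P.VIEW_ALL_REQUESTS, P.VIEW_MEMBERS}
_ADMIN = _READ_ONLY_ADMIN | {P.EDIT_DOMAINS, P.EDIT_REQUESTS, P.EDIT_MEMBERS}

ROLE_PERMISSIONS: dict[R, frozenset[P]] = {
    R.ORGANIZATION_MEMBER: _BASIC,
    R.DOMAIN_MANAGER: _DOMAIN_MANAGER,
    R.ORGANIZATION_ADMIN_READ_ONLY: _READ_ONLY_ADMIN,
    R.ORGANIZATION_ADMIN: _ADMIN,
}

# Human-readable labels from the ticket, for the Django admin and the member page.
ROLE_LABELS: dict[R, str] = {
    R.ORGANIZATION_MEMBER: "org member",
    R.DOMAIN_MANAGER: "domain manager",
    R.ORGANIZATION_ADMIN_READ_ONLY: "read-only admin",
    R.ORGANIZATION_ADMIN: "admin",
}

ORG_MEMBER_GROUP = "org_member"  # assumed name of the org-member user group

# Stand-in for auth.Group rows: group name -> usernames.  A missing key means
# the group does not exist yet, which save()/delete() must tolerate.
GROUPS: dict[str, set[str]] = {}


@dataclass(eq=False)
class User:
    username: str
    portfolio_roles: list[UserPortfolioRole] = field(default_factory=list)

    def portfolio_permissions(self, portfolio: str) -> frozenset[P]:
        """Union of the permissions of every role the user holds on one portfolio."""
        perms: frozenset[P] = frozenset()
        for role in self.portfolio_roles:
            if role.portfolio == portfolio:
                perms |= ROLE_PERMISSIONS[role.role]
        return perms

    def has_portfolio_permission(self, portfolio: str, perm: P) -> bool:
        return perm in self.portfolio_permissions(portfolio)

    def in_group(self, name: str) -> bool:
        return self.username in GROUPS.get(name, set())


@dataclass(eq=False)
class UserPortfolioRole:
    """One row linking a user to a portfolio with a role."""
    user: User
    portfolio: str
    role: R

    def save(self) -> None:
        # Django equivalent: override Model.save(), call super().save(), then sync.
        if self not in self.user.portfolio_roles:
            self.user.portfolio_roles.append(self)
        group = GROUPS.get(ORG_MEMBER_GROUP)
        if group is not None:  # add to the user group only if it exists
            group.add(self.user.username)

    def delete(self) -> None:
        # Django equivalent: override Model.delete(), sync, then call super().delete().
        self.user.portfolio_roles.remove(self)
        # Leave the group only once the user holds no portfolio role at all;
        # otherwise deleting one of two roles would strip the other's access.
        group = GROUPS.get(ORG_MEMBER_GROUP)
        if group is not None and not self.user.portfolio_roles:
            group.discard(self.user.username)


def role_label(role: R) -> str:
    """Label shown next to a user name in the admin and the member page."""
    return ROLE_LABELS[role]
```

In the real Django models the same shape applies: the role field uses the role enum as its choices, the group lookup becomes Group.objects.filter(name=...).first(), and the view-level check for the next ticket is request.user.has_portfolio_permission(portfolio, P.VIEW_ALL_DOMAINS) rather than a check on the creator field.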
Links to other issues
2367