search

mozilla / pontoon

Mozilla's Localization Platform
https://pontoon.mozilla.org
BSD 3-Clause "New" or "Revised" License
1.46k stars 529 forks source link

project_managers group is not created by default #3417

Open flodolo opened 2 days ago

flodolo commented 2 days ago

This feels like a bug, since the group is then used to set up point of contact in projects?

mathjazz commented 2 days ago

Should we just show all users with access to /admin in the Project Manager list and drop references to the project_managers group?

flodolo commented 2 days ago

Should we just show all users with access to /admin in the Project Manager list and drop references to the project_managers group?

I think the original intent was to have 2 separate groups: PMs can manage projects, but can't access the Django interface. Is that accurate?

We should probably check what's the current overlap between the two groups.

mathjazz commented 22 hours ago

Pardon, my question was wrong. We actually already show all users with access to /admin in the Project Manager list.

There's not that much overlap with the staff users (who can access the Django interface), so apparently it makes sense to keep these two lists separate: https://pontoon.mozilla.org/a/auth/user/?is_staff__exact=1

flodolo commented 15 hours ago

Pardon, my question was wrong. We actually already show all users with access to /admin in the Project Manager list.

Can you clarify what you mean with "show"? If you mean within the project admin UI, that doesn't match my experience on a local install: I had to manually create the group and add myself (an admin), that's why I filed the issue.

https://github.com/mozilla/pontoon/blob/c546a2133b923c84c762d867fd981f03c2f652dd/pontoon/administration/forms.py#L69-L71

mathjazz commented 13 hours ago

The can_manage_project permission is required to access the /admin page. It's assigned to members of the project_managers group, which are shown in the Project Manager list in the Project Admin page. So the same permission is controlling both, access to /admin and appearance in the Project Manager list.

Your experience on the fresh install makes sense - you had to create the group due to this bug (we should fix that with a data migration) and you were able to access /admin, because you created your user with a createsuperuser command, which means you had all permissions.