Coverage for benefits / core / admin / mixins.py: 100%

50 statements  


1from django.conf import settings 

2from django.contrib.auth.models import Group 

3 

4 

def is_staff_member(user):
    """Check whether a user belongs to the Benefits staff group.

    The Benefits staff group is the 'Cal-ITP' group, whose name comes from settings.STAFF_GROUP_NAME.
    It is unrelated to Django's own 'staff' flag, which only marks users that can log in to the admin.

    The group is looked up by name on every call. `Group.objects.get` raises `Group.DoesNotExist`
    when no group with that name exists, and that exception is not handled here, so a missing
    group surfaces as an error rather than as a silent grant.
    """
    benefits_staff = Group.objects.get(name=settings.STAFF_GROUP_NAME)
    members = benefits_staff.user_set
    return members.contains(user)

14 

15 

def is_staff_member_or_superuser(user):
    """Tell whether a user is a superuser or a member of the Benefits staff group.

    Unauthenticated users (such as an AnonymousUser) are rejected before any other
    attribute is read, so the staff-group lookup only runs for logged-in users.
    """
    if user.is_authenticated:
        # Superusers short-circuit the group membership query.
        return user.is_superuser or is_staff_member(user)
    # an AnonymousUser can't be a staff member or superuser
    return False

22 

23 

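class ProdReadOnlyPermissionMixin:
    """A specific mixin for models that should be read-only in Production.

    - Grants `view` to staff/superusers.
    - In Prod: Blocks `add/change/delete` for all users, superusers included.
    - In Non-Prod: Grants `add/change/delete` to staff/superusers.

    Every check returns a strict ``bool`` and ignores ``obj``, so the decision is made per
    model, not per object. The outcome depends only on the runtime environment and on
    `is_staff_member_or_superuser`; no `user.has_perm` lookup is made in this class.

    NOTE(review): presumably combined with a Django ModelAdmin; the mixin has to come before
    the admin base class in the bases list for these overrides to take effect.
    """

    def _is_staff_or_superuser(self, request):
        """Return True only when the request carries a user that is staff or a superuser."""
        user = request.user
        # A missing user is denied outright and never reaches the group lookup.
        if not user:
            return False
        return bool(is_staff_member_or_superuser(user))

    def _user_can_manage(self, request):
        """Central logic to check if a user has full management permissions for this model."""
        # Production is read-only for everyone, so deny before looking at the user at all.
        if settings.RUNTIME_ENVIRONMENT() == settings.RUNTIME_ENVS.PROD:
            return False
        return self._is_staff_or_superuser(request)

    def has_add_permission(self, request):
        """Allow adding only outside Production, and only for staff/superusers."""
        return self._user_can_manage(request)

    def has_change_permission(self, request, obj=None):
        """Allow changing only outside Production, and only for staff/superusers."""
        return self._user_can_manage(request)

    def has_delete_permission(self, request, obj=None):
        """Allow deleting only outside Production, and only for staff/superusers."""
        return self._user_can_manage(request)

    def has_module_permission(self, request, obj=None):
        """Allow module access for staff/superusers in every environment."""
        # View is always allowed for staff, even in Prod
        return self._is_staff_or_superuser(request)

    def has_view_permission(self, request, obj=None):
        """Allow viewing for staff/superusers in every environment."""
        # View is always allowed for staff, even in Prod
        return self._is_staff_or_superuser(request)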

54 

55 

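class StaffPermissionMixin:
    """Grants full `add/change/delete/view` permissions to users who pass the `is_staff_member_or_superuser` check.

    Every check returns a strict ``bool`` and ignores ``obj``, so the decision is made per
    model, not per object. Staff-group membership or superuser status is the only criterion;
    no `user.has_perm` lookup is made in this class.

    NOTE(review): presumably combined with a Django ModelAdmin; the mixin has to come before
    the admin base class in the bases list for these overrides to take effect.
    """

    def _user_can_manage(self, request):
        """Central logic to check if a user has full management permissions for this model."""
        user = request.user
        # A missing user is denied outright and never reaches the group lookup.
        if not user:
            return False
        return bool(is_staff_member_or_superuser(user))

    def has_add_permission(self, request):
        """Allow adding for staff/superusers."""
        return self._user_can_manage(request)

    def has_change_permission(self, request, obj=None):
        """Allow changing for staff/superusers."""
        return self._user_can_manage(request)

    def has_delete_permission(self, request, obj=None):
        """Allow deleting for staff/superusers."""
        return self._user_can_manage(request)

    def has_module_permission(self, request):
        """Allow module access for staff/superusers."""
        return self._user_can_manage(request)

    def has_view_permission(self, request, obj=None):
        """Allow viewing for staff/superusers."""
        return self._user_can_manage(request)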

77 

78 

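class SuperuserPermissionMixin:
    """Grants `add/change/delete/view` permissions to superusers only.

    Every check returns a strict ``bool`` and ignores ``obj``, so the decision is made per
    model, not per object. Only `request.user.is_superuser` is consulted; staff-group
    membership does not grant anything here.

    NOTE(review): presumably combined with a Django ModelAdmin; the mixin has to come before
    the admin base class in the bases list for these overrides to take effect.
    """

    def _user_can_manage(self, request):
        """Central logic to check if a user has full management permissions for this model."""
        user = request.user
        # Coerce to bool so a missing user yields False instead of leaking None to callers.
        return bool(user and user.is_superuser)

    def has_add_permission(self, request):
        """Allow adding for superusers only."""
        return self._user_can_manage(request)

    def has_change_permission(self, request, obj=None):
        """Allow changing for superusers only."""
        return self._user_can_manage(request)

    def has_delete_permission(self, request, obj=None):
        """Allow deleting for superusers only."""
        return self._user_can_manage(request)

    def has_module_permission(self, request, obj=None):
        """Allow module access for superusers only."""
        return self._user_can_manage(request)

    def has_view_permission(self, request, obj=None):
        """Allow viewing for superusers only."""
        return self._user_can_manage(request)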