Add in missing read permissions for organization audit role (#15318)

* Add in missing read permissions for organization audit role

* Add missing audit permission, special case name handling
This commit is contained in:
Alan Rominger
2024-07-02 15:20:40 -04:00
committed by GitHub
parent 6763badea3
commit c4688d6298
4 changed files with 36 additions and 3 deletions

View File

@@ -277,6 +277,7 @@ def setup_managed_role_definitions(apps, schema_editor):
to_create = {
'object_admin': '{cls.__name__} Admin',
'org_admin': 'Organization Admin',
'org_audit': 'Organization Audit',
'org_children': 'Organization {cls.__name__} Admin',
'special': '{cls.__name__} {action}',
}
@@ -327,7 +328,8 @@ def setup_managed_role_definitions(apps, schema_editor):
if 'special' in to_create:
special_perms = []
for perm in object_perms:
if perm.codename.split('_')[0] not in ('add', 'change', 'delete', 'view'):
# Organization auditor is handled separately
if perm.codename.split('_')[0] not in ('add', 'change', 'delete', 'view', 'audit'):
special_perms.append(perm)
for perm in special_perms:
action = perm.codename.split('_')[0]
@@ -353,6 +355,19 @@ def setup_managed_role_definitions(apps, schema_editor):
)
)
if 'org_audit' in to_create:
audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]
audit_permissions.append(Permission.objects.get(codename='audit_organization'))
managed_role_definitions.append(
get_or_create_managed(
to_create['org_audit'].format(cls=Organization),
'Has permission to view all objects inside of a single organization',
org_ct,
audit_permissions,
RoleDefinition,
)
)
unexpected_role_definitions = RoleDefinition.objects.filter(managed=True).exclude(pk__in=[rd.pk for rd in managed_role_definitions])
for role_definition in unexpected_role_definitions:
logger.info(f'Deleting old managed role definition {role_definition.name}, pk={role_definition.pk}')