Update permissions of roles

- grant permission to publish events to editor
- revoke permission to view feedback and imprint for editor and events manager roles

integreat_cms/cms/migrations/0002_roles.py

@@ -233,7 +233,7 @@ def add_roles(apps, schema_editor):
     """
     Add the default roles for users
 
-    :param apps:
+    :param apps: The configuration of installed applications
     :type apps: ~django.apps.registry.Apps
 
     :param schema_editor: The database abstraction layer that creates actual SQL code
@@ -266,7 +266,7 @@ def remove_roles(apps, schema_editor):
     """
     Remove the default roles for users
 
-    :param apps: The
+    :param apps: The configuration of installed applications
     :type apps: ~django.apps.registry.Apps
 
     :param schema_editor: The database abstraction layer that creates actual SQL code

integreat_cms/cms/migrations/0005_grant_imprint_deletion_permission.py

@@ -7,7 +7,7 @@ def add_roles(apps, schema_editor):
     """
     Add the default roles for users
 
-    :param apps:
+    :param apps: The configuration of installed applications
     :type apps: ~django.apps.registry.Apps
 
     :param schema_editor: The database abstraction layer that creates actual SQL code
@@ -28,7 +28,7 @@ def remove_roles(apps, schema_editor):
     """
     Remove the default roles for users
 
-    :param apps: The
+    :param apps: The configuration of installed applications
     :type apps: ~django.apps.registry.Apps
 
     :param schema_editor: The database abstraction layer that creates actual SQL code

integreat_cms/cms/migrations/0007_change_role_permissions.py

@@ -0,0 +1,98 @@
+# Generated by Django 3.2.12 on 2022-02-21 13:05
+from django.db import migrations
+
+
+ROLES = [
+    {
+        "name": "EDITOR",
+        "add_permissions": [
+            "publish_event",
+        ],
+        "remove_permissions": [
+            "change_feedback",
+            "change_imprintpage",
+            "view_feedback",
+            "view_imprintpage",
+        ],
+    },
+    {
+        "name": "EVENT_MANAGER",
+        "add_permissions": [],
+        "remove_permissions": [
+            "change_feedback",
+            "view_feedback",
+            "view_imprintpage",
+        ],
+    },
+]
+
+# pylint: disable=unused-argument
+def update_roles(apps, schema_editor):
+    """
+    Update the permissions of roles
+
+    :param apps: The configuration of installed applications
+    :type apps: ~django.apps.registry.Apps
+
+    :param schema_editor: The database abstraction layer that creates actual SQL code
+    :type schema_editor: ~django.db.backends.base.schema.BaseDatabaseSchemaEditor
+    """
+    # We can't import the Person model directly as it may be a newer
+    # version than this migration expects. We use the historical version.
+    Group = apps.get_model("auth", "Group")
+    Permission = apps.get_model("auth", "Permission")
+
+    for role_conf in ROLES:
+        group = Group.objects.get(name=role_conf.get("name"))
+        add_permissions = Permission.objects.filter(
+            codename__in=role_conf.get("add_permissions")
+        )
+        group.permissions.add(*add_permissions)
+        remove_permissions = Permission.objects.filter(
+            codename__in=role_conf.get("remove_permissions")
+        )
+        group.permissions.remove(*remove_permissions)
+
+
+# pylint: disable=unused-argument
+def revert_roles(apps, schema_editor):
+    """
+    Revert the permission changes of this migration
+
+    :param apps: The configuration of installed applications
+    :type apps: ~django.apps.registry.Apps
+
+    :param schema_editor: The database abstraction layer that creates actual SQL code
+    :type schema_editor: ~django.db.backends.base.schema.BaseDatabaseSchemaEditor
+    """
+    # We can't import the Person model directly as it may be a newer
+    # version than this migration expects. We use the historical version.
+    Group = apps.get_model("auth", "Group")
+    Permission = apps.get_model("auth", "Permission")
+
+    for role_conf in ROLES:
+        group = Group.objects.get(name=role_conf.get("name"))
+        # The permissions that were added with this migration need to be removed
+        add_permissions = Permission.objects.filter(
+            codename__in=role_conf.get("add_permissions")
+        )
+        group.permissions.remove(*add_permissions)
+        # The migrations that were removed with this migration need to be added again
+        remove_permissions = Permission.objects.filter(
+            codename__in=role_conf.get("remove_permissions")
+        )
+        group.permissions.add(*remove_permissions)
+
+
+class Migration(migrations.Migration):
+    """
+    Migration file to update permissions of roles
+    """
+
+    dependencies = [
+        ("cms", "0006_region_custom_prefix"),
+    ]
+
+    operations = [
+        migrations.RunPython(update_roles, revert_roles),
+    ]

tests/cms/views/view_config.py

@@ -68,7 +68,7 @@
                 PRIV_STAFF_ROLES + [MANAGEMENT],
                 {"username": "new_username", "email": "new@email.address", "role": 1},
             ),
-            ("region_feedback", ROLES),
+            ("region_feedback", STAFF_ROLES + [MANAGEMENT]),
             ("region_users", STAFF_ROLES + [MANAGEMENT]),
             ("translation_coverage", ROLES),
             ("user_settings", ROLES),
@@ -320,10 +320,10 @@
             ("sitemap:region_language", ALL_ROLES),
             ("archived_pages", STAFF_ROLES + [MANAGEMENT, EDITOR]),
             ("archived_pois", ROLES),
-            ("edit_imprint", ROLES),
+            ("edit_imprint", STAFF_ROLES + [MANAGEMENT]),
             (
                 "edit_imprint",
-                PRIV_STAFF_ROLES + [MANAGEMENT, EDITOR],
+                PRIV_STAFF_ROLES + [MANAGEMENT],
                 {"title": "imprint", "submit_draft": True},
             ),
             ("events", ROLES),