Merge pull request #22757 from dimagi/mk-restrict-domain-admin

Mk restrict domain admin
dimagi · Dec 19, 2018 · eec018e · eec018e
2 parents 182a143 + 1518a4a
commit eec018e
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/corehq/apps/users/models.py b/corehq/apps/users/models.py
@@ -618,16 +618,15 @@ def transfer_domain_membership(self, domain, to_user, create_record=False, is_ad
         self.delete_domain_membership(domain, create_record=create_record)
 
     @memoized
-    def is_domain_admin(self, domain=None, restrict_global_admin=False):
+    def is_domain_admin(self, domain=None):
         if not domain:
             # hack for template
             if hasattr(self, 'current_domain'):
                 # this is a hack needed because we can't pass parameters from views
                 domain = self.current_domain
             else:
                 return False # no domain, no admin
-        if (not restrict_global_admin and self.is_global_admin() and
-                (domain is None or not domain_restricts_superusers(domain))):
+        if self.is_global_admin() and (domain is None or not domain_restricts_superusers(domain)):
             return True
         dm = self.get_domain_membership(domain)
         if dm:
@@ -644,15 +643,18 @@ def get_domains(self):
 
     @memoized
     def has_permission(self, domain, permission, data=None, restrict_global_admin=False):
-        # is_admin is the same as having all the permissions set
-        if (not restrict_global_admin and self.is_global_admin() and
-                (domain is None or not domain_restricts_superusers(domain))):
-            return True
-        elif self.is_domain_admin(domain, restrict_global_admin):
-            return True
+        if not restrict_global_admin:
+            # is_admin is the same as having all the permissions set
+            if self.is_global_admin() and (domain is None or not domain_restricts_superusers(domain)):
+                return True
+            elif self.is_domain_admin(domain):
+                return True
 
         dm = self.get_domain_membership(domain)
         if dm:
+            # an admin has access to all features by default, restrict that if needed
+            if dm.is_admin and restrict_global_admin:
+                return False
             return dm.has_permission(permission, data)
         else:
             return False
@@ -1673,7 +1675,7 @@ def delete(self):
     def project(self):
         return Domain.get_by_name(self.domain)
 
-    def is_domain_admin(self, domain=None, restrict_global_admin=False):
+    def is_domain_admin(self, domain=None):
         # cloudcare workaround
         return False