[DRAFT] #3103: Prevent errors in django admin Member Management

[zandercymatics]

Ticket

Resolves #3103

Changes

• (while the multiple portfolios flag is off) if a user already has a portfolio invitation or Userportfolio permission, then the user cannot have a second record of either type for a different portfolio.
• when creating portfolio invitations or User PortfolioPermissions, non admins can not be given view all members or view all domains permission
• add VIEW_MEMBERS permissions to the Admins "portfolio_role_permissions"
• removed EDIT_REQUESTS from the admins "portfolio_role_permissions"
• Fixes some pre-existing circular imports between: User, UserPortfolioPermission, and PortfolioInvitation

Context for reviewers

This PR adds some additional validation on PortfolioInvitation and UserPortfolioPermission records and modifies the permission structure slightly (see changes). In particular, there is a requirement to block creation of a new PortfolioInvitation or a new UserPortfolioPermission record if one already exists.

It was discovered during implementation that there are some existing circular import issues between those two models (and user). Since each of those records need to cross-reference eachother, it causes a similar issue. As a result, I've addressed some of the original import issues in this PR. Due to that, the logic for doing .clean() is in portfolio_helper.py with app imports to minimize this causing future conflicts.

Setup

All testing can be done in django admin on these three tables: PortfolioInvitation, UserPortfolioPermission, and WaffleFlags.
You will need to test these cases:

1. Verify that you cannot create a new PortfolioInvitation or UserPortfolioPermission when either of those already exist for the same user when the waffle flag multiple_portfolios is disabled.
2. Verify that you cannot add the roles VIEW_MEMBERS, EDIT_MEMBER, or VIEW_ALL_DOMAINS on both PortfolioInivtation and UserPortfolioPermission when the role MEMBER is selected
   • This only applies if the only role selected is member. This is intentional. If both admin and member are selected, the system sees the user as an admin
3. Verify that admins now have the VIEW_MEMBERS role by default, and no longer have EDIT_REQUESTS

Code Review Verification Steps

As the original developer, I have

Satisfied acceptance criteria and met development standards

• Met the acceptance criteria, or will meet them in a subsequent PR
• Created/modified automated tests
• Update documentation in READMEs and/or onboarding guide

Ensured code standards are met (Original Developer)

• If any updated dependencies on Pipfile, also update dependencies in requirements.txt.
• Interactions with external systems are wrapped in try/except
• Error handling exists for unusual or missing values

Validated user-facing changes (if applicable)

• Tag @dotgov-designers in this PR's Reviewers for design review. If code is not user-facing, delete design reviewer checklist
• Verify new pages have been added to .pa11yci file so that they will be tested with our automated accessibility testing
• Checked keyboard navigability
• Tested general usability, landmarks, page header structure, and links with a screen reader (such as Voiceover or ANDI)

As a code reviewer, I have

Reviewed, tested, and left feedback about the changes

• Pulled this branch locally and tested it
• Verified code meets all checks above. Address any checks that are not satisfied
• Reviewed this code and left comments. Indicate if comments must be addressed before code is merged
• Checked that all code is adequately covered by tests
• Verify migrations are valid and do not conflict with existing migrations

Validated user-facing changes as a developer

Note: Multiple code reviewers can share the checklists above, a second reviewer should not make a duplicate checklist. All checks should be checked before approving, even those labeled N/A.

• New pages have been added to .pa11yci file so that they will be tested with our automated accessibility testing
• Checked keyboard navigability
• Meets all designs and user flows provided by design/product
• Tested general usability, landmarks, page header structure, and links with a screen reader (such as Voiceover or ANDI)
• (Rarely needed) Tested as both an analyst and applicant user

As a designer reviewer, I have

Verified that the changes match the design intention

• Checked that the design translated visually
• Checked behavior. Comment any found issues or broken flows.
• Checked different states (empty, one, some, error)
• Checked for landmarks, page heading structure, and links

Validated user-facing changes as a designer

• Checked keyboard navigability
• Tested general usability, landmarks, page header structure, and links with a screen reader (such as Voiceover or ANDI)
• Tested with multiple browsers (check off which ones were used)
  • Chrome
  • Microsoft Edge
  • FireFox
  • Safari
• (Rarely needed) Tested as both an analyst and applicant user

References

• Code review best practices

Screenshots

[github-actions]

🥳 Successfully deployed to developer sandbox za.

[github-actions]

🥳 Successfully deployed to developer sandbox za.