tethysplatform · sdc50 · Oct 30, 2024 · Oct 28, 2024 · Oct 28, 2024 · Oct 28, 2024
diff --git a/tests/unit_tests/test_tethys_apps/test_utilities.py b/tests/unit_tests/test_tethys_apps/test_utilities.py
@@ -858,16 +858,36 @@ def test_user_can_access_app(self, mock_settings):
         result1 = utilities.user_can_access_app(user, app)
         self.assertFalse(result1)
 
+        # test restricted access with restricted apps list
+        mock_settings.ENABLE_RESTRICTED_APP_ACCESS = [app.package]
+        result2 = utilities.user_can_access_app(user, app)
+        self.assertFalse(result2)
+
+        # test restricted access with no restricted apps list
+        mock_settings.ENABLE_RESTRICTED_APP_ACCESS = []
+        result3 = utilities.user_can_access_app(user, app)
+        self.assertTrue(result3)
+
+        # test restricted access with restricted apps list of a different app
+        mock_settings.ENABLE_RESTRICTED_APP_ACCESS = ["some_other_app"]
+        result4 = utilities.user_can_access_app(user, app)
+        self.assertTrue(result4)
+
         # test with permission
         assign_perm(f"{app.package}:access_app", user, app)
 
-        result2 = utilities.user_can_access_app(user, app)
-        self.assertTrue(result2)
+        result5 = utilities.user_can_access_app(user, app)
+        self.assertTrue(result5)
 
         # test open portal mode case
         mock_settings.ENABLE_OPEN_PORTAL = True
-        result3 = utilities.user_can_access_app(user, app)
-        self.assertTrue(result3)
+        result6 = utilities.user_can_access_app(user, app)
+        self.assertTrue(result6)
+
+        # test restricted access with restricted apps list
+        mock_settings.ENABLE_RESTRICTED_APP_ACCESS = [app.package]
+        result7 = utilities.user_can_access_app(user, app)
+        self.assertTrue(result7)
 
     def test_get_installed_tethys_items_apps(self):
         # Get list of apps installed in the tethysapp directory

diff --git a/tethys_apps/utilities.py b/tethys_apps/utilities.py
@@ -586,10 +586,17 @@ def get_service_model_from_type(service_type):
 def user_can_access_app(user, app):
     from django.conf import settings
 
+    RESTRICTED_APP_ACCESS = getattr(settings, "ENABLE_RESTRICTED_APP_ACCESS", False)
+
     if getattr(settings, "ENABLE_OPEN_PORTAL", False):
         return True
-    elif getattr(settings, "ENABLE_RESTRICTED_APP_ACCESS", False):
-        return user.has_perm(f"{app.package}:access_app", app)
+    elif RESTRICTED_APP_ACCESS:
+        if isinstance(RESTRICTED_APP_ACCESS, bool):
+            return user.has_perm(f"{app.package}:access_app", app)
+        elif app.package in RESTRICTED_APP_ACCESS:
+            return user.has_perm(f"{app.package}:access_app", app)
+        else:
+            return True
     else:
         return True
 

diff --git a/tethys_portal/settings.py b/tethys_portal/settings.py
@@ -82,7 +82,8 @@
 # Set to True to allow Open Portal mode. This mode supersedes any specific user/group app access permissions
 ENABLE_OPEN_PORTAL = TETHYS_PORTAL_CONFIG.pop("ENABLE_OPEN_PORTAL", False)
 
-# Set to True to allow Open Portal mode. This mode supersedes any specific user/group app access permissions
+# Set to True to allow restricted app access. This mode removes access to apps for nonadmins unless given explicit permission.
+# A list can also be provided to restrict specific applications unless users are given explicit permission
 ENABLE_RESTRICTED_APP_ACCESS = TETHYS_PORTAL_CONFIG.pop(
     "ENABLE_RESTRICTED_APP_ACCESS", False
 )