diff --git a/benefits/core/admin.py b/benefits/core/admin.py
index ed707c8f7..2f5d2d28e 100644
--- a/benefits/core/admin.py
+++ b/benefits/core/admin.py
@@ -29,6 +29,17 @@ def get_exclude(self, request, obj=None):
 else:
 return super().get_exclude(request, obj)
+ def get_readonly_fields(self, request, obj=None):
+ if not request.user.is_superuser:
+ return [
+ "sign_out_button_template",
+ "sign_out_link_template",
+ "authority",
+ "scheme",
+ ]
+ else:
+ return super().get_readonly_fields(request, obj)
+
 @admin.register(models.EligibilityType)
 class EligibilityTypeAdmin(admin.ModelAdmin): # pragma: no cover
@@ -38,6 +49,16 @@ def get_exclude(self, request, obj=None):
 else:
 return super().get_exclude(request, obj)
+ def get_readonly_fields(self, request, obj=None):
+ if not request.user.is_superuser:
+ return [
+ "enrollment_index_template",
+ "reenrollment_error_template",
+ "enrollment_success_template",
+ ]
+ else:
+ return super().get_readonly_fields(request, obj)
+
 @admin.register(models.EligibilityVerifier)
 class SortableEligibilityVerifierAdmin(SortableAdminMixin, admin.ModelAdmin): # pragma: no cover
@@ -55,6 +76,19 @@ def get_exclude(self, request, obj=None):
 else:
 return super().get_exclude(request, obj)
+ def get_readonly_fields(self, request, obj=None):
+ if not request.user.is_superuser:
+ return [
+ "api_url",
+ "auth_provider",
+ "selection_label_template",
+ "start_template",
+ "unverified_template",
+ "help_template",
+ ]
+ else:
+ return super().get_readonly_fields(request, obj)
+
 @admin.register(models.PaymentProcessor)
 class PaymentProcessorAdmin(admin.ModelAdmin): # pragma: no cover
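Review bot: For non-superusers the new `get_readonly_fields` returns a fixed list and never consults `super().get_readonly_fields(request, obj)`, so any `readonly_fields` declared on the admin class (not visible in this hunk) would be read-only for superusers yet editable for staff. Building on the base value keeps the two paths consistent: `return [*super().get_readonly_fields(request, obj), "sign_out_button_template", "sign_out_link_template", "authority", "scheme"]`. The same pattern appears in the four other `get_readonly_fields` hunks of this file. The enclosing class starts outside the hunk.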
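Review bot: This `get_readonly_fields` is what keeps staff with the new change permission away from the enrollment template fields, yet the admin classes visible in this diff carry `# pragma: no cover`, so the branch is excluded from coverage reporting. A small test that calls the method with a superuser and a non-superuser request and asserts the returned names would pin the behaviour for each admin class. The method also has no docstring; something like `"""Lock template fields for non-superusers; superusers keep the ModelAdmin default."""` would record the intent. The class header for this method sits outside the hunk.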
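Review bot: The list returned for non-superusers here is a denylist, so any field later added to the model (presumably `EligibilityVerifier`, whose admin header precedes this hunk) becomes staff-editable by default unless it is also added to this list or to `get_exclude`. Deriving the read-only set from the fields staff may edit fails closed instead, for example `return [f.name for f in self.model._meta.fields if f.name not in STAFF_EDITABLE]`, where `STAFF_EDITABLE` is a placeholder for a class-level set the project would define. If the denylist is kept, a comment such as `# every field not listed here or in get_exclude is editable by staff` would make the default explicit. The same applies to the other four `get_readonly_fields` hunks.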
@@ -68,6 +102,16 @@ def get_exclude(self, request, obj=None):
 else:
 return super().get_exclude(request, obj)
+ def get_readonly_fields(self, request, obj=None):
+ if not request.user.is_superuser:
+ return [
+ "card_tokenize_url",
+ "card_tokenize_func",
+ "card_tokenize_env",
+ ]
+ else:
+ return super().get_readonly_fields(request, obj)
+
 @admin.register(models.TransitAgency)
 class TransitAgencyAdmin(admin.ModelAdmin): # pragma: no cover
@@ -81,6 +125,17 @@ def get_exclude(self, request, obj=None):
 else:
 return super().get_exclude(request, obj)
+ def get_readonly_fields(self, request, obj=None):
+ if not request.user.is_superuser:
+ return [
+ "agency_id",
+ "payment_processor",
+ "index_template",
+ "eligibility_index_template",
+ ]
+ else:
+ return super().get_readonly_fields(request, obj)
+
 def pre_login_user(user, request):
 logger.debug(f"Running pre-login callback for user: {user.username}")
diff --git a/benefits/core/migrations/0015_staff_group_edit_permissions.py b/benefits/core/migrations/0015_staff_group_edit_permissions.py
new file mode 100644
index 000000000..86bcab393
--- /dev/null
+++ b/benefits/core/migrations/0015_staff_group_edit_permissions.py
@@ -0,0 +1,30 @@
+# Generated by Django 5.0.6 on 2024-07-16 23:08
+
+from django.db import migrations
+
+
+def add_edit_permissions(apps, schema_editor):
+ Group = apps.get_model("auth", "Group")
+ staff_group = Group.objects.get(name="Cal-ITP")
+
+ Permission = apps.get_model("auth", "Permission")
+ permission_names = [
+ "Can change auth provider",
+ "Can change eligibility type",
+ "Can change eligibility verifier",
+ "Can change payment processor",
+ "Can change transit agency",
+ ]
+
+ for name in permission_names:
+ edit_permission = Permission.objects.get(name=name)
+ staff_group.permissions.add(edit_permission)
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("core", "0014_staff_group_view_permissions"),
+ ]
+
+ operations = [migrations.RunPython(add_edit_permissions)]
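Review bot: `Permission.objects.get(name=name)` in `add_edit_permissions` selects permissions by display name, which Django does not constrain to be unique (the unique key is content type plus codename). The lookup can therefore raise `MultipleObjectsReturned`, or attach a same-named permission from another app to the `Cal-ITP` group. Looking up by `content_type__app_label="core"` and codename pins the grant to the intended models. `RunPython` is also given no reverse callable, so the grant cannot be rolled back with the migration; the sketch below adds one. The codenames in it assume Django's default `change_<model>` naming and should be confirmed against the project's models.

```python
# Codenames assume Django's default change_<model> naming; confirm before merging.
EDIT_CODENAMES = [
    "change_authprovider",
    "change_eligibilitytype",
    "change_eligibilityverifier",
    "change_paymentprocessor",
    "change_transitagency",
]


def _edit_permissions(apps):
    # Scope the lookup to the core app so a same-named permission elsewhere is never granted.
    Permission = apps.get_model("auth", "Permission")
    return [Permission.objects.get(content_type__app_label="core", codename=c) for c in EDIT_CODENAMES]


def add_edit_permissions(apps, schema_editor):
    # … unchanged: Group lookup for "Cal-ITP" …
    staff_group.permissions.add(*_edit_permissions(apps))


def remove_edit_permissions(apps, schema_editor):
    Group = apps.get_model("auth", "Group")
    staff_group = Group.objects.get(name="Cal-ITP")
    staff_group.permissions.remove(*_edit_permissions(apps))


# … unchanged: Migration class and dependencies …
    operations = [migrations.RunPython(add_edit_permissions, remove_edit_permissions)]
```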