feat(admin): field/add permissions for Claims models

cal-itp · Feb 6, 2025 · 19c2767 · 19c2767
1 parent 2e58870
commit 19c2767
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 11 deletions.
diff --git a/benefits/core/admin/claims.py b/benefits/core/admin/claims.py
@@ -1,23 +1,39 @@
+from django.conf import settings
 from django.contrib import admin
 
 from benefits.core import models
+from .users import is_staff_member_or_superuser
 
 
 @admin.register(models.ClaimsProvider)
-class ClaimsProviderAdmin(admin.ModelAdmin):  # pragma: no cover
+class ClaimsProviderAdmin(admin.ModelAdmin):
     def get_exclude(self, request, obj=None):
+        fields = []
+
         if not request.user.is_superuser:
-            return ["client_id_secret_name"]
-        else:
-            return super().get_exclude(request, obj)
+            fields.extend(["client_id_secret_name"])
+
+        return fields or super().get_exclude(request, obj)
 
     def get_readonly_fields(self, request, obj=None):
+        fields = []
+
         if not request.user.is_superuser:
-            return [
-                "sign_out_button_template",
-                "sign_out_link_template",
-                "authority",
-                "scheme",
-            ]
+            fields.extend(
+                [
+                    "sign_out_button_template",
+                    "sign_out_link_template",
+                    "authority",
+                    "scheme",
+                ]
+            )
+
+        return fields or super().get_readonly_fields(request, obj)
+
+    def has_add_permission(self, request):
+        if settings.RUNTIME_ENVIRONMENT() != settings.RUNTIME_ENVS.PROD:
+            return True
+        elif request.user and is_staff_member_or_superuser(request.user):
+            return True
         else:
-            return super().get_readonly_fields(request, obj)
+            return False
diff --git a/tests/pytest/core/admin/test_claims.py b/tests/pytest/core/admin/test_claims.py
@@ -0,0 +1,62 @@
+import pytest
+
+from django.conf import settings
+from django.contrib import admin
+
+from benefits.core import models
+from benefits.core.admin.claims import ClaimsProviderAdmin
+
+
+@pytest.fixture
+def admin_model():
+    return ClaimsProviderAdmin(models.ClaimsProvider, admin.site)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "user_type,expected",
+    [("staff", ["client_id_secret_name"]), ("super", None)],
+)
+def test_get_exclude(admin_model, admin_user_request, user_type, expected):
+    request = admin_user_request(user_type)
+
+    exclude = admin_model.get_exclude(request)
+
+    if expected:
+        assert set(exclude) == set(expected)
+    else:
+        assert exclude is None
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "user_type,expected",
+    [
+        ("staff", ["sign_out_button_template", "sign_out_link_template", "authority", "scheme"]),
+        ("super", ()),
+    ],
+)
+def test_get_readonly_fields(admin_model, admin_user_request, user_type, expected):
+    request = admin_user_request(user_type)
+
+    readonly = admin_model.get_readonly_fields(request)
+
+    assert set(readonly) == set(expected)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "runtime_env,user_type,expected",
+    [
+        (settings.RUNTIME_ENVS.PROD, "staff", True),
+        (settings.RUNTIME_ENVS.PROD, "super", True),
+        (settings.RUNTIME_ENVS.DEV, "staff", True),
+        (settings.RUNTIME_ENVS.DEV, "super", True),
+    ],
+)
+def test_has_add_permission(admin_model, admin_user_request, settings, runtime_env, user_type, expected):
+    settings.RUNTIME_ENVIRONMENT = lambda: runtime_env
+
+    request = admin_user_request(user_type)
+
+    assert admin_model.has_add_permission(request) == expected