diff --git a/benefits/core/admin/claims.py b/benefits/core/admin/claims.py index 2a29eff8f..c65cd4c13 100644 --- a/benefits/core/admin/claims.py +++ b/benefits/core/admin/claims.py @@ -1,23 +1,39 @@ +from django.conf import settings from django.contrib import admin from benefits.core import models +from .users import is_staff_member_or_superuser @admin.register(models.ClaimsProvider) -class ClaimsProviderAdmin(admin.ModelAdmin): # pragma: no cover +class ClaimsProviderAdmin(admin.ModelAdmin): def get_exclude(self, request, obj=None): + fields = [] + if not request.user.is_superuser: - return ["client_id_secret_name"] - else: - return super().get_exclude(request, obj) + fields.extend(["client_id_secret_name"]) + + return fields or super().get_exclude(request, obj) def get_readonly_fields(self, request, obj=None): + fields = [] + if not request.user.is_superuser: - return [ - "sign_out_button_template", - "sign_out_link_template", - "authority", - "scheme", - ] + fields.extend( + [ + "sign_out_button_template", + "sign_out_link_template", + "authority", + "scheme", + ] + ) + + return fields or super().get_readonly_fields(request, obj) + + def has_add_permission(self, request): + if settings.RUNTIME_ENVIRONMENT() != settings.RUNTIME_ENVS.PROD: + return True + elif request.user and is_staff_member_or_superuser(request.user): + return True else: - return super().get_readonly_fields(request, obj) + return False diff --git a/tests/pytest/core/admin/test_claims.py b/tests/pytest/core/admin/test_claims.py new file mode 100644 index 000000000..c55f7ceba --- /dev/null +++ b/tests/pytest/core/admin/test_claims.py 
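Review bot: `has_add_permission` never calls `super().has_add_permission(request)`, so Django's per-model add permission is no longer consulted for ClaimsProvider, and its first branch returns True without looking at the user whenever `settings.RUNTIME_ENVIRONMENT()` is anything other than PROD. That comparison fails open: a misdetected or unexpected environment value grants add rights to any account that can reach the admin. If the bypass is meant only for known non-production environments, test for those explicitly and let every other value fall through to the user check, which can then collapse to `return bool(request.user) and is_staff_member_or_superuser(request.user)`. `is_staff_member_or_superuser` is imported from `.users`, outside this diff, so what it accepts cannot be confirmed here. A docstring stating who may add in each environment would make the intended policy reviewable.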
@@ -0,0 +1,62 @@
+import pytest
+
+from django.conf import settings
+from django.contrib import admin
+
+from benefits.core import models
+from benefits.core.admin.claims import ClaimsProviderAdmin
+
+
+@pytest.fixture
+def admin_model():
+ return ClaimsProviderAdmin(models.ClaimsProvider, admin.site)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+ "user_type,expected",
+ [("staff", ["client_id_secret_name"]), ("super", None)],
+)
+def test_get_exclude(admin_model, admin_user_request, user_type, expected):
+ request = admin_user_request(user_type)
+
+ exclude = admin_model.get_exclude(request)
+
+ if expected:
+ assert set(exclude) == set(expected)
+ else:
+ assert exclude is None
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+ "user_type,expected",
+ [
+ ("staff", ["sign_out_button_template", "sign_out_link_template", "authority", "scheme"]),
+ ("super", ()),
+ ],
+)
+def test_get_readonly_fields(admin_model, admin_user_request, user_type, expected):
+ request = admin_user_request(user_type)
+
+ readonly = admin_model.get_readonly_fields(request)
+
+ assert set(readonly) == set(expected)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+ "runtime_env,user_type,expected",
+ [
+ (settings.RUNTIME_ENVS.PROD, "staff", True),
+ (settings.RUNTIME_ENVS.PROD, "super", True),
+ (settings.RUNTIME_ENVS.DEV, "staff", True),
+ (settings.RUNTIME_ENVS.DEV, "super", True),
+ ],
+)
+def test_has_add_permission(admin_model, admin_user_request, settings, runtime_env, user_type, expected):
+ settings.RUNTIME_ENVIRONMENT = lambda: runtime_env
+
+ request = admin_user_request(user_type)
+
+ assert admin_model.has_add_permission(request) == expected
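Review bot: Every row in the `test_has_add_permission` parametrization expects True, so the `return False` branch of `has_add_permission` is never exercised and the test would still pass if the method granted add rights unconditionally. For a permission check the denial case is the one worth pinning: add a PROD row for a user that should be rejected, for example `(settings.RUNTIME_ENVS.PROD, "<user type without staff membership>", False)`. That user type is a placeholder, because `admin_user_request` is defined outside this diff and the types it supports are not visible here. Separately, the `settings` fixture argument shadows the module-level `from django.conf import settings` that the decorator uses, which is easy to misread.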