improve permissions setup to avoid triggering indexation

samonaisi · samonaisi · commit b0af65681abc · 2024-12-06T14:57:08.000+01:00
diff --git a/apps/accounts/models.py b/apps/accounts/models.py
@@ -215,18 +215,18 @@ def setup_permissions(
         self, user: Optional["ProjectUser"] = None, trigger_indexation: bool = True
     ):
         """Setup the group with default permissions."""
-        managers = self.setup_group_permissions(
+        managers = self.setup_group_object_permissions(
             self.get_managers(), self.get_default_managers_permissions()
         )
-        members = self.setup_group_permissions(
+        members = self.setup_group_object_permissions(
             self.get_members(), self.get_default_members_permissions()
         )
-        leaders = self.setup_group_permissions(
+        leaders = self.setup_group_object_permissions(
             self.get_leaders(), self.get_default_leaders_permissions()
         )
         if user:
             managers.users.add(user)
-        self.groups.add(managers, members, leaders)
+        self.groups.set([managers, members, leaders])
         if trigger_indexation:
             self.permissions_up_to_date = True
             self.save(update_fields=["permissions_up_to_date"])
diff --git a/apps/commons/models.py b/apps/commons/models.py
@@ -86,7 +86,7 @@ class PermissionsSetupModel(models.Model):
 
     permissions_up_to_date = models.BooleanField(default=False)
 
-    def setup_group_permissions(
+    def setup_group_object_permissions(
         self, group: Group, permissions: QuerySet[str]
     ) -> Group:
         current_role_permissions = Permission.objects.filter(
@@ -100,6 +100,18 @@ def setup_group_permissions(
             remove_perm(permission, group, self)
         return group
 
+    def setup_group_global_permissions(
+        self, group: Group, permissions: QuerySet[str]
+    ) -> Group:
+        current_role_permissions = group.permissions.all()
+        permissions_to_remove = current_role_permissions.difference(permissions)
+        permissions_to_add = permissions.difference(current_role_permissions)
+        for permission in permissions_to_add:
+            assign_perm(permission, group)
+        for permission in permissions_to_remove:
+            remove_perm(permission, group)
+        return group
+
     def setup_permissions(
         self, user: Optional["ProjectUser"] = None, trigger_indexation: bool = True
     ):
diff --git a/apps/deploys/tasks.py b/apps/deploys/tasks.py
@@ -1,5 +1,5 @@
 from django.core.management import call_command
-from guardian.shortcuts import assign_perm
+from guardian.shortcuts import assign_perm, remove_perm
 
 from apps.accounts.utils import (
     get_default_group,
@@ -31,15 +31,36 @@ def base_groups_permissions():
     - Default group
     - Superadmins group
     """
+
+    # Default group
     default_group = get_default_group()
-    default_group.permissions.clear()
-    for permission in get_default_group_permissions():
+    default_group_permissions = get_default_group_permissions()
+    current_default_group_permissions = default_group.permissions.all()
+    default_group_permissions_to_remove = current_default_group_permissions.difference(
+        default_group_permissions
+    )
+    default_group_permissions_to_add = default_group_permissions.difference(
+        current_default_group_permissions
+    )
+    for permission in default_group_permissions_to_add:
         assign_perm(permission, default_group)
+    for permission in default_group_permissions_to_remove:
+        remove_perm(permission, default_group)
 
+    # Superadmins group
     superadmins_group = get_superadmins_group()
-    superadmins_group.permissions.clear()
-    for permission in get_superadmins_group_permissions():
+    superadmins_group_permissions = get_superadmins_group_permissions()
+    current_superadmins_group_permissions = superadmins_group.permissions.all()
+    superadmins_group_permissions_to_remove = (
+        current_superadmins_group_permissions.difference(superadmins_group_permissions)
+    )
+    superadmins_group_permissions_to_add = superadmins_group_permissions.difference(
+        current_superadmins_group_permissions
+    )
+    for permission in superadmins_group_permissions_to_add:
         assign_perm(permission, superadmins_group)
+    for permission in superadmins_group_permissions_to_remove:
+        remove_perm(permission, superadmins_group)
 
 
 @app.task
diff --git a/apps/organizations/models.py b/apps/organizations/models.py
@@ -7,7 +7,6 @@
 from django.db import models
 from django.db.models import QuerySet
 from django.http import Http404
-from guardian.shortcuts import assign_perm
 from simple_history.models import HistoricalRecords
 
 from apps.commons.models import Language, OrganizationRelated, PermissionsSetupModel
@@ -243,6 +242,18 @@ def get_related_organizations(self) -> List["Organization"]:
     def get_default_admins_permissions(self) -> QuerySet[Permission]:
         return Permission.objects.filter(content_type=self.content_type)
 
+    def get_global_admins_permissions(self) -> QuerySet[Permission]:
+        return Permission.objects.filter(
+            codename__in=[
+                "get_user_by_email",
+                # TODO: remove that when we have a better way to handle permissions
+                "add_projectuser",
+                "change_projectuser",
+                "delete_projectuser",
+            ],
+            content_type__app_label="accounts",
+        )
+
     def get_default_facilitators_permissions(self) -> QuerySet[Permission]:
         excluded_permissions = [
             "manage_accessrequest",
@@ -279,24 +290,22 @@ def setup_permissions(
         self, user: Optional["ProjectUser"] = None, trigger_indexation: bool = True
     ):
         """Setup the group with default permissions."""
-        admins = self.setup_group_permissions(
+        admins = self.setup_group_object_permissions(
             self.get_admins(), self.get_default_admins_permissions()
         )
-        assign_perm("accounts.get_user_by_email", admins)
-        # TODO: remove that when we have a better way to handle permissions
-        assign_perm("accounts.add_projectuser", admins)
-        assign_perm("accounts.change_projectuser", admins)
-        assign_perm("accounts.delete_projectuser", admins)
-        facilitators = self.setup_group_permissions(
+        admins = self.setup_group_global_permissions(
+            admins, self.get_global_admins_permissions()
+        )
+        facilitators = self.setup_group_object_permissions(
             self.get_facilitators(), self.get_default_facilitators_permissions()
         )
-        users = self.setup_group_permissions(
+        users = self.setup_group_object_permissions(
             self.get_users(), self.get_default_users_permissions()
         )
 
         if user:
             admins.users.add(user)
-        self.groups.add(admins, facilitators, users)
+        self.groups.set([admins, facilitators, users])
         if trigger_indexation:
             self.permissions_up_to_date = True
             self.save(update_fields=["permissions_up_to_date"])
diff --git a/apps/projects/models.py b/apps/projects/models.py
@@ -411,22 +411,22 @@ def setup_permissions(
         self, user: Optional["ProjectUser"] = None, trigger_indexation: bool = True
     ):
         """Setup the group with default permissions."""
-        reviewers = self.setup_group_permissions(
+        reviewers = self.setup_group_object_permissions(
             self.get_reviewers(), self.get_default_reviewers_permissions()
         )
-        owners = self.setup_group_permissions(
+        owners = self.setup_group_object_permissions(
             self.get_owners(), self.get_default_owners_permissions()
         )
-        members = self.setup_group_permissions(
+        members = self.setup_group_object_permissions(
             self.get_members(), self.get_default_members_permissions()
         )
-        people_groups = self.setup_group_permissions(
+        people_groups = self.setup_group_object_permissions(
             self.get_people_groups(), self.get_default_members_permissions()
         )
 
         if user:
             owners.users.add(user)
-        self.groups.add(owners, reviewers, members, people_groups)
+        self.groups.set([owners, reviewers, members, people_groups])
         if trigger_indexation:
             self.permissions_up_to_date = True
             self.save(update_fields=["permissions_up_to_date"])
