feat(users): add read-only role and filter read-only users from user list

backend/data_tools/data/user_data.json5

@@ -393,6 +393,26 @@
         "POST_UPLOAD_DOCUMENT"
       ]
     },
+    { // 8 Read-Only
+      name: "READ_ONLY",
+      permissions: [
+        "GET_AGREEMENT",
+        "GET_BUDGET_LINE_ITEM",
+        "GET_SERVICES_COMPONENT",
+        "GET_BLI_PACKAGE",
+        "GET_CAN",
+        "GET_DIVISION",
+        "GET_NOTIFICATION",
+        "GET_PORTFOLIO",
+        "GET_RESEARCH_PROJECT",
+        "GET_USER",
+        "GET_HISTORY",
+        "GET_WORKFLOW",
+        "GET_CHANGE_REQUEST",
+        "GET_CHANGE_REQUEST_REVIEW",
+        "GET_UPLOAD_DOCUMENT"
+      ]
+    },
   ],
   ops_user: [
     { // 500
@@ -665,6 +685,15 @@
       oidc_id: "00000000-0000-1111-a111-000000000028",
       roles: [{"tablename":  "role", "id": 7}],
       status: "ACTIVE"
+    },
+    { // 529
+      first_name: "Read-Only",
+      last_name: "Randall",
+      division: 3,
+      email: "readonly.randall@email.com",
+      oidc_id: "00000000-0000-1111-a111-000000000029",
+      roles: [{"tablename":  "role", "id": 8}],
+      status: "ACTIVE"
     }
   ],
   notification: [

backend/data_tools/initial_data/003-role.sql

@@ -4,3 +4,4 @@ INSERT INTO ops.role (id, name, permissions, created_on, updated_on) VALUES (3,
 INSERT INTO ops.role (id, name, permissions, created_on, updated_on) VALUES (4, 'USER_ADMIN', '{POST_USER}', current_timestamp, current_timestamp);
 INSERT INTO ops.role (id, name, permissions, created_on, updated_on) VALUES (5, 'BUDGET_TEAM', '{GET_AGREEMENT,PUT_AGREEMENT,PATCH_AGREEMENT,POST_AGREEMENT,GET_BUDGET_LINE_ITEM,PUT_BUDGET_LINE_ITEM,PATCH_BUDGET_LINE_ITEM,POST_BUDGET_LINE_ITEM,GET_SERVICES_COMPONENT,PUT_SERVICES_COMPONENT,PATCH_SERVICES_COMPONENT,POST_SERVICES_COMPONENT,DELETE_SERVICES_COMPONENT,GET_BLI_PACKAGE,PUT_BLI_PACKAGE,PATCH_BLI_PACKAGE,POST_BLI_PACKAGE,GET_CAN,PUT_CAN,PATCH_CAN,POST_CAN,DELETE_CAN,GET_DIVISION,GET_NOTIFICATION,PUT_NOTIFICATION,PATCH_NOTIFICATION,GET_PORTFOLIO,PUT_PORTFOLIO,PATCH_PORTFOLIO,POST_PORTFOLIO,GET_RESEARCH_PROJECT,POST_RESEARCH_PROJECT,PUT_RESEARCH_PROJECT,PATCH_RESEARCH_PROJECT,POST_RESEARCH_PROJECT,GET_USER,PUT_USER,PATCH_USER,GET_HISTORY,GET_CHANGE_REQUEST,PUT_CHANGE_REQUEST,PATCH_CHANGE_REQUEST,POST_CHANGE_REQUEST,GET_CHANGE_REQUEST_REVIEW,PUT_CHANGE_REQUEST_REVIEW,PATCH_CHANGE_REQUEST_REVIEW,POST_CHANGE_REQUEST_REVIEW,GET_UPLOAD_DOCUMENT,POST_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp);
 INSERT INTO ops.role (id, name, permissions, created_on, updated_on) VALUES (6, 'PROCUREMENT_TEAM', '{GET_AGREEMENT, GET_BUDGET_LINE_ITEM, GET_SERVICES_COMPONENT, GET_BLI_PACKAGE, GET_CAN, GET_DIVISION, GET_NOTIFICATION, PUT_NOTIFICATION, PATCH_NOTIFICATION, GET_PORTFOLIO, GET_RESEARCH_PROJECT, GET_USER, PUT_USER, PATCH_USER, GET_HISTORY, GET_WORKFLOW, GET_CHANGE_REQUEST, GET_CHANGE_REQUEST_REVIEW, GET_UPLOAD_DOCUMENT, POST_UPLOAD_DOCUMENT, PATCH_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp);
+INSERT INTO ops.role (id, name, permissions, created_on, updated_on) VALUES (7, 'READ_ONLY', '{GET_AGREEMENT, GET_BUDGET_LINE_ITEM, GET_SERVICES_COMPONENT, GET_BLI_PACKAGE, GET_CAN, GET_DIVISION, GET_NOTIFICATION, GET_PORTFOLIO, GET_RESEARCH_PROJECT, GET_USER, GET_HISTORY, GET_WORKFLOW, GET_CHANGE_REQUEST, GET_CHANGE_REQUEST_REVIEW, GET_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp);

backend/data_tools/initial_data/004-role_version.sql

@@ -4,3 +4,4 @@ INSERT INTO ops.role_version (id, name, permissions, created_on, updated_on, tra
 INSERT INTO ops.role_version (id, name, permissions, created_on, updated_on, transaction_id, end_transaction_id, operation_type) VALUES (4, 'USER_ADMIN', '{POST_USER}', current_timestamp, current_timestamp, 1, null, 0);
 INSERT INTO ops.role_version (id, name, permissions, created_on, updated_on, transaction_id, end_transaction_id, operation_type) VALUES (5, 'BUDGET_TEAM', '{GET_AGREEMENT,PUT_AGREEMENT,PATCH_AGREEMENT,POST_AGREEMENT,GET_BUDGET_LINE_ITEM,PUT_BUDGET_LINE_ITEM,PATCH_BUDGET_LINE_ITEM,POST_BUDGET_LINE_ITEM,GET_SERVICES_COMPONENT,PUT_SERVICES_COMPONENT,PATCH_SERVICES_COMPONENT,POST_SERVICES_COMPONENT,DELETE_SERVICES_COMPONENT,GET_BLI_PACKAGE,PUT_BLI_PACKAGE,PATCH_BLI_PACKAGE,POST_BLI_PACKAGE,GET_CAN,PUT_CAN,PATCH_CAN,POST_CAN,DELETE_CAN,GET_DIVISION,GET_NOTIFICATION,PUT_NOTIFICATION,PATCH_NOTIFICATION,GET_PORTFOLIO,PUT_PORTFOLIO,PATCH_PORTFOLIO,POST_PORTFOLIO,GET_RESEARCH_PROJECT,POST_RESEARCH_PROJECT,PUT_RESEARCH_PROJECT,PATCH_RESEARCH_PROJECT,POST_RESEARCH_PROJECT,GET_USER,PUT_USER,PATCH_USER,GET_HISTORY,GET_CHANGE_REQUEST,PUT_CHANGE_REQUEST,PATCH_CHANGE_REQUEST,POST_CHANGE_REQUEST,GET_CHANGE_REQUEST_REVIEW,PUT_CHANGE_REQUEST_REVIEW,PATCH_CHANGE_REQUEST_REVIEW,POST_CHANGE_REQUEST_REVIEW,GET_UPLOAD_DOCUMENT,POST_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp, 1, null, 0);
 INSERT INTO ops.role_version (id, name, permissions, created_on, updated_on, transaction_id, end_transaction_id, operation_type) VALUES (6, 'PROCUREMENT_TEAM', '{GET_AGREEMENT, GET_BUDGET_LINE_ITEM, GET_SERVICES_COMPONENT, GET_BLI_PACKAGE, GET_CAN, GET_DIVISION, GET_NOTIFICATION, PUT_NOTIFICATION, PATCH_NOTIFICATION, GET_PORTFOLIO, GET_RESEARCH_PROJECT, GET_USER, PUT_USER, PATCH_USER, GET_HISTORY, GET_WORKFLOW, GET_CHANGE_REQUEST, GET_CHANGE_REQUEST_REVIEW, GET_UPLOAD_DOCUMENT, POST_UPLOAD_DOCUMENT, PATCH_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp, 1, null, 0);
+INSERT INTO ops.role_version (id, name, permissions, created_on, updated_on, transaction_id, end_transaction_id, operation_type) VALUES (7, 'READ_ONLY', '{GET_AGREEMENT, GET_BUDGET_LINE_ITEM, GET_SERVICES_COMPONENT, GET_BLI_PACKAGE, GET_CAN, GET_DIVISION, GET_NOTIFICATION, GET_PORTFOLIO, GET_RESEARCH_PROJECT, GET_USER, GET_HISTORY, GET_WORKFLOW, GET_CHANGE_REQUEST, GET_CHANGE_REQUEST_REVIEW, GET_UPLOAD_DOCUMENT}', current_timestamp, current_timestamp, 1, null, 0);

backend/ops_api/ops/services/users.py

@@ -76,6 +76,9 @@ def get_users(session: Session, **kwargs) -> list[User]:
     :param **kwargs: The criteria to filter the users by.
     :return: The users that match the criteria.
 
+    Business Rules:
+    - Users with READ_ONLY role are excluded from the response
+
     """
     stmt = select(User)
 
@@ -89,7 +92,10 @@ def get_users(session: Session, **kwargs) -> list[User]:
 
     users = session.execute(stmt).scalars().all()
 
-    return list(users)
+    # Filter out users with READ_ONLY role
+    filtered_users = [user for user in users if not any(role.name == "READ_ONLY" for role in user.roles)]
+
+    return filtered_users
 
 
 def create_user(session: Session, **kwargs) -> User:

backend/ops_api/tests/ops/users/test_users_get.py

@@ -167,6 +167,12 @@ def test_get_all_users(auth_client, loaded_db, app_ctx):
     assert response.json[0]["roles"] == get_expected_roles(expected_user)
     assert response.json[0]["is_superuser"] is False
 
+    # Verify READ_ONLY users are filtered out
+    user_ids = [user["id"] for user in response.json]
+    read_only_user = loaded_db.get(User, 529)  # Read-Only Randall
+    assert read_only_user is not None, "READ_ONLY user should exist in database"
+    assert read_only_user.id not in user_ids, "READ_ONLY user should be filtered from response"
+
 
 def test_get_all_users_by_id(auth_client, loaded_db, app_ctx):
     response = auth_client.get(url_for("api.users-group", id=500))