cisagov · zandercymatics · Nov 21, 2024 · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -2924,6 +2924,7 @@ document.addEventListener("DOMContentLoaded", () => {
   const select = document.getElementById(`id_${formPrefix}-sub_organization`);
   const suborgContainer = document.getElementById("suborganization-container");
   const suborgDetailsContainer = document.getElementById("suborganization-container__details");
+  const otherContent = document.getElementById("bubblegum")?.value;
   if (!radios || !select || !suborgContainer || !suborgDetailsContainer) return;
 
   // requestingSuborganization: This just broadly determines if they're requesting a suborg at all
@@ -2940,7 +2941,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   // Add fake "other" option to sub_organization select
   if (select && !Array.from(select.options).some(option => option.value === "other")) {
-    select.add(new Option("Other (enter your organization manually)", "other"));
+    select.add(new Option(otherContent, "other"));
   }
 
   if (requestingNewSuborganization.value === "True") {

@@ -10,18 +10,21 @@
 from .domain_invitation import DomainInvitation
 from .user_domain_role import UserDomainRole
 from .public_contact import PublicContact
+
+# IMPORTANT: UserPortfolioPermission must be before PortfolioInvitation.
+# PortfolioInvitation imports from UserPortfolioPermission, so you will get a circular import otherwise.
+from .user_portfolio_permission import UserPortfolioPermission
+from .portfolio_invitation import PortfolioInvitation
 from .user import User
 from .user_group import UserGroup
 from .website import Website
 from .transition_domain import TransitionDomain
 from .verified_by_staff import VerifiedByStaff
 from .waffle_flag import WaffleFlag
-from .portfolio_invitation import PortfolioInvitation
 from .portfolio import Portfolio
 from .domain_group import DomainGroup
 from .suborganization import Suborganization
 from .senior_official import SeniorOfficial
-from .user_portfolio_permission import UserPortfolioPermission
 from .allowed_email import AllowedEmail
 
 

@@ -1,16 +1,18 @@
 """People are invited by email to administer domains."""
 
 import logging
-from django.contrib.auth import get_user_model
 from django.db import models
 from django_fsm import FSMField, transition
-from registrar.models.domain_invitation import DomainInvitation
-from registrar.models.user_portfolio_permission import UserPortfolioPermission
-from .utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices  # type: ignore
+from django.contrib.auth import get_user_model
+from registrar.models import DomainInvitation, UserPortfolioPermission
+from .utility.portfolio_helper import (
+    UserPortfolioPermissionChoices,
+    UserPortfolioRoleChoices,
+    validate_portfolio_invitation,
+)  # type: ignore
 from .utility.time_stamped_model import TimeStampedModel
 from django.contrib.postgres.fields import ArrayField
 
-
 logger = logging.getLogger(__name__)
 
 
@@ -108,3 +110,8 @@ def retrieve(self):
         if self.additional_permissions and len(self.additional_permissions) > 0:
             user_portfolio_permission.additional_permissions = self.additional_permissions
         user_portfolio_permission.save()
+
+    def clean(self):
+        """Extends clean method to perform additional validation, which can raise errors in django admin."""
+        super().clean()
+        validate_portfolio_invitation(self)
@@ -1,15 +1,13 @@
 import logging
 
-from django.apps import apps
 from django.contrib.auth.models import AbstractUser
 from django.db import models
 from django.db.models import Q
 
-from registrar.models import DomainInformation, UserDomainRole
+from registrar.models import DomainInformation, UserDomainRole, PortfolioInvitation, UserPortfolioPermission
 from registrar.models.utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices
 
 from .domain_invitation import DomainInvitation
-from .portfolio_invitation import PortfolioInvitation
 from .transition_domain import TransitionDomain
 from .verified_by_staff import VerifiedByStaff
 from .domain import Domain
@@ -498,8 +496,6 @@ def get_active_requests_count_in_portfolio(self, request):
     def is_only_admin_of_portfolio(self, portfolio):
         """Check if the user is the only admin of the given portfolio."""
 
-        UserPortfolioPermission = apps.get_model("registrar", "UserPortfolioPermission")
-
         admin_permission = UserPortfolioRoleChoices.ORGANIZATION_ADMIN
 
         admins = UserPortfolioPermission.objects.filter(portfolio=portfolio, roles__contains=[admin_permission])

@@ -1,8 +1,10 @@
 from django.db import models
-from django.forms import ValidationError
-from registrar.models.user_domain_role import UserDomainRole
-from registrar.utility.waffle import flag_is_active_for_user
-from registrar.models.utility.portfolio_helper import UserPortfolioPermissionChoices, UserPortfolioRoleChoices
+from registrar.models import UserDomainRole
+from registrar.models.utility.portfolio_helper import (
+    UserPortfolioPermissionChoices,
+    UserPortfolioRoleChoices,
+    validate_user_portfolio_permission,
+)
 from .utility.time_stamped_model import TimeStampedModel
 from django.contrib.postgres.fields import ArrayField
 
@@ -17,18 +19,29 @@ class Meta:
         UserPortfolioRoleChoices.ORGANIZATION_ADMIN: [
             UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
             UserPortfolioPermissionChoices.VIEW_ALL_REQUESTS,
-            UserPortfolioPermissionChoices.EDIT_REQUESTS,
+            UserPortfolioPermissionChoices.VIEW_MEMBERS,
             UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
             UserPortfolioPermissionChoices.EDIT_PORTFOLIO,
             # Domain: field specific permissions
             UserPortfolioPermissionChoices.VIEW_SUBORGANIZATION,
             UserPortfolioPermissionChoices.EDIT_SUBORGANIZATION,
         ],
+        # NOTE: We currently forbid members from posessing view_members or view_all_domains.
+        # If those are added here, clean() will throw errors.
         UserPortfolioRoleChoices.ORGANIZATION_MEMBER: [
             UserPortfolioPermissionChoices.VIEW_PORTFOLIO,
         ],
     }
 
+    # Determines which roles are forbidden for certain role types to possess.
+    FORBIDDEN_PORTFOLIO_ROLE_PERMISSIONS = {
+        UserPortfolioRoleChoices.ORGANIZATION_MEMBER: [
+            UserPortfolioPermissionChoices.VIEW_MEMBERS,
+            UserPortfolioPermissionChoices.EDIT_MEMBERS,
+            UserPortfolioPermissionChoices.VIEW_ALL_DOMAINS,
+        ],
+    }
+
     user = models.ForeignKey(
         "registrar.User",
         null=False,
@@ -106,30 +119,25 @@ def get_portfolio_permissions(cls, roles, additional_permissions):
             portfolio_permissions.update(additional_permissions)
         return list(portfolio_permissions)
 
+    @classmethod
+    def get_forbidden_permissions(cls, roles, additional_permissions):
+        """Some permissions are forbidden for certain roles, like member.
+        This checks for conflicts between the role and additional_permissions."""
+
+        # Get intersection of forbidden permissions across all roles.
+        # This is because if you have roles ["admin", "member"], then they can have the
+        # so called "forbidden" ones. But just member on their own cannot.
+        # The solution to this is to only grab what is only COMMONLY "forbidden".
+        # This will scale if we add more roles in the future.
+        common_forbidden_perms = set.intersection(
+            *(set(cls.FORBIDDEN_PORTFOLIO_ROLE_PERMISSIONS.get(role, [])) for role in roles)
+        )
+
+        # Check if the users current permissions overlap with any forbidden permissions
+        portfolio_permissions = set(cls.get_portfolio_permissions(roles, additional_permissions))
+        return portfolio_permissions & common_forbidden_perms
+
     def clean(self):
         """Extends clean method to perform additional validation, which can raise errors in django admin."""
         super().clean()
-
-        # Check if portfolio is set without accessing the related object.
-        has_portfolio = bool(self.portfolio_id)
-        if not has_portfolio and self._get_portfolio_permissions():
-            raise ValidationError("When portfolio roles or additional permissions are assigned, portfolio is required.")
-
-        if has_portfolio and not self._get_portfolio_permissions():
-            raise ValidationError("When portfolio is assigned, portfolio roles or additional permissions are required.")
-
-        # Check if a user is set without accessing the related object.
-        has_user = bool(self.user_id)
-        if has_user:
-            existing_permission_pks = UserPortfolioPermission.objects.filter(user=self.user).values_list(
-                "pk", flat=True
-            )
-            if (
-                not flag_is_active_for_user(self.user, "multiple_portfolios")
-                and existing_permission_pks.exists()
-                and self.pk not in existing_permission_pks
-            ):
-                raise ValidationError(
-                    "This user is already assigned to a portfolio. "
-                    "Based on current waffle flag settings, users cannot be assigned to multiple portfolios."
-                )
+        validate_user_portfolio_permission(self)
@@ -1,4 +1,8 @@
 from django.db import models
+from django.apps import apps
+from django.forms import ValidationError
+from registrar.utility.waffle import flag_is_active_for_user
+from django.contrib.auth import get_user_model
 
 
 class UserPortfolioRoleChoices(models.TextChoices):
@@ -40,3 +44,130 @@ def get_user_portfolio_permission_label(cls, user_portfolio_permission):
     @classmethod
     def to_dict(cls):
         return {key: value.value for key, value in cls.__members__.items()}
+
+
+def validate_user_portfolio_permission(user_portfolio_permission):
+    """
+    Validates a UserPortfolioPermission instance. Located in portfolio_helper to avoid circular imports
+    between PortfolioInvitation and UserPortfolioPermission models.
+
+    Used in UserPortfolioPermission.clean() for model validation.
+
+    Validates:
+    1. A portfolio must be assigned if roles or additional permissions are specified, and vice versa.
+    2. Assigned roles do not include any forbidden permissions.
+    3. If the 'multiple_portfolios' flag is inactive for the user,
+    they must not have existing portfolio permissions or invitations.
+
+    Raises:
+        ValidationError: If any of the validation rules are violated.
+    """
+    PortfolioInvitation = apps.get_model("registrar.PortfolioInvitation")
+    UserPortfolioPermission = apps.get_model("registrar.UserPortfolioPermission")
+
+    has_portfolio = bool(user_portfolio_permission.portfolio_id)
+    portfolio_permissions = set(user_portfolio_permission._get_portfolio_permissions())
+
+    # == Validate required fields == #
+    if not has_portfolio and portfolio_permissions:
+        raise ValidationError("When portfolio roles or additional permissions are assigned, portfolio is required.")
+
+    if has_portfolio and not portfolio_permissions:
+        raise ValidationError("When portfolio is assigned, portfolio roles or additional permissions are required.")
+
+    # == Validate role permissions. Compares existing permissions to forbidden ones. == #
+    roles = user_portfolio_permission.roles if user_portfolio_permission.roles is not None else []
+    bad_perms = user_portfolio_permission.get_forbidden_permissions(
+        user_portfolio_permission.roles, user_portfolio_permission.additional_permissions
+    )
+    if bad_perms:
+        readable_perms = [
+            UserPortfolioPermissionChoices.get_user_portfolio_permission_label(perm) for perm in bad_perms
+        ]
+        readable_roles = [UserPortfolioRoleChoices.get_user_portfolio_role_label(role) for role in roles]
+        raise ValidationError(
+            f"These permissions cannot be assigned to {', '.join(readable_roles)}: <{', '.join(readable_perms)}>"
+        )
+
+    if not flag_is_active_for_user(user_portfolio_permission.user, "multiple_portfolios"):
+        existing_permissions = UserPortfolioPermission.objects.exclude(id=user_portfolio_permission.id).filter(
+            user=user_portfolio_permission.user
+        )
+
+        existing_invitations = PortfolioInvitation.objects.filter(email=user_portfolio_permission.user.email)
+
+        if existing_permissions.exists():
+            raise ValidationError(
+                "This user is already assigned to a portfolio. "
+                "Based on current waffle flag settings, users cannot be assigned to multiple portfolios."
+            )
+
+        if existing_invitations.exists():
+            raise ValidationError(
+                "This user is already assigned to a portfolio invitation. "
+                "Based on current waffle flag settings, users cannot be assigned to multiple portfolios."
+            )
+
+
+def validate_portfolio_invitation(portfolio_invitation):
+    """
+    Validates a PortfolioInvitation instance. Located in portfolio_helper to avoid circular imports
+    between PortfolioInvitation and UserPortfolioPermission models.
+
+    Used in PortfolioInvitation.clean() for model validation.
+
+    Validates:
+    1. A portfolio must be assigned if roles or additional permissions are specified, and vice versa.
+    2. Assigned roles do not include any forbidden permissions.
+    3. If the 'multiple_portfolios' flag is inactive for the user,
+    they must not have existing portfolio permissions or invitations.
+
+    Raises:
+        ValidationError: If any of the validation rules are violated.
+    """
+    PortfolioInvitation = apps.get_model("registrar.PortfolioInvitation")
+    UserPortfolioPermission = apps.get_model("registrar.UserPortfolioPermission")
+    User = get_user_model()
+
+    has_portfolio = bool(portfolio_invitation.portfolio_id)
+    portfolio_permissions = set(portfolio_invitation.get_portfolio_permissions())
+
+    # == Validate required fields == #
+    if not has_portfolio and portfolio_permissions:
+        raise ValidationError("When portfolio roles or additional permissions are assigned, portfolio is required.")
+
+    if has_portfolio and not portfolio_permissions:
+        raise ValidationError("When portfolio is assigned, portfolio roles or additional permissions are required.")
+
+    roles = portfolio_invitation.roles if portfolio_invitation.roles is not None else []
+    bad_perms = UserPortfolioPermission.get_forbidden_permissions(
+        portfolio_invitation.roles, portfolio_invitation.additional_permissions
+    )
+    if bad_perms:
+        readable_perms = [
+            UserPortfolioPermissionChoices.get_user_portfolio_permission_label(perm) for perm in bad_perms
+        ]
+        readable_roles = [UserPortfolioRoleChoices.get_user_portfolio_role_label(role) for role in roles]
+        raise ValidationError(
+            f"These permissions cannot be assigned to {', '.join(readable_roles)}: <{', '.join(readable_perms)}>"
+        )
+
+    user = User.objects.filter(email=portfolio_invitation.email).first()
+    if not flag_is_active_for_user(user, "multiple_portfolios"):
+        existing_permissions = UserPortfolioPermission.objects.filter(user=user)
+
+        existing_invitations = PortfolioInvitation.objects.exclude(id=portfolio_invitation.id).filter(
+            email=portfolio_invitation.email
+        )
+
+        if existing_permissions.exists():
+            raise ValidationError(
+                "This user is already assigned to a portfolio. "
+                "Based on current waffle flag settings, users cannot be assigned to multiple portfolios."
+            )
+
+        if existing_invitations.exists():
+            raise ValidationError(
+                "This user is already assigned to a portfolio invitation. "
+                "Based on current waffle flag settings, users cannot be assigned to multiple portfolios."
+            )
@@ -7,6 +7,7 @@
 {% endblock %}
 
 {% block form_fields %}
+    <input id="bubblegum" class="display-none" value="Other (enter your suborganization manually)">
     <fieldset class="usa-fieldset">
         <legend>
         <h2>Who will use the domain you’re requesting?</h2>