PlaceCal Norwich's Organiser should have the proper set of permissions #2062

Closed
14 tasks done
Tracked by #2086
kimadactyl opened this issue Sep 19, 2023 — with Huly for GitHub · 12 comments
Labels
eee Enormous Extra Effort (I have no idea how or needs breaking down) verified Issues that have been user acceptance tested vvv Very Very Valuable

Member

kimadactyl commented Sep 19, 2023

User story

As PlaceCal Norwich's Organiser (PNO), I should only have access to relevant data and actions related to my role.

This should form the basis for a generic "new neighbourhood" type of user. It does not cover adding people to existing areas.

Acceptance criteria

  • PNO has permissions "citizen" and "neighbourhood_admin: norwich" and "site_admin for PlaceCal Norwich" and nothing else

In the admin interface, PNO can:

PNO cannot:

Implementation notes & questions

Implementation plan

To be written by the developer

@kimadactyl kimadactyl added this to the Security issues we can fix milestone Sep 19, 2023
@kimadactyl kimadactyl changed the title PlaceCal Norwich's Commissioner should have the proper set of permissions WIP: PlaceCal Norwich's Commissioner should have the proper set of permissions Sep 19, 2023
@kimadactyl
Member Author

Prob this list needs a bit of a discussion

@kimadactyl kimadactyl changed the title WIP: PlaceCal Norwich's Commissioner should have the proper set of permissions WIP: PlaceCal Norwich's Organiser should have the proper set of permissions Sep 20, 2023
@r-ferrier
Contributor

Things that a site_admin in charge of a place based site can edit:

  • name
  • place name
  • tagline
  • hero
  • description
  • published?
  • theme
  • logo, footer, other image things like credit
  • badge zoom level

Things they should not have

  • site admin assignation
  • other neighbourhoods to include
  • other neighbourhood info

@kimadactyl kimadactyl changed the title WIP: PlaceCal Norwich's Organiser should have the proper set of permissions PlaceCal Norwich's Organiser should have the proper set of permissions Sep 20, 2023
@kimadactyl
Member Author

Just noting there's more fields than that they shouldn't have - the should list looks correct tho :)

@kimadactyl kimadactyl added vvv Very Very Valuable eee Enormous Extra Effort (I have no idea how or needs breaking down) and removed needs triage labels Sep 20, 2023
@ivan-kocienski-gfsc
Contributor

meeting notes:

Trying to not think about how non-root users can create other non-root users, as this is pretty complex and needs more thought.

@ivan-kocienski-gfsc
Contributor

Note: users cannot remove (TD) partnership tags as this will push things out of their scope

@kimadactyl
Member Author

kimadactyl commented Oct 24, 2023

> Create users assigned to partners in Norwich

I think this already works though? If not fine to remove but it's my understanding this is working and just needs confirming / tests writing for it

> Note: users cannot remove (TD) partnership tags as this will push things out of their scope

Wrong ticket?

@ivan-kocienski-gfsc
Contributor

ivan-kocienski-gfsc commented Oct 24, 2023

Notes on Acceptance criteria

  • PNO has permissions "citizen" (given a user with a citizen role)
  • PNO is set as neighbourhood_admin: norwich (has one neighbourhood, norwich)
  • PNO is set as site_admin for PlaceCal Norwich (has one site, norwich site)

In the admin interface, PNO can:

  • CRUD only partners in Norwich (including adding categories and facilities tags)
    • can only see partners in Norwich (find partners scope in controller)
    • validates that the partners' address or service area are all in Norwich
    • can only add Norwich neighbourhoods (or descendants of)
    • cannot remove non-Norwich neighbourhoods
    • but they can add/remove any category or facility (?)
  • CRUD only calendars attached to partners in Norwich
    • add a controller filter that scopes calendars to (partners in neighbourhood)
    • validation of this as well
    • their default location AND partner must be in user's allocation
  • See users who are partner_admin of partners in Norwich
    • filter scope the users controller to only users with partners in Norwich
    • would feel better if this was its own view/controller
    • maybe a view showing a user with all their sites / partners
  • Create users assigned to partners in Norwich (decided out of scope for this cycle 24.10.23 HA)
  • Assign existing users to partners in Norwich
    • does this contradict the earlier spec where a user can only see users who manage partners in their neighbourhood?
  • Configure key info about the Norwich PlaceCal site (homepage information on norwich.placecal.org including logos etc.)
    • if the user is a site_admin for Norwich site then they can already do this
PNO cannot:

  • CRUD any partners outside Norwich
    • verify validations on partner model
  • CRUD any calendars not attached to Norwich partners
    • much trickier.
  • Delete users
    • only root can do this
  • Edit users
    • only root can do this
  • Do anything with partnerships
    • user cannot apply/remove partnership tags to partners
  • Have anything to do with news articles (decided out of scope for this cycle 24.10.23 HA)
  • Edit anything about a neighbourhood
    • only root should be able to do this.
  • Cannot remove their site or neighbourhood (?)

I think the hardest thing may be having a user edit a partner that has neighbourhoods outside of their allocation and saving the partner without modifying the outside-of-allocation neighbourhoods whilst still letting them add/remove neighbourhoods within their allocation.
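One way to handle the save described in the comment above, as an added example that is not PlaceCal's code and not part of the original comment. It assumes neighbourhoods form a parent/child tree; `allocation`, `reconcile_neighbourhoods`, `editable?` and the ids are hypothetical names and constructed data.

```ruby
require 'set'

# Constructed sample tree: neighbourhood id => parent id (nil = top level).
PARENTS = {
  1 => nil, # county (constructed)
  2 => 1,   # Norwich
  3 => 2,   # Norwich ward A
  4 => 2,   # Norwich ward B
  5 => 1    # a neighbourhood outside the Norwich allocation
}.freeze

class OutOfAllocation < StandardError; end

# Ids the admin is allocated: each root neighbourhood plus all its descendants.
def allocation(root_ids, parents = PARENTS)
  allowed = Set.new(root_ids)
  loop do
    added = parents.select { |id, parent| allowed.include?(parent) && !allowed.include?(id) }.keys
    break if added.empty?
    allowed.merge(added)
  end
  allowed
end

# Neighbourhood ids to persist when a scoped admin saves a partner.
# The decision is made server-side from the stored record, not from the form.
def reconcile_neighbourhoods(current_ids, submitted_ids, allowed)
  current = Set.new(current_ids)
  submitted = Set.new(submitted_ids)
  # Adding anything outside the allocation is refused outright.
  illegal = (submitted - current) - allowed
  raise OutOfAllocation, "cannot add #{illegal.to_a.sort}" unless illegal.empty?
  # Out-of-allocation ids already on the partner survive even if the form omits them.
  preserved = current - allowed
  # Inside the allocation, the submitted list is authoritative (add and remove).
  (preserved | (submitted & allowed)).to_a.sort
end

# A partner is in scope when at least one of its neighbourhoods is allocated.
def editable?(partner_neighbourhood_ids, allowed)
  Set.new(partner_neighbourhood_ids).intersect?(allowed)
end
```
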

@r-ferrier
Contributor

Me and @aaaaargZombies had a big chat about this this morning and broke down the ticket into smaller bits of work.

Everything we think(!) is straightforward has been ticketed, the only outstanding thing is how do neighbourhood admins attach users to partners:

  • At the moment, they can only see partners in their neighbourhood, so they cannot make anyone an admin unless they are already in the neighbourhood
  • We think it would be most logical to look into allowing them to create a user, which can only be created if it is also made partner admin of one of their partners at the same time

@kimadactyl
Member Author

Could we make a new enum/bool for users that's a global admin role called "user admin" or something like that, and then kick it back to another day?

(prob ditto editor, it doesn't make the most sense to have that in the same enum as root)

@r-ferrier
Contributor

closing as all fixed! Verified in all the related tickets.

@r-ferrier r-ferrier added the verified Issues that have been user acceptance tested label Nov 14, 2023
@kimadactyl
Member Author

Just noting it's all done - apart from the top checkbox which is kinda the most important one :D

I'll set it now

@katjam
Member

katjam commented Nov 20, 2023

Verified in production correct user settings:

image

image

image
