Merge pull request #3930 from allegro/dont-remove-extra-permissions-automatically

Dont remove extra permissions automatically

Author: hipek8

src/ralph/__init__.py

@@ -1,14 +1 @@
-from django.db.models.options import Options
-
 __version__ = "3.0.0"
-
-
-def monkey_options_init(self, meta, app_label):
-    self._old__init__(meta, app_label)
-    self.default_permissions = ("add", "change", "delete", "view")
-
-
-Options._old__init__ = Options.__init__
-Options.__init__ = lambda self, meta, app_label=None: monkey_options_init(
-    self, meta, app_label
-)

src/ralph/accounts/management/commands/_base.py

@@ -0,0 +1,115 @@
+"""
+Base command class and utilities for permissions management.
+
+Provides shared functionality like psql-style table output formatting.
+"""
+
+import re
+from typing import Callable
+
+from django.core.management.base import BaseCommand
+
+# Pre-compiled regex for ANSI escape codes
+ANSI_ESCAPE_RE = re.compile(r"\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])")
+
+
+def strip_ansi(text: str) -> str:
+    """Remove ANSI escape codes from text."""
+    return ANSI_ESCAPE_RE.sub("", text)
+
+
+def calculate_column_widths(headers: list[str], rows: list[list]) -> list[int]:
+    """Calculate the maximum width needed for each column."""
+    widths = [len(h) for h in headers]
+    for row in rows:
+        for i, val in enumerate(row):
+            plain_val = strip_ansi(str(val))
+            widths[i] = max(widths[i], len(plain_val))
+    return widths
+
+
+def format_separator(widths: list[int]) -> str:
+    """Format the horizontal separator line."""
+    return "+-" + "-+-".join("-" * w for w in widths) + "-+"
+
+
+def format_header(headers: list[str], widths: list[int]) -> str:
+    """Format the header row."""
+    cells = (h.ljust(widths[i]) for i, h in enumerate(headers))
+    return "| " + " | ".join(cells) + " |"
+
+
+def format_row(
+    row: list,
+    widths: list[int],
+    row_idx: int,
+    style_map: dict[tuple[int, int], Callable],
+) -> str:
+    """Format a single data row with optional styling."""
+    formatted = []
+    for col_idx, val in enumerate(row):
+        cell = str(val).ljust(widths[col_idx])
+        style_fn = style_map.get((row_idx, col_idx))
+        formatted.append(style_fn(cell) if style_fn else cell)
+    return "| " + " | ".join(formatted) + " |"
+
+
+def format_table(
+    headers: list[str],
+    rows: list[list],
+    style_map: dict[tuple[int, int], Callable] = None,
+) -> list[str]:
+    """
+    Format data as psql-style table lines.
+
+    Args:
+        headers: Column header names.
+        rows: List of rows, each row is a list of values.
+        style_map: Optional dict mapping (row_idx, col_idx) to style function.
+
+    Returns:
+        List of formatted lines ready to print.
+    """
+    if not rows:
+        return ["(0 rows)"]
+
+    style_map = style_map or {}
+    widths = calculate_column_widths(headers, rows)
+    separator = format_separator(widths)
+
+    lines = [
+        separator,
+        format_header(headers, widths),
+        separator,
+        *[format_row(row, widths, idx, style_map) for idx, row in enumerate(rows)],
+        separator,
+        f"({len(rows)} rows)",
+    ]
+    return lines
+
+
+def format_summary(active: int, orphaned: int) -> str:
+    """Format permission summary counts."""
+    return (
+        f"\n Active permissions:   {active}\n"
+        f" Orphaned permissions: {orphaned}\n"
+        f" Total in database:    {active + orphaned}\n"
+    )
+
+
+class PermissionBaseCommand(BaseCommand):
+    """Base command with table output utilities."""
+
+    def print_table(
+        self,
+        headers: list[str],
+        rows: list[list],
+        style_map: dict[tuple[int, int], Callable] = None,
+    ):
+        """Print data in psql-style table format."""
+        for line in format_table(headers, rows, style_map):
+            self.stdout.write(line)
+
+    def print_summary(self, active: int, orphaned: int):
+        """Print permission summary counts."""
+        self.stdout.write(format_summary(active, orphaned))

src/ralph/accounts/management/commands/audit_extra_view_permissions.py

@@ -0,0 +1,101 @@
+"""
+Management command to list and audit extra view permissions.
+
+This command provides an overview of all extra view permissions,
+showing which are active, orphaned, and their group assignments.
+"""
+
+import json
+
+from ralph.accounts.management.commands._base import PermissionBaseCommand
+from ralph.lib.permissions.utils import collect_permission_info
+
+
+class Command(PermissionBaseCommand):
+    help = "List and audit all extra view permissions."
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--show-groups",
+            action="store_true",
+            help="Show which groups have each permission.",
+        )
+        parser.add_argument(
+            "--orphaned-only",
+            action="store_true",
+            help="Show only orphaned permissions.",
+        )
+        parser.add_argument(
+            "--format",
+            choices=["table", "json"],
+            default="table",
+            help="Output format (default: table).",
+        )
+
+    def handle(self, *args, **options):
+        show_groups = options["show_groups"]
+        orphaned_only = options["orphaned_only"]
+        output_format = options["format"]
+
+        data, active_count, orphaned_count = collect_permission_info(
+            include_groups=show_groups,
+            orphaned_only=orphaned_only,
+        )
+
+        if output_format == "json":
+            self._output_json(data, active_count, orphaned_count)
+        else:
+            self._output_table(data, active_count, orphaned_count, show_groups)
+
+    def _output_table(self, data, active_count, orphaned_count, show_groups):
+        """Output permissions in psql-style table format."""
+        self.print_summary(active_count, orphaned_count)
+
+        if not data:
+            self.stdout.write("(0 rows)\n")
+            return
+
+        # Build headers and rows
+        headers = ["status", "codename", "name", "content_type"]
+        if show_groups:
+            headers.append("groups")
+
+        rows = []
+        style_map = {}
+
+        for idx, info in enumerate(data):
+            row = [info.status, info.codename, info.name, info.content_type]
+            if show_groups:
+                groups_str = ", ".join(info.groups) or "(none)"
+                row.append(groups_str)
+            rows.append(row)
+
+            # Style the status column
+            if info.is_orphaned:
+                style_map[(idx, 0)] = self.style.ERROR
+            else:
+                style_map[(idx, 0)] = self.style.SUCCESS
+
+        self.print_table(headers, rows, style_map)
+
+    def _output_json(self, data, active_count, orphaned_count):
+        """Output permissions in JSON format."""
+        output = {
+            "summary": {
+                "active_count": active_count,
+                "orphaned_count": orphaned_count,
+                "total_count": active_count + orphaned_count,
+            },
+            "permissions": [
+                {
+                    "codename": info.codename,
+                    "name": info.name,
+                    "content_type": info.content_type,
+                    "status": info.status,
+                    "groups": info.groups,
+                }
+                for info in data
+            ],
+        }
+
+        self.stdout.write(json.dumps(output, indent=2))

src/ralph/accounts/management/commands/cleanup_extra_view_permissions.py

@@ -0,0 +1,101 @@
+"""
+Management command to clean up orphaned extra view permissions.
+
+Orphaned permissions are those that start with 'can_view_extra_' but are not
+associated with any currently registered view. This can happen when views are
+removed or when conditionally-loaded views (e.g., DNSView) are not available
+in the current environment.
+"""
+
+import logging
+
+from ralph.accounts.management.commands._base import PermissionBaseCommand
+from ralph.lib.permissions.views import get_orphaned_extra_view_permissions
+from ralph.lib.permissions.utils import get_permission_groups
+
+logger = logging.getLogger(__name__)
+
+
+class Command(PermissionBaseCommand):
+    help = (
+        "Clean up orphaned extra view permissions that are no longer "
+        "associated with any registered view."
+    )
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--dry-run",
+            action="store_true",
+            help="Show what would be deleted without actually deleting.",
+        )
+        parser.add_argument(
+            "--force",
+            action="store_true",
+            help="Skip confirmation prompt.",
+        )
+        parser.add_argument(
+            "--exclude",
+            action="append",
+            default=[],
+            metavar="CODENAME",
+            help="Exclude permission codename from deletion (can be repeated).",
+        )
+
+    def handle(self, *args, **options):
+        dry_run = options["dry_run"]
+        force = options["force"]
+        exclude = set(options["exclude"])
+
+        orphaned = get_orphaned_extra_view_permissions()
+
+        if exclude:
+            orphaned = orphaned.exclude(codename__in=exclude)
+
+        if not orphaned.exists():
+            self.stdout.write(
+                self.style.SUCCESS("No orphaned extra view permissions found.")
+            )
+            return
+
+        # Display orphaned permissions in table format
+        count = orphaned.count()
+        self.stdout.write(
+            self.style.WARNING(f"\nFound {count} orphaned permission(s):\n")
+        )
+
+        headers = ["codename", "content_type", "groups"]
+        rows = []
+        style_map = {}
+
+        for idx, perm in enumerate(orphaned):
+            groups = get_permission_groups(perm)
+            groups_str = ", ".join(groups) or "(none)"
+            rows.append([perm.codename, str(perm.content_type), groups_str])
+
+        self.print_table(headers, rows, style_map)
+
+        if dry_run:
+            self.stdout.write(
+                self.style.NOTICE("\nDry run - no permissions were deleted.")
+            )
+            return
+
+        if not force:
+            self.stdout.write(
+                self.style.WARNING(
+                    "\nWARNING: Deleting will remove permissions from all groups!"
+                )
+            )
+            confirm = input("Are you sure you want to delete? [y/N]: ")
+            if confirm.lower() != "y":
+                self.stdout.write(self.style.NOTICE("Aborted."))
+                return
+
+        deleted_count, _ = orphaned.delete()
+
+        self.stdout.write(
+            self.style.SUCCESS(f"Deleted {deleted_count} orphaned permission(s).")
+        )
+        logger.info(
+            "Deleted %d orphaned permission(s) via management command.", deleted_count
+        )

src/ralph/accounts/management/commands/export_group_permissions.py

@@ -0,0 +1,42 @@
+"""
+Management command to export group permissions to a JSON file.
+"""
+
+import json
+
+from django.contrib.auth.models import Group
+from django.core.management.base import BaseCommand
+
+
+def export_all_group_permissions() -> dict[str, list[str]]:
+    """Export all group permissions as {group_name: ["app_label.codename", ...]}."""
+    result = {}
+    for group in Group.objects.prefetch_related("permissions__content_type").all():
+        if group.permissions.exists():
+            result[group.name] = [
+                f"{perm.content_type.app_label}.{perm.codename}"
+                for perm in group.permissions.all()
+            ]
+    return result
+
+
+class Command(BaseCommand):
+    help = "Export group permissions to a JSON file."
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "file",
+            help="Output JSON file path.",
+        )
+
+    def handle(self, *args, **options):
+        mappings = export_all_group_permissions()
+
+        with open(options["file"], "w") as f:
+            json.dump(mappings, f, indent=2)
+
+        self.stdout.write(
+            self.style.SUCCESS(
+                f"Exported permissions for {len(mappings)} groups to {options['file']}"
+            )
+        )