Switch require_role to require_permission

For the `StaffAreaAdministrator` role.

This does not remove all checks on the role for staff area access,
since there is also `has_role` which we'll update.

This removes all users of `require_role` which we can now remove.

Author: StevenMaude

jobserver/authorization/decorators.py

@@ -3,7 +3,7 @@
 from django.core.exceptions import PermissionDenied
 
 from .permissions import backend_manage
-from .utils import has_permission, has_role
+from .utils import has_permission
 
 
 def require_permission(permission):
@@ -26,20 +26,4 @@ def wrapper_require_role(request, *args, **kwargs):
     return decorator_require_permission
 
 
-def require_role(role):
-    """Decorator for views which require a given Role"""
-
-    def decorator_require_role(f):  # sigh
-        @wraps(f)
-        def wrapper_require_role(request, *args, **kwargs):
-            if not has_role(request.user, role):
-                raise PermissionDenied
-
-            return f(request, *args, **kwargs)
-
-        return wrapper_require_role
-
-    return decorator_require_role
-
-
 require_manage_backends = require_permission(backend_manage)

staff/views/applications.py

@@ -13,15 +13,15 @@
 from applications.models import Application
 from applications.wizard import Wizard
 from jobserver.actions import projects
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.hash_utils import unhash, unhash_or_404
 from jobserver.models import Org, Project, User
 
 from ..forms import ApplicationApproveForm
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationApprove(FormView):
     form_class = ApplicationApproveForm
     model = Application
@@ -97,7 +97,7 @@ def get_initial(self):
         return initial
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationDetail(View):
     def dispatch(self, request, *args, **kwargs):
         self.application = get_object_or_404(
@@ -144,7 +144,7 @@ def post(self, request, *args, **kwargs):
         return redirect("staff:application-detail", self.application.pk_hash)
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationEdit(UpdateView):
     fields = [
         "status",
@@ -176,7 +176,7 @@ def get_success_url(self):
         return self.object.get_staff_url()
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationList(ListView):
     response_class = TemplateResponse
     ordering = "-created_at"
@@ -232,7 +232,7 @@ def get_queryset(self):
         return qs.distinct()
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationRemove(View):
     def post(self, request, *args, **kwargs):
         application = get_object_or_404(
@@ -255,7 +255,7 @@ def post(self, request, *args, **kwargs):
         return redirect("staff:application-list")
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ApplicationRestore(View):
     def post(self, request, *args, **kwargs):
         application = get_object_or_404(

staff/views/dashboards/copiloting.py

@@ -9,8 +9,8 @@
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
 
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.github import GitHubError, _get_github_api
 from jobserver.models import Project, ReleaseFile, Repo
 
@@ -78,7 +78,7 @@ def build_repos_by_project(projects, get_github_api=_get_github_api):
     return {p.pk: [r for r in repos if r["pk"] in p.repo_ids] for p in projects}
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 @method_decorator(csp_exempt(), name="dispatch")
 class Copiloting(TemplateView):
     get_github_api = staticmethod(_get_github_api)

staff/views/dashboards/index.py

@@ -1,10 +1,10 @@
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
 
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class DashboardIndex(TemplateView):
     template_name = "staff/dashboards/index.html"

staff/views/dashboards/projects.py

@@ -6,12 +6,12 @@
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
 
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.models import Org, Project, ReleaseFile
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 @method_decorator(csp_exempt(), name="dispatch")
 class ProjectsDashboard(TemplateView):
     template_name = "staff/dashboards/projects.html"

staff/views/dashboards/repos.py

@@ -10,16 +10,16 @@
 from django.utils.decorators import method_decorator
 from django.views.generic import View
 
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.github import _get_github_api
 from jobserver.models import Project, Repo, Workspace
 
 
 logger = structlog.get_logger(__name__)
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class PrivateReposDashboard(View):
     get_github_api = staticmethod(_get_github_api)
 
@@ -147,7 +147,7 @@ def select(repo):
         )
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ReposWithMultipleProjects(View):
     @csp_exempt()
     def get(self, request, *args, **kwargs):

staff/views/index.py

@@ -7,8 +7,8 @@
 from django.views.generic import View
 
 from applications.models import Application
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.models import Backend, Org, Project, User, Workspace
 
 
@@ -95,7 +95,7 @@ def get_results(q):
     return list(itertools.chain.from_iterable(queries))
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class Index(View):
     def get(self, request, *args, **kwargs):
         q = self.request.GET.get("q")

staff/views/job_requests.py

@@ -4,15 +4,16 @@
 from django.views.generic import DetailView, ListView
 
 from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.authorization.utils import has_role
 from jobserver.models import Backend, JobRequest, Org, Project, User, Workspace
 from jobserver.views.job_requests import JobRequestCancel as BaseJobRequestCancel
 
 from .qwargs_tools import qwargs
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class JobRequestCancel(BaseJobRequestCancel):
     def user_has_permission_to_cancel(self, request):
         return has_role(request.user, StaffAreaAdministrator)
@@ -21,14 +22,14 @@ def redirect(self):
         return redirect(self.job_request.get_staff_url())
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class JobRequestDetail(DetailView):
     context_object_name = "job_request"
     model = JobRequest
     template_name = "staff/job_request/detail.html"
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class JobRequestList(ListView):
     ordering = "-created_at"
     paginate_by = 25

staff/views/orgs.py

@@ -9,16 +9,17 @@
 from django_htmx.http import HttpResponseClientRedirect
 from furl import furl
 
-from jobserver.authorization import StaffAreaAdministrator, permissions
-from jobserver.authorization.decorators import require_permission, require_role
+from jobserver.authorization import permissions
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.models import Org, OrgMembership, User
 
 from ..forms import OrgAddGitHubOrgForm, OrgAddMemberForm
 from ..htmx_tools import get_redirect_url
 from .qwargs_tools import qwargs
 
 
-@require_role(StaffAreaAdministrator)
+@require_permission(staff_area_access)
 def org_add_github_org(request, slug):
     org = get_object_or_404(Org, slug=slug)
 
@@ -83,7 +84,7 @@ def get_template_names(self):
         return [template_name]
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class OrgDetail(FormView):
     form_class = OrgAddMemberForm
     template_name = "staff/org/detail.html"
@@ -126,7 +127,7 @@ def get_initial(self):
         }
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class OrgEdit(UpdateView):
     fields = [
         "name",
@@ -158,7 +159,7 @@ def form_valid(self, form):
         return redirect(new.get_staff_url())
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class OrgList(ListView):
     queryset = Org.objects.order_by("name")
     paginate_by = 25
@@ -181,7 +182,7 @@ def get_queryset(self):
         return qs.distinct()
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class OrgRemoveGitHubOrg(View):
     def post(self, request, *args, **kwargs):
         org = get_object_or_404(Org, slug=self.kwargs["slug"])
@@ -199,7 +200,7 @@ def post(self, request, *args, **kwargs):
         return redirect(org.get_staff_url())
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class OrgRemoveMember(View):
     def post(self, request, *args, **kwargs):
         org = get_object_or_404(Org, slug=self.kwargs["slug"])

staff/views/projects.py

@@ -17,8 +17,8 @@
 from jobserver.actions import project_members as members
 from jobserver.actions import projects
 from jobserver.auditing.presenters.lookup import get_presenter
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_role
+from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.permissions import staff_area_access
 from jobserver.authorization.utils import roles_for
 from jobserver.models import AuditableEvent, Org, Project, ProjectMembership, User
 
@@ -32,7 +32,7 @@
 from .qwargs_tools import qwargs
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectAddMember(FormView):
     form_class = ProjectAddMemberForm
     template_name = "staff/project/membership_create.html"
@@ -72,7 +72,7 @@ def get_initial(self):
         }
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectAuditLog(ListView):
     paginate_by = 25
     template_name = "staff/project/audit_log.html"
@@ -109,7 +109,7 @@ def get_queryset(self):
         return qs.distinct()
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectDetail(DetailView):
     model = Project
     template_name = "staff/project/detail.html"
@@ -129,7 +129,7 @@ def get_context_data(self, **kwargs):
         }
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectEdit(UpdateView):
     form_class = ProjectEditForm
     model = Project
@@ -142,7 +142,7 @@ def form_valid(self, form):
         return redirect(new.get_staff_url())
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectLinkApplication(UpdateView):
     form_class = ProjectLinkApplicationForm
     model = Project
@@ -175,7 +175,7 @@ def get_context_data(self, **kwargs):
         }
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectList(ListView):
     queryset = Project.objects.order_by("-number", Lower("name"))
     paginate_by = 25
@@ -203,7 +203,7 @@ def get_queryset(self):
         return qs.distinct()
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectMembershipEdit(UpdateView):
     context_object_name = "membership"
     form_class = ProjectMembershipForm
@@ -244,7 +244,7 @@ def get_object(self):
         )
 
 
-@method_decorator(require_role(StaffAreaAdministrator), name="dispatch")
+@method_decorator(require_permission(staff_area_access), name="dispatch")
 class ProjectMembershipRemove(View):
     def post(self, request, *args, **kwargs):
         membership = get_object_or_404(