Check has_permission for staff area

Instead of `has_role`.

This replaces the remaining checks against the `StaffAreaAdministrator`
role to access the staff area.

Author: StevenMaude

applications/views.py

@@ -9,9 +9,7 @@
 from django.views.generic import CreateView, RedirectView, UpdateView, View
 
 from jobserver.authorization import (
-    StaffAreaAdministrator,
     has_permission,
-    has_role,
     permissions,
 )
 from jobserver.hash_utils import unhash_or_404
@@ -192,7 +190,9 @@ def page(request, pk_hash, key):
     # check the user can access this application
     validate_application_access(request.user, application)
 
-    if application.approved_at and not has_role(request.user, StaffAreaAdministrator):
+    if application.approved_at and not has_permission(
+        request.user, permissions.staff_area_access
+    ):
         messages.warning(
             request, "This application has been approved and can no longer be edited"
         )

jobserver/context_processors.py

@@ -6,7 +6,8 @@
 from django.urls import reverse
 from furl import furl
 
-from .authorization import StaffAreaAdministrator, has_role
+from jobserver.authorization import has_permission, permissions
+
 from .models import Backend, SiteAlert
 from .nav import NavItem, iter_nav
 
@@ -31,7 +32,9 @@ def in_production(request):
 
 def can_view_staff_area(request):
     user = getattr(request, "user", None) or AnonymousUser()
-    return {"user_can_view_staff_area": has_role(user, StaffAreaAdministrator)}
+    return {
+        "user_can_view_staff_area": has_permission(user, permissions.staff_area_access)
+    }
 
 
 def disable_creating_jobs(request):

jobserver/views/job_requests.py

@@ -20,9 +20,7 @@
 
 from .. import honeycomb
 from ..authorization import (
-    StaffAreaAdministrator,
     has_permission,
-    has_role,
     permissions,
 )
 from ..backends import backends_to_choices
@@ -321,7 +319,9 @@ def get(self, request, *args, **kwargs):
         can_cancel_jobs = job_request.created_by == request.user or has_permission(
             request.user, permissions.job_cancel, project=job_request.workspace.project
         )
-        honeycomb_can_view_links = has_role(self.request.user, StaffAreaAdministrator)
+        honeycomb_can_view_links = has_permission(
+            self.request.user, permissions.staff_area_access
+        )
 
         # build up is_missing_updates to define if we've not seen the backend
         # running this JobRequest for a while.

jobserver/views/jobs.py

@@ -8,9 +8,7 @@
 
 from .. import honeycomb
 from ..authorization import (
-    StaffAreaAdministrator,
     has_permission,
-    has_role,
     permissions,
 )
 from ..models import Job, JobRequest
@@ -62,7 +60,9 @@ def get(self, request, *args, **kwargs):
             project=job.job_request.workspace.project,
         )
 
-        honeycomb_can_view_links = has_role(self.request.user, StaffAreaAdministrator)
+        honeycomb_can_view_links = has_permission(
+            self.request.user, permissions.staff_area_access
+        )
 
         # we need all HTML to be in HTML files, so we built this here and make
         # use of it in the template rather than looking it up with a templatetag

jobserver/views/workspaces.py

@@ -13,9 +13,7 @@
 from django.views.generic import CreateView, FormView, ListView, View
 
 from ..authorization import (
-    StaffAreaAdministrator,
     has_permission,
-    has_role,
     permissions,
 )
 from ..forms import (
@@ -201,7 +199,9 @@ def get(self, request, *args, **kwargs):
         # Should we show the admin section in the UI?
         show_admin = can_archive_workspace or can_toggle_notifications
 
-        honeycomb_can_view_links = has_role(self.request.user, StaffAreaAdministrator)
+        honeycomb_can_view_links = has_permission(
+            self.request.user, permissions.staff_area_access
+        )
 
         outputs = self.get_output_permissions(workspace)
 

staff/views/job_requests.py

@@ -3,10 +3,11 @@
 from django.utils.decorators import method_decorator
 from django.views.generic import DetailView, ListView
 
-from jobserver.authorization import StaffAreaAdministrator
-from jobserver.authorization.decorators import require_permission
+from jobserver.authorization.decorators import (
+    has_permission,
+    require_permission,
+)
 from jobserver.authorization.permissions import staff_area_access
-from jobserver.authorization.utils import has_role
 from jobserver.models import Backend, JobRequest, Org, Project, User, Workspace
 from jobserver.views.job_requests import JobRequestCancel as BaseJobRequestCancel
 
@@ -16,7 +17,7 @@
 @method_decorator(require_permission(staff_area_access), name="dispatch")
 class JobRequestCancel(BaseJobRequestCancel):
     def user_has_permission_to_cancel(self, request):
-        return has_role(request.user, StaffAreaAdministrator)
+        return has_permission(request.user, staff_area_access)
 
     def redirect(self):
         return redirect(self.job_request.get_staff_url())

tests/unit/jobserver/test_nav.py

@@ -1,6 +1,6 @@
 import pytest
 
-from jobserver.authorization import StaffAreaAdministrator, has_role
+from jobserver.authorization import StaffAreaAdministrator, has_permission, permissions
 from jobserver.nav import NavItem, iter_nav
 
 from ...factories import UserFactory
@@ -71,7 +71,9 @@ def test_iter_nav_optional_items(rf, roles, expected):
         NavItem(
             name="Only Shown for CoreDevs",
             url_name="staff:user-list",
-            predicate=lambda request: has_role(request.user, StaffAreaAdministrator),
+            predicate=lambda request: has_permission(
+                request.user, permissions.staff_area_access
+            ),
         ),
     ]