Move staff area access to a permission rather than a role #5445

@lucyb

Why are we doing this?

In most areas of Job Server, we check someone's access against the permissions they have, which is generally considered best practice as it provides fine-grained control. However, for the staff area, we check against a role instead.

Moving the staff area access to a permission will allow us to assign it to other roles in future. At present, someone needs the StaffAreaAdmin role to view anything in the staff area. We expect that we'll soon be creating a new role, the ProjectAdmin (exact name TBC), who will also need access to the staff area.

This will remove the require_role function and partially address #4260.

How will we know when it's done?

All access to the staff area is controlled by a permissions check.

What are we doing?

  • Creating a new permission, for staff area access
  • Replacing any StaffAreaAdmin role checks with checks for that permission
  • Removing any redundant code.

Defining delivery tasks guidance
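
The change proposed above, sketched as an added example that is not Job Server's own code: a view guarded by a role name next to the same view guarded by a permission, showing that a second role gains staff area access through the role-to-permission map alone. The permission name `staff_area_access`, the `Viewer` role, the `require_permission` decorator and the view functions are assumptions made for illustration; only `require_role`, StaffAreaAdmin and ProjectAdmin are named in the issue.

```python
from dataclasses import dataclass, field
from functools import wraps

STAFF_AREA_ACCESS = "staff_area_access"  # hypothetical permission name
# StaffAreaAdmin and ProjectAdmin come from the issue; "Viewer" and the
# non-staff permission names are constructed. Unlisted roles grant nothing.
ROLE_PERMISSIONS = {
    "StaffAreaAdmin": {STAFF_AREA_ACCESS},
    "ProjectAdmin": {STAFF_AREA_ACCESS, "project_manage"},
    "Viewer": {"project_view"},
}

class PermissionDenied(Exception): pass

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)

def permissions_for(user):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))

def _guard(check):
    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            if not check(user):
                raise PermissionDenied(user.username)
            return view(user, *args, **kwargs)
        return wrapper
    return decorator

def require_role(role):  # before: access is tied to one role name
    return _guard(lambda user: role in user.roles)
def require_permission(permission):  # after: any role carrying the permission
    return _guard(lambda user: permission in permissions_for(user))

@require_role("StaffAreaAdmin")
def staff_index_by_role(user):
    return "staff area"
@require_permission(STAFF_AREA_ACCESS)
def staff_index_by_permission(user):
    return "staff area"

def can_view(view, user):
    try:
        return view(user) == "staff area"
    except PermissionDenied:
        return False
```

With the role check, letting ProjectAdmin in means editing every guarded view; with the permission check it is a single entry in `ROLE_PERMISSIONS`, and a role that is missing from the map is denied.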
