Merge pull request #36886 from dimagi/ay/new-superuser-access-to-edit-ff

Grant Edit access to all feature flag categories when creating a new superuser from command line.

Author: ajeety4

corehq/apps/domain/management/commands/make_superuser.py

@@ -7,6 +7,9 @@
 
 from corehq.apps.hqadmin.views.users import send_email_notif
 from corehq.util.signals import signalcommand
+from corehq.toggles import ALL_TAGS
+from corehq.toggles.sql_models import ToggleEditPermission
+
 
 logger = logging.getLogger(__name__)
 
@@ -30,8 +33,11 @@ def get_password_from_user():
     def handle(self, username, **options):
         if not settings.ALLOW_MAKE_SUPERUSER_COMMAND:
             from dimagi.utils.web import get_site_domain
-            raise CommandError(f"""You cannot run this command in SaaS Enviornments.
-            Use https://{get_site_domain()}/hq/admin/superuser_management/ for granting superuser permissions""")
+            raise CommandError(
+                "You cannot run this command in SaaS environments. "
+                f"Use https://{get_site_domain()}/hq/admin/superuser_management/ "
+                "for granting superuser permissions."
+            )
         from corehq.apps.users.models import WebUser
         try:
             validate_email(username)
@@ -55,6 +61,8 @@ def handle(self, username, **options):
         couch_user.is_staff = True
         couch_user.can_assign_superuser = True
 
+        toggle_permission_changes = self.grant_all_tags_edit_permissions(couch_user.username)
+
         if is_superuser_changed or is_staff_changed or can_assign_superuser_changed:
             couch_user.save()
 
@@ -81,4 +89,22 @@ def handle(self, username, **options):
             logger.info("✓ User {} can assign superuser privilege".format(couch_user.username))
             fields_changed['same_management_privilege'] = couch_user.can_assign_superuser
 
+        if toggle_permission_changes['added']:
+            logger.info("→ User {} can now edit all feature flags".format(couch_user.username))
+            fields_changed['toggle_edit_permissions'] = toggle_permission_changes
+        else:
+            logger.info("✓ User {} can edit all feature flags".format(couch_user.username))
+
         send_email_notif([fields_changed], changed_by_user='The make_superuser command')
+
+    @staticmethod
+    def grant_all_tags_edit_permissions(username):
+        toggle_permission_changes = {'added': [], 'removed': []}
+        for tag in ALL_TAGS:
+            toggle_permission = ToggleEditPermission.objects.get_by_tag_slug(tag.slug)
+            if not toggle_permission:
+                toggle_permission = ToggleEditPermission(tag_slug=tag.slug)
+            if username not in toggle_permission.enabled_users:
+                toggle_permission.add_users([username])
+                toggle_permission_changes['added'].append(tag.name)
+        return toggle_permission_changes

corehq/apps/domain/management/commands/tests/test_make_superuser.py

@@ -7,21 +7,22 @@
 from corehq.apps.users.models import FakeUser
 
 
+@patch("corehq.apps.domain.management.commands.make_superuser.Command.grant_all_tags_edit_permissions")
 class TestEmailValidation(SimpleTestCase):
     """Tests the expected behavior of the management command's use of the
     `email_validator` library.
     """
 
-    def test_make_superuser(self):
+    def test_make_superuser(self, *args):
         with patch_fake_webuser():
             call_command("make_superuser", "[email protected]")  # does not raise
 
-    def test_make_superuser_allows_special_domains(self):
+    def test_make_superuser_allows_special_domains(self, *args):
         # as-built with email_validator version 1.1.3
         with patch_fake_webuser():
             call_command("make_superuser", "[email protected]")  # does not raise
 
-    def test_make_superuser_rejects_invalid_email_syntax(self):
+    def test_make_superuser_rejects_invalid_email_syntax(self, *args):
         with patch_fake_webuser(), self.assertRaises(CommandError) as test:
             call_command("make_superuser", "somebody_at_dimagi.com")
         self.assertIsInstance(test.exception.__cause__, ValidationError)