mirror of https://github.com/PostHog/posthog.git synced 2024-11-28 18:26:15 +01:00
posthog/ee/models/rbac/organization_resource_access.py

42 lines
1.5 KiB
Python

feat: role based permissions (#12657) * initial role and role memberships setup * create role when org is created and role memberships when user joins * wip for merge * fix api tests for role * nest roles under organization route and test fixes * remove pdb set trace * fix types * remove creating default roles and role memberships for orgs and users * add permission levels to orgs and roles * bulk create role memberships * leave role membership as individual api request, handle bulk creation on the frontend instead * feature flag role access wip and migrations * fix flag role access tests * linter * isort * temp type ignore * add access level to plugin tests * test remove test migration safe * test license import error fix * delete old? org license test * nvm we need these tests * type ignore * reset license plans after test * add organization resource access model and remove access level field from regular organizations * feat: permission return on feature flag (#12826) * suggested permission return * change naming * add changes * pass bool * fix plugin tests * organization resource access tests and fixes * update can edit return with new org resource access model from feature flag * fix tests * add permissions to feature flag for editing * more tests * remove unnecessary spacing * fix test * add context for feature flag serializer tests * add back workflow test step * add organization to feature flag role access * fix(spike): why are tests failing (#12858) * was it because invalid id is provided? * allow django to touch the db * a less unexpected way of allowing access to the DB * Revert "add organization to feature flag role access" This reverts commit ef18b0ec8b0bca0dede6a8614eb94f5879f442a7. 
* address feedback and include organization safety checks in tests * test error fix * test role dupe name per org * remove third access level option * fix migration for it * more tests * fix test * feat: role based permissions UI (#12776) * add api * starter * role and member creation + deletion * working with all deletes * add block * working roles * permissions tab on org settings * org default setting * types * flag role assignment * working per flag permission * working with admin block * types * use restricted area component * wrap flag resource access in different url * restore migrations manifest * update url endpoints * pay gate mini org role settings * remove view and custom edit and remove resource access creation on org creation * add feature flag * address feedback * fix backend tests * remove broken permissions setting on new feature flags * export logic props interface Co-authored-by: Li Yi Yu <li@posthog.com> * type fixes Co-authored-by: Eric Duong <eeoneric@gmail.com> Co-authored-by: Paul D'Ambra <paul@posthog.com>
2022-11-24 02:36:29 +01:00
from django.db import models

from posthog.models.organization import Organization

# NOTE: This will be deprecated in favour of the AccessControl model
class OrganizationResourceAccess(models.Model):
    class AccessLevel(models.IntegerChoices):
        """Level for which a role or user can edit or view resources"""

        CAN_ONLY_VIEW = 21, "Can only view"
        CAN_ALWAYS_EDIT = 37, "Can always edit"

    class Resources(models.TextChoices):
        FEATURE_FLAGS = "feature flags", "feature flags"
        EXPERIMENTS = "experiments", "experiments"
        COHORTS = "cohorts", "cohorts"
        DATA_MANAGEMENT = "data management", "data management"
        SESSION_RECORDINGS = "session recordings", "session recordings"
        INSIGHTS = "insights", "insights"
        DASHBOARDS = "dashboards", "dashboards"

    resource = models.CharField(max_length=32, choices=Resources.choices)
    access_level = models.PositiveSmallIntegerField(default=AccessLevel.CAN_ALWAYS_EDIT, choices=AccessLevel.choices)
    organization = models.ForeignKey(Organization, on_delete=models.CASCADE, related_name="resource_access")
    created_by = models.ForeignKey(
        "posthog.User",
        on_delete=models.SET_NULL,
        null=True,
    )
    created_at = models.DateTimeField(auto_now_add=True)
    updated_at = models.DateTimeField(auto_now=True)

    class Meta:
        constraints = [
            models.UniqueConstraint(
                fields=["organization", "resource"],
                name="unique resource per organization",
            )
        ]