Add rolespermissions module, refractor the group to use it

Update how initial groups are created in the database, instead of
putting them in the migration files, which is quite hard to maintain the
group definitation is now maintained via the AbstractRoles and they
rsync'ed using `python manage.py sync_roles`. It will never delete any
existing group or permissions attached to them.

This PR also updates the `hypha.apply.users.groups` module to
`hypha.apply.users.roles` to better prepare of upcoming changes due to
rolepermissions module

Procfile

@@ -1,2 +1,2 @@
-release: python manage.py migrate --noinput && python manage.py clear_cache --cache=default
+release: python manage.py migrate --noinput && python manage.py clear_cache --cache=default && python manage.py sync_roles
 web: gunicorn hypha.wsgi:application --log-file -

docs/setup/deployment/development/docker.md

@@ -134,6 +134,7 @@ pg_restore --verbose --clean --if-exists --no-acl --no-owner --dbname=hypha --us
 After restoring the sandbox db run the migrate command inside the py container.
 
 ```shell
-docker-compose exec py bash
-python3 manage.py migrate
+docker-compose exec py python3 manage.py migrate
+docker-compose exec py python3 manage.py sync_roles
+
 ```

docs/setup/deployment/development/stand-alone.md

@@ -196,6 +196,7 @@ There are two ways to about it, you can either load demo data from  `/public/san
 
     ```shell
     python3 manage.py migrate
+    python3 manage.py sync_roles
     ```
 
 === "From Scratch"
@@ -209,6 +210,7 @@ There are two ways to about it, you can either load demo data from  `/public/san
 
     ```text
     python3 manage.py migrate
+    python3 manage.py sync_roles
     ```
 
 !!! tip "Tips"

docs/setup/deployment/production/heroku.md

@@ -51,12 +51,13 @@ python3 -c "from django.core.management.utils import get_random_secret_key; prin
 
     ```shell
     heroku run python3 manage.py migrate -a [name-of-app]
+    heroku run python3 manage.py sync_roles -a [name-of-app]
     heroku run python3 manage.py createcachetable -a [name-of-app]
     heroku run python3 manage.py createsuperuser -a [name-of-app]
     heroku run python3 manage.py wagtailsiteupdate [the-public-address] [the-apply-address] 443  -a [name-of-app]
     ```
 
-7. Now add the "release" step back to the "Procfile" and deploy again.
+7. Now add the "release" step back to the `Procfile` and deploy again.
 
 You should now have a running site.
 

docs/setup/deployment/production/stand-alone.md

@@ -152,6 +152,7 @@ npm run build
 python manage.py collectstatic --noinput
 python manage.py createcachetable
 python manage.py migrate --noinput
+python manage.py sync_roles
 python manage.py clear_cache --cache=default
 python manage.py createsuperuser
 python manage.py wagtailsiteupdate apply.server.domain 80

hypha/apply/activity/adapters/emails.py

@@ -11,13 +11,13 @@
 from hypha.apply.activity.models import ALL, APPLICANT_PARTNERS, PARTNER
 from hypha.apply.projects.models.payment import CHANGES_REQUESTED_BY_STAFF, DECLINED
 from hypha.apply.projects.templatetags.project_tags import display_project_status
-from hypha.apply.users.groups import (
+from hypha.apply.users.models import User
+from hypha.apply.users.roles import (
     APPROVER_GROUP_NAME,
     CONTRACTING_GROUP_NAME,
     FINANCE_GROUP_NAME,
     STAFF_GROUP_NAME,
 )
-from hypha.apply.users.models import User
 from hypha.core.mail import (
     language,
     remove_extra_empty_lines,

hypha/apply/activity/adapters/utils.py

@@ -16,12 +16,12 @@
     RESUBMITTED,
     SUBMITTED,
 )
-from hypha.apply.users.groups import (
+from hypha.apply.users.models import User
+from hypha.apply.users.roles import (
     CONTRACTING_GROUP_NAME,
     FINANCE_GROUP_NAME,
     STAFF_GROUP_NAME,
 )
-from hypha.apply.users.models import User
 
 
 def link_to(target, request):

hypha/apply/api/v1/serializers.py

@@ -16,7 +16,7 @@
 )
 from hypha.apply.review.models import Review, ReviewOpinion
 from hypha.apply.review.options import RECOMMENDATION_CHOICES
-from hypha.apply.users.groups import PARTNER_GROUP_NAME, STAFF_GROUP_NAME
+from hypha.apply.users.roles import PARTNER_GROUP_NAME, STAFF_GROUP_NAME
 from hypha.core.utils import markdown_to_html
 
 User = get_user_model()

hypha/apply/funds/management/commands/seed_community_lab_application.py

@@ -7,7 +7,7 @@
 from hypha.apply.funds.models import ApplicationForm, LabType
 from hypha.apply.funds.models.forms import LabBaseForm, LabBaseReviewForm
 from hypha.apply.review.models import ReviewForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 from hypha.home.models import ApplyHomePage
 
 CL_FUND_TITLE = "Community lab (archive fund)"

hypha/apply/funds/management/commands/seed_concept_note.py

@@ -12,7 +12,7 @@
     ApplicationBaseReviewForm,
 )
 from hypha.apply.review.models import ReviewForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 from hypha.home.models import ApplyHomePage
 
 CN_ROUND_TITLE = "Internet Freedom Fund (archive round)"

hypha/apply/funds/management/commands/seed_fellowship.py

@@ -12,7 +12,7 @@
     ApplicationBaseReviewForm,
 )
 from hypha.apply.review.models import ReviewForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 from hypha.home.models import ApplyHomePage
 
 FS_ROUND_TITLE = "Fellowship (archive round)"

hypha/apply/funds/management/commands/seed_rapid_response.py

@@ -12,7 +12,7 @@
     ApplicationBaseReviewForm,
 )
 from hypha.apply.review.models import ReviewForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 from hypha.home.models import ApplyHomePage
 
 RR_ROUND_TITLE = "Rapid Response (archive round)"

hypha/apply/funds/models/submissions.py

@@ -48,7 +48,7 @@
 from hypha.apply.stream_forms.models import BaseStreamForm
 from hypha.apply.todo.options import SUBMISSION_DRAFT
 from hypha.apply.todo.views import remove_tasks_for_user
-from hypha.apply.users.groups import APPLICANT_GROUP_NAME
+from hypha.apply.users.roles import APPLICANT_GROUP_NAME
 
 from ..blocks import NAMED_BLOCKS, ApplicationCustomFormFieldsBlock
 from ..workflow import (

hypha/apply/funds/models/utils.py

@@ -17,7 +17,7 @@
 from hypha.apply.stream_forms.models import AbstractStreamForm
 from hypha.apply.todo.options import SUBMISSION_DRAFT
 from hypha.apply.todo.views import add_task_to_user
-from hypha.apply.users.groups import (
+from hypha.apply.users.roles import (
     COMMUNITY_REVIEWER_GROUP_NAME,
     PARTNER_GROUP_NAME,
     REVIEWER_GROUP_NAME,

hypha/apply/funds/permissions.py

@@ -3,7 +3,7 @@
 
 from hypha.apply.funds.models.submissions import DRAFT_STATE
 
-from ..users.groups import STAFF_GROUP_NAME, SUPERADMIN, TEAMADMIN_GROUP_NAME
+from ..users.roles import STAFF_GROUP_NAME, SUPERADMIN, TEAMADMIN_GROUP_NAME
 
 
 def has_permission(action, user, object=None, raise_exception=True):

hypha/apply/funds/reviewers/services.py

@@ -2,7 +2,7 @@
 from django.db.models import Q
 from django.db.models.query import QuerySet
 
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 
 User = get_user_model()
 

hypha/apply/funds/tests/factories/models.py

@@ -28,7 +28,7 @@
 )
 from hypha.apply.funds.workflow import ConceptProposal, Request, RequestExternal
 from hypha.apply.stream_forms.testing.factories import FormDataFactory
-from hypha.apply.users.groups import REVIEWER_GROUP_NAME, STAFF_GROUP_NAME
+from hypha.apply.users.roles import REVIEWER_GROUP_NAME, STAFF_GROUP_NAME
 from hypha.apply.users.tests.factories import (
     ApplicantFactory,
     GroupFactory,

hypha/apply/funds/tests/test_admin_views.py

@@ -6,7 +6,7 @@
 from wagtail.test.utils import WagtailTestUtils
 
 from hypha.apply.funds.models.forms import ApplicationForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 from hypha.apply.users.tests.factories import SuperUserFactory
 from hypha.home.factories import ApplyHomePageFactory
 

hypha/apply/funds/views_partials.py

@@ -24,7 +24,7 @@
 from hypha.apply.funds.reviewers.services import get_all_reviewers
 from hypha.apply.funds.services import annotate_review_recommendation_and_count
 from hypha.apply.review.options import REVIEWER
-from hypha.apply.users.groups import REVIEWER_GROUP_NAME
+from hypha.apply.users.roles import REVIEWER_GROUP_NAME
 
 from . import services
 from .models import ApplicationSubmission, Round

hypha/apply/projects/forms/project.py

@@ -8,7 +8,7 @@
 from hypha.apply.funds.models import ApplicationSubmission
 from hypha.apply.stream_forms.fields import SingleFileField
 from hypha.apply.stream_forms.forms import StreamBaseForm
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 
 from ..models.project import (
     CLOSING,

hypha/apply/projects/service_utils.py

@@ -12,7 +12,7 @@
     remove_tasks_for_user,
     remove_tasks_for_user_group,
 )
-from hypha.apply.users.groups import (
+from hypha.apply.users.roles import (
     APPROVER_GROUP_NAME,
     FINANCE_GROUP_NAME,
 )

hypha/apply/projects/tests/factories.py

@@ -11,7 +11,7 @@
     FormFieldsBlockFactory,
     NonFileFormFieldsBlockFactory,
 )
-from hypha.apply.users.groups import APPROVER_GROUP_NAME, STAFF_GROUP_NAME
+from hypha.apply.users.roles import APPROVER_GROUP_NAME, STAFF_GROUP_NAME
 from hypha.apply.users.tests.factories import GroupFactory, StaffFactory, UserFactory
 
 from ..models.payment import Invoice, InvoiceDeliverable, SupportingDocument

hypha/apply/projects/views/project.py

@@ -61,7 +61,7 @@
     staff_or_finance_or_contracting_required,
     staff_required,
 )
-from hypha.apply.users.groups import CONTRACTING_GROUP_NAME
+from hypha.apply.users.roles import CONTRACTING_GROUP_NAME
 from hypha.apply.utils.models import PDFPageSettings
 from hypha.apply.utils.storage import PrivateMediaView
 from hypha.apply.utils.views import DelegateableView, DelegatedViewMixin, ViewDispatcher

hypha/apply/review/models.py

@@ -8,7 +8,7 @@
 
 from hypha.apply.funds.models.mixins import AccessFormData
 from hypha.apply.stream_forms.models import BaseStreamForm
-from hypha.apply.users.groups import (
+from hypha.apply.users.roles import (
     PARTNER_GROUP_NAME,
     REVIEWER_GROUP_NAME,
     STAFF_GROUP_NAME,

hypha/apply/users/admin_views.py

@@ -4,15 +4,14 @@
 from django.db.models import CharField, Q, Value
 from django.db.models.functions import Coalesce, Lower, NullIf
 from django.template.defaultfilters import mark_safe
+from rolepermissions import roles
 from wagtail.admin.filters import WagtailFilterSet
 from wagtail.compat import AUTH_USER_APP_LABEL, AUTH_USER_MODEL_NAME
 from wagtail.users.views.groups import GroupViewSet
 from wagtail.users.views.groups import IndexView as GroupIndexView
 from wagtail.users.views.users import Index as UserIndexView
 from wagtail.users.views.users import get_users_filter_query
 
-from .models import GroupDesc
-
 User = get_user_model()
 
 # Typically we would check the permission 'auth.change_user' (and 'auth.add_user' /
@@ -147,14 +146,17 @@ class CustomGroupIndexView(GroupIndexView):
 
     def get_queryset(self):
         """
-        Overriding the normal queryset that would return all Group objects, this returnd an iterable of groups with custom names containing HTML help text.
+        Overriding the normal queryset that would return all Group objects, this returned an iterable of groups with custom names containing HTML help text.
         """
         group_qs = super().get_queryset()
 
         custom_groups = []
 
         for group in group_qs:
-            help_text = GroupDesc.get_from_group(group)
+            # Check if the group is a role
+            help_text = getattr(
+                roles.registered_roles.get(group.name, {}), "help_text", ""
+            )
             if help_text:
                 group.name = mark_safe(
                     f"{group.name}<p class=group-help-text>{help_text}</p>"

hypha/apply/users/forms.py

@@ -5,9 +5,10 @@
 from django.template.defaultfilters import mark_safe
 from django.utils.translation import gettext_lazy as _
 from django_select2.forms import Select2Widget
+from rolepermissions import roles
 from wagtail.users.forms import UserCreationForm, UserEditForm
 
-from .models import AuthSettings, GroupDesc
+from .models import AuthSettings
 from .utils import strip_html_and_nerf_urls
 
 User = get_user_model()
@@ -125,7 +126,9 @@ def label_from_instance(self, group_obj):
         """
         Overwriting ModelMultipleChoiceField's label from instance to provide help_text (if it exists)
         """
-        help_text = GroupDesc.get_from_group(group_obj)
+        help_text = getattr(
+            roles.registered_roles.get(group_obj.name, {}), "help_text", ""
+        )
         if help_text:
             return mark_safe(
                 f'{group_obj.name}<p class="group-help-text">{help_text}</p>'

hypha/apply/users/management/commands/migrate_users.py

@@ -7,7 +7,7 @@
 from django.core.management.base import BaseCommand
 from django.db import transaction
 
-from hypha.apply.users.groups import STAFF_GROUP_NAME
+from hypha.apply.users.roles import STAFF_GROUP_NAME
 
 
 class Command(BaseCommand):