Make the app registration form accessible

App registration form should be open to logged in users, to help enable self service of app registration. Updating connections remains superuser only.
ministryofjustice · Jan 15, 2024 · a7766e6 · a7766e6
1 parent 69570b2
commit a7766e6
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 7 deletions.
diff --git a/controlpanel/api/rules.py b/controlpanel/api/rules.py
@@ -48,7 +48,7 @@ def is_app_admin(user, obj):
 
 
 add_perm("api.list_app", is_authenticated)
-add_perm("api.create_app", is_authenticated & is_superuser)
+add_perm("api.create_app", is_authenticated)
 add_perm("api.retrieve_app", is_authenticated & is_app_admin)
 add_perm("api.update_app", is_authenticated & is_superuser)
 add_perm("api.destroy_app", is_authenticated & is_superuser)
@@ -187,6 +187,8 @@ def is_self(user, other):
 add_perm("api.update_ip_allowlists", is_authenticated & is_superuser)
 add_perm("api.destroy_ip_allowlists", is_authenticated & is_superuser)
 
+add_perm("api.create_connections", is_authenticated & is_superuser)
+
 
 @predicate
 def is_owner(user, obj):

diff --git a/controlpanel/api/serializers.py b/controlpanel/api/serializers.py
@@ -362,7 +362,7 @@ class AppAuthSettingsSerializer(serializers.BaseSerializer):
             "edit_link": "update-app-ip-allowlists"
         },
         cluster.App.AUTH0_CONNECTIONS: {
-            "permission_flag": "api.create_app",
+            "permission_flag": "api.create_connections",
             "edit_link": "update-auth0-connections"
         }
     }

diff --git a/controlpanel/frontend/views/app.py b/controlpanel/frontend/views/app.py
@@ -170,7 +170,7 @@ class UpdateAppAuth0Connections(
 
     form_class = UpdateAppAuth0ConnectionsForm
     model = App
-    permission_required = "api.create_app"
+    permission_required = "api.create_connections"
     template_name = "webapp-auth0-connections-update.html"
     success_url = "manage-app"
 

diff --git a/tests/api/permissions/test_app_permissions.py b/tests/api/permissions/test_app_permissions.py
@@ -98,13 +98,13 @@ def test_authenticated_user_has_basic_perms(client, users):
         (app_detail, "app_user", status.HTTP_403_FORBIDDEN),
         (app_detail, "normal_user", status.HTTP_404_NOT_FOUND),
         (app_delete, "normal_user", status.HTTP_403_FORBIDDEN),
-        (app_create, "normal_user", status.HTTP_403_FORBIDDEN),
+        (app_create, "normal_user", status.HTTP_201_CREATED),
         (app_update, "normal_user", status.HTTP_403_FORBIDDEN),
 
         (app_list, "app_admin", status.HTTP_200_OK),
         (app_detail, "app_admin", status.HTTP_200_OK),
         (app_delete, "app_admin", status.HTTP_403_FORBIDDEN),
-        (app_create, "app_admin", status.HTTP_403_FORBIDDEN),
+        (app_create, "app_admin", status.HTTP_201_CREATED),
         (app_update, "app_admin", status.HTTP_403_FORBIDDEN),
     ],
 )

diff --git a/tests/frontend/views/test_app.py b/tests/frontend/views/test_app.py
@@ -282,8 +282,8 @@ def update_ip_allowlists(client, app, *args):
         (update_auth0_connections, "app_admin", status.HTTP_403_FORBIDDEN),
         (update_auth0_connections, "normal_user", status.HTTP_403_FORBIDDEN),
         (create, "superuser", status.HTTP_200_OK),
-        (create, "app_admin", status.HTTP_403_FORBIDDEN),
-        (create, "normal_user", status.HTTP_403_FORBIDDEN),
+        (create, "app_admin", status.HTTP_200_OK),
+        (create, "normal_user", status.HTTP_200_OK),
         (delete, "superuser", status.HTTP_302_FOUND),
         (delete, "app_admin", status.HTTP_403_FORBIDDEN),
         (delete, "normal_user", status.HTTP_403_FORBIDDEN),