Allowing users to delete audit editors #4359

Merged
merged 19 commits into from
Oct 11, 2024

@phildominguez-gsa phildominguez-gsa commented Oct 7, 2024

Draft: Coordinating merge with static site update

Addresses #3409

In this PR:

  • Adding a link in the audit access management page that lets an editor remove another editor, as long as it's not yourself
  • Fixed centering for the Edit column
  • Unit tests

Testing:

  • Go to the user management page for an audit you've created (this way you are an editor.) Removal links should only exist for those with the editor role.
  • Click the Remove link for your user's row and you should get a page saying you're not allowed to. You can use devtools to un-disable the button and submit, but it will error. Now is also a good time to confirm that clicking the cancel button returns you to the user management page.
  • Add a new auditor with some test email. Clicking Remove for that editor should show the normal removal page. Clicking the submit button should remove them and return you to the user management page. You can see that they've been added to the audit_deletedaccess table as well.
  • Trying to get to a removal page for an editor that doesn't exist for this audit should 404. To do this, change the id param to some random number. This should also happen if you use the id for a non-editor user, which you can find in audit_access.
  • If you're logged in as someone with audit access who is NOT an editor (i.e. a certifier), you shouldn't see the remove column/links at all. If you try to go to a removal url directly, it will error. I think the easiest way to test this is by having the Cypress test create an audit so it can make your normal login email a certifier instead of an editor.

PR Checklist: Submitter

  • Link to an issue if possible. If there’s no issue, describe what your branch does. Even if there is an issue, a brief description in the PR is still useful.
  • List any special steps reviewers have to follow to test the PR. For example, adding a local environment variable, creating a local test file, etc.
  • For extra credit, submit a screen recording like this one.
  • Make sure you’ve merged main into your branch shortly before creating the PR. (You should also be merging main into your branch regularly during development.)
  • Make sure you’ve accounted for any migrations. When you’re about to create the PR, bring up the application locally and then run git status | grep migrations. If there are any results, you probably need to add them to the branch for the PR. Your PR should have only one new migration file for each of the component apps, except in rare circumstances; you may need to delete some and re-run python manage.py makemigrations to reduce the number to one. (Also, unless in exceptional circumstances, your PR should not delete any migration files.)
  • Make sure that whatever feature you’re adding has tests that cover the feature. This includes test coverage to make sure that the previous workflow still works, if applicable.
  • Make sure the full-submission.cy.js Cypress test passes, if applicable.
  • Do manual testing locally. Our tests are not good enough yet to allow us to skip this step. If that’s not applicable for some reason, check this box.
  • Verify that no Git surgery was necessary, or, if it was necessary at any point, repeat the testing after it’s finished.
  • Once a PR is merged, keep an eye on it until it’s deployed to dev, and do enough testing on dev to verify that it deployed successfully, the feature works as expected, and the happy path for the broad feature area (such as submission) still works.
  • Ensure that prior to merging, the working branch is up to date with main and the terraform plan is what you expect.

PR Checklist: Reviewer

  • Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
  • Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
  • Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
  • Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

Pre Merge Checklist: Merger

  • Ensure that prior to approving, the terraform plan is what we expect it to be. -/+ resource "null_resource" "cors_header" should be destroying and recreating itself and ~ resource "cloudfoundry_app" "clamav_api" might be updating its sha256 for the fac-file-scanner and fac-av-${ENV} by default.
  • Ensure that the branch is up to date with main.
  • Ensure that a terraform plan has been recently generated for the pull request.
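
The access rules exercised by the testing steps in the description above, written out as server-side checks in a small in-memory Python model. This is an added example, not code from this PR or the project; the class names, field names, the `certifier` role string and the 403-style error are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Would map to HTTP 404."""

class Forbidden(Exception):
    """Would map to an error response such as HTTP 403 (assumed status)."""

@dataclass
class Access:
    # One row of an access table; field names are hypothetical.
    id: int
    report_id: str
    email: str
    role: str  # "editor" or "certifier" in this sketch

@dataclass
class Store:
    access: list = field(default_factory=list)
    deleted_access: list = field(default_factory=list)  # stand-in for audit_deletedaccess

def remove_editor(store, report_id, requester_email, access_id):
    """Checks applied to the submitted form, independent of the disabled button."""
    rows = [a for a in store.access if a.report_id == report_id]
    me = requester_email.lower()
    # 1. Only an editor of this audit may remove anyone.
    if not any(a.email.lower() == me and a.role == "editor" for a in rows):
        raise Forbidden("requester is not an editor of this audit")
    # 2. The id must name an editor row of this same audit, otherwise 404.
    target = next((a for a in rows if a.id == access_id and a.role == "editor"), None)
    if target is None:
        raise NotFound("no such editor for this audit")
    # 3. Editors may not remove themselves.
    if target.email.lower() == me:
        raise Forbidden("editors cannot remove their own access")
    store.access.remove(target)
    store.deleted_access.append(target)  # keep the removed row, as the PR describes
    return target

def sample_store():
    # Constructed sample data, not taken from the project.
    return Store(access=[
        Access(1, "R-1", "alice@example.test", "editor"),
        Access(2, "R-1", "bob@example.test", "editor"),
        Access(3, "R-1", "carol@example.test", "certifier"),
        Access(4, "R-2", "dave@example.test", "editor"),
    ])
```

Checking the requester's role before looking up the target means a non-editor gets the same error whether or not the id exists.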

github-actions bot commented Oct 7, 2024

Terraform plan for meta

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Warning: Argument is deprecated

  with module.s3-backups.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/s3-backups/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

✅ Plan applied in Deploy to Development and Management Environment #832

github-actions bot commented Oct 7, 2024

Terraform plan for dev

Plan: 1 to add, 0 to change, 1 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2024-10-11T14:56:41Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Warning: Argument is deprecated

  with module.dev-backups-bucket.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/dev-backups-bucket/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

(and 6 more similar warnings elsewhere)

✅ Plan applied in Deploy to Development and Management Environment #832

github-actions bot commented Oct 7, 2024

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines | Covered | Coverage | Threshold | Status
18778 | 17122 | 91% | 0% | 🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: 79eedfe by action🐍

@rnovak338

I was able to go through each of your points and confirm the expected behavior.

A small thing I caught (shown below). It seems that for the "Remove Access" page, some of the details in the footer are not visible. For example, my audit has an Entity Name and UEI (and it renders on other pages), but not here. Oddly enough, the report ID still displays.

image

@phildominguez-gsa

> I was able to go through each of your points and confirm the expected behavior.
>
> A small thing I caught (shown below). It seems that for the "Remove Access" page, some of the details in the footer are not visible. For example, my audit has an Entity Name and UEI (and it renders on other pages), but not here. Oddly enough, the report ID still displays.
>
> image

Good catch, should be good now

@sambodeme

@phildominguez-gsa This works as described in the ticket description. One thing I noticed, which could either be included here or turned into a separate ticket, is that when adding an editor, the app does not check if that editor (identified by their email) already exists, nor does it prevent duplicate creation. I was able to add myself as an editor a second time, but the system would not allow me to remove the duplicate record.

@phildominguez-gsa

> @phildominguez-gsa This works as described in the ticket description. One thing I noticed, which could either be included here or turned into a separate ticket, is that when adding an editor, the app does not check if that editor (identified by their email) already exists, nor does it prevent duplicate creation. I was able to add myself as an editor a second time, but the system would not allow me to remove the duplicate record.

Totally agree. My preference would be separate in case this change needs to be reverted, as we don't want to also revert the dupe fix, unless @jadudm has any objections.


{% if is_editor_removing_self %}
<p class="font-sans-md">
In order to avoid an audit from become inaccesible to an organization, editors do not have permission to remove their own access.
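
Review bot: the message on the last line of this hunk is user-facing and has two typos: "from become inaccesible" should be "from becoming inaccessible". The `is_editor_removing_self` branch only changes what the template renders, so the view that handles the form submission needs the same self-removal check; the testing notes in the description say a forced submit errors, and a unit test asserting that would keep it so.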

Simplify to "Editors do not have permission to remove their own access."

Done!

@jadudm

jadudm commented Oct 11, 2024

Let's ticket the dupe fix separately, agreed. Reviewed. LGTM. My testing mirrors others; one suggestion on text, and it's good to go.

@phildominguez-gsa phildominguez-gsa marked this pull request as ready for review October 11, 2024 15:42
@phildominguez-gsa phildominguez-gsa changed the title Draft: Allowing users to delete audit editors Allowing users to delete audit editors Oct 11, 2024
@jadudm jadudm left a comment

LGTM. Provides a long-sought feature. Tested locally.

@jadudm jadudm added this pull request to the merge queue Oct 11, 2024
Merged via the queue into main with commit ac78e19 Oct 11, 2024
15 checks passed
@jadudm jadudm deleted the pd/delete-editors branch October 11, 2024 15:45
@phildominguez-gsa

> Let's ticket the dupe fix separately, agreed. Reviewed. LGTM. My testing mirrors others; one suggestion on text, and it's good to go.

Created a bug ticket here: #4375


4 participants