Feature: Clarity on role based access for admin roles in CF

[thomasbergernz]

Description

Superuser status request.user.is_superuser, staff status request.user.is_staff and PI is_pi are built-in roles controlling UI elements and access to functions in ColdFront.
Defining groups with "user permissions" seems another way to grant access to a group-based role. Example: https://coldfront.readthedocs.io/en/latest/howto/roles/director/
Group-based roles can be combined with "staff status". However, when doing so, the CF UI elements are not controlled by the "user permissions" only by "superuser status", "staff status" or "pi status".
So, while it is possible to assign some admin permissions and "staff status", the UI doesn't even offer a link to /admin.
"Admin staff" users can utilise /admin the Django admin UI.
We would like to have a role with e.g. allocation | allocation | Can add allocation permission to see UI elements like the button "Request Resource Allocation".

Component

Projects, Allocations, Administration

Additional information

Right now I have to make more staff a superuser to avoid any issues. This is risky and staff has to be cautious when changing the config.

[dsajdak]

@thomasbergernz I see what you're saying but what is not clear is where you would want to see this "request resource allocation" button. Would you expect if a staff member were viewing a PI's project, they should be able to click that button there? Would you want to see that button under the "View all Allocations" list? Do you have another idea of how you'd like to see that implemented?

[thomasbergernz]

@dsajdak checking is_staff and the permission would be a fine-grained solution.
E.g. when viewing a PI's project, the has_permission = True would show the button when viewing a PI's project.