Management command to refresh permission objects. Closes #1137

docs/source/admin.rst

@@ -104,6 +104,14 @@ created
   ``management``, ``testcases``, ``testplans`` and ``testruns`` applications.
   These are the permissions required for normal usage of Kiwi TCMS!
 
+To ensure that all necessary permissions are assigned to the default
+group (Tester) and that the stale permission objects are removed, after
+the system installation or upgrade use the following management
+command::
+
+    ./manage.py refresh_permissions
+
+
 .. important::
 
     *Tester* is the default group to which new user accounts are assigned!

docs/source/installing_docker.rst

@@ -77,6 +77,15 @@ Then you need to create the first user account::
 
     docker exec -it kiwi_web /Kiwi/manage.py createsuperuser
 
+
+A special group called Tester is created during the installation. This
+is the default group for testers and we do not recommend to alter or
+delete it. It needs certain permissions which can be assigned by the
+command::
+
+    docker exec -it kiwi_web /Kiwi/manage.py refresh_permissions
+
+
 .. warning::
 
     In the command ``docker exec`` the option ``-i`` keeps STDIN open

docs/source/modules/tcms.core.management.commands.refresh_permissions.rst

@@ -0,0 +1,7 @@
+tcms.core.management.commands.refresh\_permissions module
+=========================================================
+
+.. automodule:: tcms.core.management.commands.refresh_permissions
+   :members:
+   :undoc-members:
+   :show-inheritance:

docs/source/modules/tcms.core.management.commands.rst

@@ -13,4 +13,5 @@ Submodules
    :maxdepth: 4
 
    tcms.core.management.commands.migrations_order
+   tcms.core.management.commands.refresh_permissions
    tcms.core.management.commands.set_domain

tcms/core/management/commands/refresh_permissions.py

@@ -0,0 +1,42 @@
+from django.core.management import call_command
+from django.core.management.base import BaseCommand
+from tcms.utils.permissions import assign_default_group_permissions
+
+
+class Command(BaseCommand):
+    help = ('Refresh permissions for Tester group '
+            '(set by DEFAULT_GROUPS setting) and remove stale ones.'
+            )
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '--noinput', '--no-input', action='store_false',
+            dest='interactive',
+            help='Automatic mode. Does not require user input',
+        )
+
+    def handle(self, *args, **kwargs):
+        output = None
+        if kwargs['verbosity']:
+            output = self.stdout
+
+        call_command('update_permissions', '--verbosity=%i' %
+                     kwargs['verbosity'])
+
+        # Assign permissions to Tester group
+        if output:
+            self.stdout.write('\nSetting up missing permissions')
+        assign_default_group_permissions(output=output, refresh_all=True)
+        if output:
+            self.stdout.write('Done.')
+
+        # Removing stale permissions
+        if output:
+            self.stdout.write('\nRemoving stale permissions')
+        call_command('remove_stale_contenttypes', '--include-stale-apps',
+                     '--verbosity=%i' % kwargs['verbosity'],
+                     interactive=kwargs['interactive'])
+        call_command('clean_orphan_obj_perms', '--verbosity=%i' %
+                     kwargs['verbosity'])
+        if output:
+            self.stdout.write('Done.')

tcms/utils/permissions.py

@@ -3,30 +3,42 @@
 from django.contrib.auth.models import Group, Permission
 
 
-def assign_default_group_permissions():
+def generate_output(output, permissions, group):
+    """
+        Generates verbose output for added permissions
+    """
+    if output:
+        for perm in permissions:
+            output.write('%s.%s added to %s group' %
+                         (perm.content_type.app_label, perm.codename,
+                          group.name))
+
+
+def assign_default_group_permissions(output=None, refresh_all=False):
     """
         Adds the default permissions for Administrator and Tester
         groups!
     """
     admin = Group.objects.get(name='Administrator')
-    if admin.permissions.count() == 0:
-        all_perms = Permission.objects.all()
-        admin.permissions.add(*all_perms)
+    if admin.permissions.count() == 0 or refresh_all:
+        perms_to_add = Permission.objects.exclude(
+            pk__in=admin.permissions.all())
+        admin.permissions.add(*perms_to_add)
+        generate_output(output, perms_to_add, admin)
 
     tester = Group.objects.get(name='Tester')
-    if tester.permissions.count() == 0:
+    tester_perms = tester.permissions.all()
+    if tester_perms.count() == 0 or refresh_all:
         # apply all permissions for test case & product management
         for app_name in ['bugs', 'django_comments', 'linkreference', 'management',
-                         'testcases', 'testplans', 'testruns']:
-            app_perms = Permission.objects.filter(content_type__app_label__contains=app_name)
+                         'testcases', 'testplans', 'testruns', 'attachments']:
+            app_perms = Permission.objects.filter(
+                content_type__app_label__contains=app_name)
+            app_perms = app_perms.exclude(pk__in=tester_perms).exclude(
+                content_type__app_label='attachments',
+                codename='delete_foreign_attachments')
             tester.permissions.add(*app_perms)
-
-    # this app was introduced later and we don't want all of its permissions
-    if tester.permissions.filter(content_type__app_label='attachments').count() == 0:
-        attachment_perms = Permission.objects.filter(
-            content_type__app_label='attachments'
-        ).exclude(codename='delete_foreign_attachments')
-        tester.permissions.add(*attachment_perms)
+            generate_output(output, app_perms, tester)
 
 
 def initiate_user_with_default_setups(user):