snapshot: preserve branding foundation and platform owner split

backend/workflows/roles.py

@@ -4,12 +4,14 @@ from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
 from django.utils.translation import gettext_lazy as _
 
+ROLE_PLATFORM_OWNER = 'platform_owner'
 ROLE_SUPER_ADMIN = 'super_admin'
 ROLE_ADMIN = 'admin'
 ROLE_IT_STAFF = 'it_staff'
 ROLE_STAFF = 'staff'
 
 ROLE_GROUP_NAMES = {
+    ROLE_PLATFORM_OWNER: 'Platform Owner',
     ROLE_SUPER_ADMIN: 'Super Admin',
     ROLE_ADMIN: 'Admin',
     ROLE_IT_STAFF: 'IT Staff',
@@ -17,6 +19,7 @@ ROLE_GROUP_NAMES = {
 }
 
 ROLE_LABELS = {
+    ROLE_PLATFORM_OWNER: _('Platform Owner'),
     ROLE_SUPER_ADMIN: _('Super Admin'),
     ROLE_ADMIN: _('Admin'),
     ROLE_IT_STAFF: _('IT Staff'),
@@ -24,19 +27,20 @@ ROLE_LABELS = {
 }
 
 CAPABILITIES = {
-    'manage_users': {ROLE_SUPER_ADMIN},
-    'access_requests_dashboard': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
-    'run_intro_session': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
-    'generate_intro_pdfs': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
-    'retry_requests': {ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
-    'delete_requests': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'manage_integrations': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'manage_welcome_emails': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'manage_builders': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'view_audit_log': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'manage_backups': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'view_docs': {ROLE_SUPER_ADMIN, ROLE_ADMIN},
-    'access_django_admin_link': {ROLE_SUPER_ADMIN},
+    'manage_users': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
+    'manage_product_branding': {ROLE_PLATFORM_OWNER},
+    'access_requests_dashboard': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'run_intro_session': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'generate_intro_pdfs': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'retry_requests': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF},
+    'delete_requests': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_integrations': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_welcome_emails': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_builders': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'view_audit_log': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'manage_backups': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'view_docs': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN},
+    'access_django_admin_link': {ROLE_PLATFORM_OWNER},
 }
 
 
@@ -54,16 +58,17 @@ def assign_user_role(user, role_key: str) -> None:
     user.groups.remove(*role_groups)
     user.groups.add(Group.objects.get(name=ROLE_GROUP_NAMES[role_key]))
 
+    is_product_owner = role_key == ROLE_PLATFORM_OWNER
     is_super_admin = role_key == ROLE_SUPER_ADMIN
-    user.is_staff = is_super_admin
-    user.is_superuser = is_super_admin
+    user.is_staff = is_product_owner or is_super_admin
+    user.is_superuser = is_product_owner
     user.save(update_fields=['is_staff', 'is_superuser'])
 
 
 def ensure_bootstrap_role_assignments() -> None:
     user_model = get_user_model()
     bootstrap_roles = {
-        'admin_test': ROLE_SUPER_ADMIN,
+        'admin_test': ROLE_PLATFORM_OWNER,
         'user_test': ROLE_STAFF,
     }
     role_group_names = set(ROLE_GROUP_NAMES.values())
@@ -72,6 +77,12 @@ def ensure_bootstrap_role_assignments() -> None:
             user = user_model.objects.get(username=username)
         except user_model.DoesNotExist:
             continue
+        if role_key == ROLE_PLATFORM_OWNER and not any(
+            get_user_role_key(existing_user) == ROLE_PLATFORM_OWNER
+            for existing_user in user_model.objects.all()
+        ):
+            assign_user_role(user, ROLE_PLATFORM_OWNER)
+            continue
         if user.groups.filter(name__in=role_group_names).exists():
             continue
         assign_user_role(user, role_key)
@@ -81,15 +92,15 @@ def get_user_role_key(user) -> str:
     if not getattr(user, 'is_authenticated', False):
         return ROLE_STAFF
     if getattr(user, 'is_superuser', False):
-        return ROLE_SUPER_ADMIN
+        return ROLE_PLATFORM_OWNER
 
     group_names = set(user.groups.values_list('name', flat=True))
-    for role_key in (ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF):
+    for role_key in (ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF):
         if ROLE_GROUP_NAMES[role_key] in group_names:
             return role_key
 
     if getattr(user, 'is_staff', False):
-        return ROLE_ADMIN
+        return ROLE_SUPER_ADMIN
     return ROLE_STAFF
 
 
@@ -111,6 +122,7 @@ def template_role_context(user) -> dict[str, object]:
     return {
         'role_key': role_key,
         'role_label': str(ROLE_LABELS[role_key]),
+        'can_manage_product_branding': user_has_capability(user, 'manage_product_branding'),
         'can_manage_users': user_has_capability(user, 'manage_users'),
         'can_access_requests_dashboard': user_has_capability(user, 'access_requests_dashboard'),
         'can_run_intro_session': user_has_capability(user, 'run_intro_session'),