fix: allow super admin customer platform apps

2026-04-01 13:30:17 +02:00
parent 13be9bb461
commit 89cc11e41e
3 changed files with 20 additions and 4 deletions
--- a/backend/workflows/app_registry.py
+++ b/backend/workflows/app_registry.py
@@ -212,13 +212,13 @@ DEFAULT_ROLE_VISIBILITY = {
        ROLE_STAFF: False,
    },
    'branding': {
-        ROLE_SUPER_ADMIN: False,
+        ROLE_SUPER_ADMIN: True,
        ROLE_ADMIN: False,
        ROLE_IT_STAFF: False,
        ROLE_STAFF: False,
    },
    'company_config': {
-        ROLE_SUPER_ADMIN: False,
+        ROLE_SUPER_ADMIN: True,
        ROLE_ADMIN: False,
        ROLE_IT_STAFF: False,
        ROLE_STAFF: False,
--- a/backend/workflows/roles.py
+++ b/backend/workflows/roles.py
@@ -33,8 +33,8 @@ ROLE_LABELS = {
 CAPABILITIES = {
    # Platform-only capabilities stay above any customer-company admin role.
    'manage_users': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
-    'manage_product_branding': {ROLE_PLATFORM_OWNER},
-    'manage_company_config': {ROLE_PLATFORM_OWNER},
+    'manage_product_branding': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
+    'manage_company_config': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN},
    'manage_trial_lifecycle': {ROLE_PLATFORM_OWNER},
    'manage_app_registry': {ROLE_PLATFORM_OWNER},
    'access_requests_dashboard': {ROLE_PLATFORM_OWNER, ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_IT_STAFF, ROLE_STAFF},
--- a/backend/workflows/tests/test_app_registry_permissions.py
+++ b/backend/workflows/tests/test_app_registry_permissions.py
@@ -41,6 +41,13 @@ class AppRegistryPermissionTests(TestCase):
        self.assertNotIn('trial_management', self._visible_keys(self.super_admin))
        self.assertNotIn('trial_management', self._visible_keys(self.admin))

+    def test_super_admin_sees_branding_and_company_config_but_not_app_registry(self):
+        keys = self._visible_keys(self.super_admin)
+
+        self.assertIn('branding', keys)
+        self.assertIn('company_config', keys)
+        self.assertNotIn('app_registry', keys)
+
    def test_requests_dashboard_can_be_hidden_from_staff_via_registry(self):
        config = PortalAppConfig.objects.get(key='requests_dashboard')
        config.visible_to_staff = False
@@ -63,3 +70,12 @@ class AppRegistryPermissionTests(TestCase):
        response = self.client.get(reverse('portal_app_registry_page'))

        self.assertEqual(response.status_code, 200)
+
+    def test_super_admin_can_open_branding_and_company_config_pages(self):
+        self.client.force_login(self.super_admin)
+
+        branding_response = self.client.get(reverse('portal_branding_page'))
+        company_response = self.client.get(reverse('portal_company_config_page'))
+
+        self.assertEqual(branding_response.status_code, 200)
+        self.assertEqual(company_response.status_code, 200)