
[#2023] Implemented Category/Product admin access based on auth.Group #967

Merged
merged 4 commits into from
Feb 2, 2024

Conversation


@Bartvaderkin Bartvaderkin commented Jan 18, 2024

task: https://taiga.maykinmedia.nl/project/open-inwoner/task/2023

To make this work, create a Group in the admin and assign some Categories. Then assign this Group to a non-superuser, and log in as this User.

Then in the Category list view you'll only see this category, and in the Product list view you only see Products from this Category. Additionally, in the Product edit view you can only assign Categories from your Groups (there is some logic to keep assigned Categories you're not allowed to manage).
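The scoping rule described in the PR, modelled as an added example that is not open-inwoner's code: it reproduces the policy in plain Python (no Django) so each part can be exercised directly. The names Category, Group, User and Product, the field managed_category_ids on Group, and the sample data are all constructed stand-ins; the comments say which Django admin hook each function corresponds to.

```python
from __future__ import annotations
from dataclasses import dataclass, field


# Constructed stand-ins for the Django models; not the project's definitions.
@dataclass(frozen=True)
class Category:
    id: int
    name: str


@dataclass(frozen=True)
class Group:
    name: str
    managed_category_ids: frozenset  # hypothetical: categories this auth.Group may manage


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False
    groups: tuple = ()


@dataclass
class Product:
    id: int
    name: str
    category_ids: set = field(default_factory=set)


class NotFound(Exception):
    """Stands in for the admin's 'does not exist' response (HTTP 404)."""


def managed_category_ids(user: User, categories: list[Category]) -> set[int]:
    """Categories the user may manage: everything for a superuser, otherwise the
    union of the user's groups. This is the rule a get_queryset() override applies."""
    if user.is_superuser:
        return {c.id for c in categories}
    return set().union(*(g.managed_category_ids for g in user.groups))


def visible_categories(user: User, categories: list[Category]) -> list[Category]:
    """Category list view: only categories in the user's scope."""
    allowed = managed_category_ids(user, categories)
    return [c for c in categories if c.id in allowed]


def visible_products(user: User, products: list[Product], categories: list[Category]) -> list[Product]:
    """Product list view: only products linked to at least one category in scope."""
    allowed = managed_category_ids(user, categories)
    return [p for p in products if p.category_ids & allowed]


def get_product_for_change(user: User, product_id: int, products, categories) -> Product:
    """Change view lookup. Because scoping happens on the queryset, an out-of-scope
    id is indistinguishable from a missing one: the result is 'not found', not 'forbidden'."""
    for p in visible_products(user, products, categories):
        if p.id == product_id:
            return p
    raise NotFound(product_id)


def save_product_categories(user: User, product: Product, submitted_ids, categories) -> set[int]:
    """Apply a category selection from the product edit form. The form only offers
    categories in scope, so ids outside the scope are dropped (cannot be added) and
    categories already on the product that the user may not manage are kept (cannot
    be removed); a restricted editor can neither widen nor silently narrow the product."""
    allowed = managed_category_ids(user, categories)
    kept = product.category_ids - allowed      # out of scope: preserved as-is
    chosen = set(submitted_ids) & allowed      # in scope: exactly as submitted
    product.category_ids = kept | chosen
    return product.category_ids


# Constructed sample data.
CATEGORIES = [Category(1, "Housing"), Category(2, "Health"), Category(3, "Work")]
HOUSING_EDITORS = Group("housing-editors", frozenset({1}))
ALICE = User("alice", groups=(HOUSING_EDITORS,))   # restricted group user
ROOT = User("root", is_superuser=True)              # unrestricted


def sample_products() -> list[Product]:
    return [
        Product(1, "Rent benefit", {1}),
        Product(2, "GP registration", {2}),
        Product(3, "Job coaching", {1, 3}),
    ]


def demo() -> dict:
    products = sample_products()
    out = {
        "alice_categories": [c.name for c in visible_categories(ALICE, CATEGORIES)],
        "alice_products": [p.id for p in visible_products(ALICE, products, CATEGORIES)],
        "root_products": [p.id for p in visible_products(ROOT, products, CATEGORIES)],
    }
    try:
        get_product_for_change(ALICE, 2, products, CATEGORIES)
        out["alice_opens_product_2"] = "ok"
    except NotFound:
        out["alice_opens_product_2"] = "not found"
    # alice edits product 3: drops Housing (1) and tries to add Health (2).
    # Work (3) is out of her scope and is kept; Health is dropped; Housing is removed.
    out["product_3_after_save"] = sorted(save_product_categories(ALICE, products[2], {2}, CATEGORIES))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last step is the one worth checking in a review: the merge of kept and chosen ids is what stops a restricted editor from detaching a product from a category they cannot see, which a plain "replace the M2M with the submitted set" would allow.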


codecov-commenter commented Jan 18, 2024

Codecov Report

Attention: 17 lines in your changes are missing coverage. Please review.

Comparison is base (c63452b) 94.77% compared to head (fbc6500) 94.74%.
Report is 8 commits behind head on develop.

Files Patch % Lines
src/open_inwoner/pdc/admin/category.py 59.25% 11 Missing ⚠️
src/open_inwoner/accounts/forms.py 64.28% 5 Missing ⚠️
src/open_inwoner/accounts/admin.py 93.33% 1 Missing ⚠️
@@             Coverage Diff             @@
##           develop     #967      +/-   ##
===========================================
- Coverage    94.77%   94.74%   -0.04%     
===========================================
  Files          861      863       +2     
  Lines        30192    30388     +196     
===========================================
+ Hits         28614    28790     +176     
- Misses        1578     1598      +20     


@Bartvaderkin Bartvaderkin force-pushed the feature/2023-category-admin-group branch from 22645c8 to 4b49cd4 Compare January 23, 2024 10:51
@Bartvaderkin Bartvaderkin changed the title WIP [#2023] Implemented Category/Product admin access based on auth.Group [#2023] Implemented Category/Product admin access based on auth.Group Jan 23, 2024
@Bartvaderkin Bartvaderkin marked this pull request as ready for review January 23, 2024 11:11
@pi-sigma (Contributor) commented:

When I try to edit a category via the CMS without permission, I am redirected to the admin and get the following message:

Onderwerp met ID ‘10’ bestaat niet. Misschien is deze verwijderd?

That's misleading. Perhaps change the message to indicate that the user has no permission.

@pi-sigma pi-sigma left a review comment:

A group user who is not part of a group with access to category X can still view and change X (or any other category) by assigning the permission pdc | Product | Can change product to themselves.

It would be best to just hide the permission section from the admin for group users (only show it to superusers).

Review threads (outdated, resolved) on:
  • src/open_inwoner/pdc/admin/product.py
  • src/open_inwoner/pdc/models/category.py

Bartvaderkin commented Jan 25, 2024

@pi-sigma

  • Unless I'm missing something, you shouldn't be able to navigate (by clicking stuff) to a category or product edit page you don't have access to, as it won't show up in the list because it is filtered at the get_queryset() level, which is also why the error message reports not-found instead of bad-permission. It is out of scope to cover this with a custom message.

  • I don't think this is an issue? Users with these category restrictions are of lower responsibility and won't have group management because that would create this escalation route.

Review threads on:
  • src/open_inwoner/pdc/admin/category.py (outdated, resolved)
  • src/open_inwoner/pdc/admin/product.py (resolved)
@@ -95,6 +96,52 @@ def test_user_cannot_publish_child_category_without_root_published_on_list_page(
updated_category = Category.objects.get(slug="bar4")
self.assertFalse(updated_category.published)

def test_access_limited_to_linked_auth_groups(self):
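Review bot: the hunk as shown adds only the `def test_access_limited_to_linked_auth_groups(self):` line, so its assertions are not visible here; following the pattern of the preceding test (`updated_category = Category.objects.get(slug="bar4")` then `self.assertFalse(updated_category.published)`), the new test should assert on resulting state for both sides of the rule, i.e. that a category linked to the user's group appears in the list view and that a category outside it is absent and its change page yields the not-found response the PR description relies on, rather than only checking that a page loads.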
Reviewer (Contributor) commented on this line:

I think we're missing a testcase to verify that a user with managed categories cannot see/edit the access_groups field on the Category change page

Author (Contributor Author) replied:

I added this test (even though it is now readonly)

@Bartvaderkin Bartvaderkin force-pushed the feature/2023-category-admin-group branch from 693d142 to bc29efa Compare February 1, 2024 11:18
@Bartvaderkin Bartvaderkin force-pushed the feature/2023-category-admin-group branch from bc29efa to c96e2f0 Compare February 1, 2024 11:47
@stevenbal stevenbal merged commit e8471d8 into develop Feb 2, 2024
14 checks passed
@stevenbal stevenbal deleted the feature/2023-category-admin-group branch February 2, 2024 13:57

4 participants