From b02b2235895b3d880293bb18c4dfb43595d237b0 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Mon, 8 May 2023 12:11:59 -0400
Subject: [PATCH 1/5] WIP: make mobile app available to viewers

---
 engine/apps/api/views/user.py                 |  6 +++---
 .../MobileAppConnection.tsx                   | 21 +++++++------------
 .../containers/UserSettings/UserSettings.tsx  |  3 +--
 .../parts/connectors/MobileAppConnector.tsx   | 10 +++------
 4 files changed, 15 insertions(+), 25 deletions(-)

diff --git a/engine/apps/api/views/user.py b/engine/apps/api/views/user.py
index 2b0a997c63..32fd5d2adf 100644
--- a/engine/apps/api/views/user.py
+++ b/engine/apps/api/views/user.py
@@ -146,14 +146,14 @@ class UserView(
         "verify_number": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "forget_number": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "get_verification_code": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
-        "get_backend_verification_code": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
+        "get_backend_verification_code": [RBACPermission.Permissions.USER_SETTINGS_READ],
         "get_telegram_verification_code": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "unlink_slack": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "unlink_telegram": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
-        "unlink_backend": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
+        "unlink_backend": [RBACPermission.Permissions.USER_SETTINGS_READ],
         "make_test_call": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "export_token": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
-        "upcoming_shifts": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
+        "upcoming_shifts": [RBACPermission.Permissions.USER_SETTINGS_READ],
     }
 
     rbac_object_permissions = {
diff --git a/grafana-plugin/src/containers/MobileAppConnection/MobileAppConnection.tsx b/grafana-plugin/src/containers/MobileAppConnection/MobileAppConnection.tsx
index 4fa269b439..f5ed8ca09e 100644
--- a/grafana-plugin/src/containers/MobileAppConnection/MobileAppConnection.tsx
+++ b/grafana-plugin/src/containers/MobileAppConnection/MobileAppConnection.tsx
@@ -184,19 +184,14 @@ const MobileAppConnection = observer(({ userPk }: Props) => {
   }
 
   return (
-    <WithPermissionControlDisplay
-      userAction={UserActions.UserSettingsWrite}
-      message="You do not have permission to perform this action. Ask an admin to upgrade your permissions."
-    >
-      <div className={cx('container')}>
-        <Block shadowed bordered withBackground className={cx('container__box')}>
-          <DownloadIcons />
-        </Block>
-        <Block shadowed bordered withBackground className={cx('container__box')}>
-          {content}
-        </Block>
-      </div>
-    </WithPermissionControlDisplay>
+    <div className={cx('container')}>
+      <Block shadowed bordered withBackground className={cx('container__box')}>
+        <DownloadIcons />
+      </Block>
+      <Block shadowed bordered withBackground className={cx('container__box')}>
+        {content}
+      </Block>
+    </div>
   );
 
   function getParsedQRCodeValue() {
diff --git a/grafana-plugin/src/containers/UserSettings/UserSettings.tsx b/grafana-plugin/src/containers/UserSettings/UserSettings.tsx
index 2ee2d34bf1..55d162cabe 100644
--- a/grafana-plugin/src/containers/UserSettings/UserSettings.tsx
+++ b/grafana-plugin/src/containers/UserSettings/UserSettings.tsx
@@ -9,7 +9,6 @@ import { Tabs, TabsContent } from 'containers/UserSettings/parts';
 import { User as UserType } from 'models/user/user.types';
 import { AppFeature } from 'state/features';
 import { useStore } from 'state/useStore';
-import { isUserActionAllowed, UserActions } from 'utils/authorization';
 import { BREAKPOINT_TABS } from 'utils/consts';
 
 import { UserSettingsTab } from './UserSettings.types';
@@ -53,7 +52,7 @@ const UserSettings = observer(({ id, onHide, tab = UserSettingsTab.UserInfo }: U
     !isDesktopOrLaptop,
     isCurrent && teamStore.currentTeam?.slack_team_identity && !storeUser.slack_user_identity,
     isCurrent && store.hasFeature(AppFeature.Telegram) && !storeUser.telegram_configuration,
-    isCurrent && isUserActionAllowed(UserActions.UserSettingsWrite),
+    isCurrent,
   ];
 
   return (
diff --git a/grafana-plugin/src/containers/UserSettings/parts/connectors/MobileAppConnector.tsx b/grafana-plugin/src/containers/UserSettings/parts/connectors/MobileAppConnector.tsx
index 5fe16b591d..9d036526a8 100644
--- a/grafana-plugin/src/containers/UserSettings/parts/connectors/MobileAppConnector.tsx
+++ b/grafana-plugin/src/containers/UserSettings/parts/connectors/MobileAppConnector.tsx
@@ -4,8 +4,6 @@ import { Button, Label } from '@grafana/ui';
 import cn from 'classnames/bind';
 
 import { UserSettingsTab } from 'containers/UserSettings/UserSettings.types';
-import { WithPermissionControlTooltip } from 'containers/WithPermissionControl/WithPermissionControlTooltip';
-import { UserActions } from 'utils/authorization';
 
 import styles from './index.module.css';
 
@@ -26,11 +24,9 @@ const MobileAppConnector = (props: MobileAppConnectorProps) => {
     <div className={cx('user-item')}>
       <Label>Mobile App:</Label>
       <div>
-        <WithPermissionControlTooltip userAction={UserActions.UserSettingsWrite}>
-          <Button size="sm" fill="text" onClick={handleClickConfirmMobileAppButton}>
-            Click to add a mobile app
-          </Button>
-        </WithPermissionControlTooltip>
+        <Button size="sm" fill="text" onClick={handleClickConfirmMobileAppButton}>
+          Click to add a mobile app
+        </Button>
       </div>
     </div>
   );

From 833ab90ac7bafaec46603bb2335a6e02bfa9feb6 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Mon, 8 May 2023 12:13:45 -0400
Subject: [PATCH 2/5] update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3e8c5d7ea0..409aa30be3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Improve ical comparison when checking for imported ical updates ([1870](https://github.com/grafana/oncall/pull/1870))
 - Upgrade to Python 3.11.3 by @joeyorlando ([#1849](https://github.com/grafana/oncall/pull/1849))
+- Users with the Viewer basic role can now connect and use the mobile app ([#1892](https://github.com/grafana/oncall/pull/1892))
 
 ### Fixed
 

From 071a644a15f13c858a136c57645a29c7e5a4c471 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Tue, 16 May 2023 11:20:52 -0400
Subject: [PATCH 3/5] update changelog

---
 CHANGELOG.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d23073b81..3d4485ce38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Added
+
+- Users with the Viewer basic role can now connect and use the mobile app ([#1892](https://github.com/grafana/oncall/pull/1892))
+
 ## v1.2.23 (2023-05-15)
 
 ### Added
@@ -38,7 +44,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Improve ical comparison when checking for imported ical updates ([1870](https://github.com/grafana/oncall/pull/1870))
 - Upgrade to Python 3.11.3 by @joeyorlando ([#1849](https://github.com/grafana/oncall/pull/1849))
-- Users with the Viewer basic role can now connect and use the mobile app ([#1892](https://github.com/grafana/oncall/pull/1892))
 
 ### Fixed
 

From b23647e7d5a88dd42a4a3e6f19c55134e21cd3bd Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Tue, 16 May 2023 11:41:25 -0400
Subject: [PATCH 4/5] update tests

---
 engine/apps/api/tests/test_user.py | 28 +---------------------------
 1 file changed, 1 insertion(+), 27 deletions(-)

diff --git a/engine/apps/api/tests/test_user.py b/engine/apps/api/tests/test_user.py
index 1d4aa1b762..c859adbb5b 100644
--- a/engine/apps/api/tests/test_user.py
+++ b/engine/apps/api/tests/test_user.py
@@ -1134,7 +1134,7 @@ def test_user_cant_unlink_slack_another_user(
 
 
 @pytest.mark.django_db
-def test_user_cant_unlink_backend__another_user(
+def test_user_cant_unlink_backend_another_user(
     make_organization_and_user_with_plugin_token, make_user_for_organization, make_user_auth_headers
 ):
     organization, first_user, token = make_organization_and_user_with_plugin_token(role=LegacyAccessControlRole.EDITOR)
@@ -1408,22 +1408,6 @@ def test_forget_other_number(
         assert response.json()["verified_phone_number"] == initial_verified_number
 
 
-@pytest.mark.django_db
-def test_viewer_cant_get_own_backend_verification_code(
-    make_organization_and_user_with_plugin_token, make_user_auth_headers
-):
-    _, user, token = make_organization_and_user_with_plugin_token(role=LegacyAccessControlRole.VIEWER)
-
-    client = APIClient()
-    url = (
-        reverse("api-internal:user-get-backend-verification-code", kwargs={"pk": user.public_primary_key})
-        + "?backend=TESTONLY"
-    )
-
-    response = client.get(f"{url}", format="json", **make_user_auth_headers(user, token))
-    assert response.status_code == status.HTTP_403_FORBIDDEN
-
-
 @pytest.mark.django_db
 def test_viewer_cant_get_another_user_backend_verification_code(
     make_organization_and_user_with_plugin_token, make_user_for_organization, make_user_auth_headers
@@ -1441,16 +1425,6 @@ def test_viewer_cant_get_another_user_backend_verification_code(
     assert response.status_code == status.HTTP_403_FORBIDDEN
 
 
-@pytest.mark.django_db
-def test_viewer_cant_unlink_backend_own_user(make_organization_and_user_with_plugin_token, make_user_auth_headers):
-    _, user, token = make_organization_and_user_with_plugin_token(role=LegacyAccessControlRole.VIEWER)
-    client = APIClient()
-    url = reverse("api-internal:user-unlink-backend", kwargs={"pk": user.public_primary_key}) + "?backend=TESTONLY"
-
-    response = client.post(f"{url}", format="json", **make_user_auth_headers(user, token))
-    assert response.status_code == status.HTTP_403_FORBIDDEN
-
-
 @pytest.mark.django_db
 def test_viewer_cant_unlink_backend_another_user(
     make_organization_and_user_with_plugin_token, make_user_for_organization, make_user_auth_headers

From e1f34e88f81e264fef2ed7b4fca6473fd38ff7e5 Mon Sep 17 00:00:00 2001
From: Joey Orlando <joseph.t.orlando@gmail.com>
Date: Tue, 13 Jun 2023 20:39:26 +0200
Subject: [PATCH 5/5] make send_test_push endpoint available to viewers

---
 engine/apps/api/views/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/engine/apps/api/views/user.py b/engine/apps/api/views/user.py
index 7871cd5a8e..2c5588ab48 100644
--- a/engine/apps/api/views/user.py
+++ b/engine/apps/api/views/user.py
@@ -168,7 +168,7 @@ class UserView(
         "unlink_telegram": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "unlink_backend": [RBACPermission.Permissions.USER_SETTINGS_READ],
         "make_test_call": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
-        "send_test_push": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
+        "send_test_push": [RBACPermission.Permissions.USER_SETTINGS_READ],
         "send_test_sms": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "export_token": [RBACPermission.Permissions.USER_SETTINGS_WRITE],
         "upcoming_shifts": [RBACPermission.Permissions.USER_SETTINGS_READ],