feat(ks,admin): full permissions for superuser

backend/kesaseteli/applications/admin.py

@@ -431,11 +431,23 @@ def get_readonly_fields(self, request, obj=None):
         return super().get_readonly_fields(request, obj)
 
     def has_add_permission(self, request):
-        """Disable adding new applications."""
+        """
+        Disable adding new applications.
+        Only superusers can add new applications.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
     def has_delete_permission(self, request, obj=None):
-        """Disable deleting applications."""
+        """
+        Disable deleting applications.
+        Only superusers can delete applications.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
 
@@ -557,11 +569,23 @@ class EmployerApplicationAdmin(admin.ModelAdmin):
     ]
 
     def has_add_permission(self, request):
-        """Disable adding new applications."""
+        """
+        Disable adding new applications.
+        Only superusers can add new applications.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
     def has_delete_permission(self, request, obj=None):
-        """Disable deleting applications."""
+        """
+        Disable deleting applications.
+        Only superusers can delete applications.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
     def get_queryset(self, request):
@@ -656,11 +680,23 @@ def get_fieldsets(self, request, obj=None):
         ]
 
     def has_add_permission(self, request):
-        """Disable adding new employer summer vouchers."""
+        """
+        Disable adding new employer summer vouchers.
+        Only superusers can add new employer summer vouchers.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
     def has_delete_permission(self, request, obj=None):
-        """Disable deleting employer summer vouchers."""
+        """
+        Disable deleting employer summer vouchers.
+        Only superusers can delete employer summer vouchers.
+        """
+        user = request.user
+        if user.is_superuser:
+            return True
         return False
 
     def queryset(self, request):

backend/kesaseteli/applications/tests/test_youth_application_admin_permissions.py

@@ -4,6 +4,7 @@
 from applications.admin import YouthApplicationAdmin
 from applications.models import YouthApplication
 from common.tests.factories import YouthApplicationFactory
+from shared.common.tests.factories import DuplicateAllowingUserFactory
 
 
 @pytest.fixture
@@ -12,8 +13,17 @@ def youth_application_admin():
 
 
 @pytest.mark.django_db
-def test_has_add_permission(youth_application_admin):
-    assert youth_application_admin.has_add_permission(None) is False
+def test_has_add_permission(youth_application_admin, rf):
+    # Just any request will do
+    request = rf.get("/")
+
+    # Test with normal user
+    request.user = DuplicateAllowingUserFactory()
+    assert youth_application_admin.has_add_permission(request) is False
+
+    # Test with superuser
+    request.user = DuplicateAllowingUserFactory(is_superuser=True)
+    assert youth_application_admin.has_add_permission(request) is True
 
 
 @pytest.mark.django_db