Use specific, non-admin permission for 2nd level approval queue (#23538)

* Use specific, non-admin permission for 2nd level approval queue

Author: diox

src/olympia/constants/permissions.py

@@ -49,6 +49,8 @@
 ADDONS_TRIAGE_DELAYED = AclPermission('Addons', 'TriageDelayed')
 # Can see add-ons with all due dates in the queue, rather than just upcoming ones
 ADDONS_ALL_DUE_DATES = AclPermission('Addons', 'AllDueDates')
+# Can view/make choices in 2nd level approval queue
+ADDONS_HIGH_IMPACT_APPROVE = AclPermission('Addons', 'HighImpactApprove')
 
 # Can edit all collections.
 COLLECTIONS_EDIT = AclPermission('Collections', 'Edit')

src/olympia/reviewers/tests/test_views.py

@@ -621,7 +621,7 @@ def test_not_a_reviewer(self):
         response = self.client.get(self.url)
         assert response.status_code == 403
 
-    def test_admin_all_permissions(self):
+    def test_super_admin_all_permissions(self):
         # Create a lot of add-ons to test the queue counts.
         user_factory(pk=settings.TASK_USER_ID)
         # Recommended extensions
@@ -679,8 +679,6 @@ def test_admin_all_permissions(self):
         AutoApprovalSummary.objects.create(
             version=addon1.current_version, verdict=amo.AUTO_APPROVED
         )
-        admins_group = Group.objects.create(name='Admins', rules='*:*')
-        GroupUser.objects.create(user=self.user, group=admins_group)
 
         # Pending addon
         addon_factory(name='Pending Addön', status=amo.STATUS_NOMINATED)
@@ -725,10 +723,13 @@ def test_admin_all_permissions(self):
             action=DECISION_ACTIONS.AMO_DISABLE_ADDON, addon=addon1
         )
 
+        admins_group = Group.objects.create(name='Admins', rules='*:*')
+        GroupUser.objects.create(user=self.user, group=admins_group)
+
         response = self.client.get(self.url)
         assert response.status_code == 200
         doc = pq(response.content)
-        assert len(doc('.dashboard h3')) == 7  # All sections are present.
+        assert len(doc('.dashboard h3')) == 8  # All sections are present.
         expected_links = [
             reverse('reviewers.queue_extension'),
             reverse('reviewers.reviewlog'),
@@ -766,7 +767,7 @@ def test_can_see_all_through_reviewer_view_all_permission(self):
         response = self.client.get(self.url)
         assert response.status_code == 200
         doc = pq(response.content)
-        assert len(doc('.dashboard h3')) == 7  # All sections are present.
+        assert len(doc('.dashboard h3')) == 8  # All sections are present.
         expected_links = [
             reverse('reviewers.queue_extension'),
             reverse('reviewers.reviewlog'),
@@ -7957,9 +7958,10 @@ def setUp(self):
             name='Approve',
             enforcement_actions=[DECISION_ACTIONS.AMO_APPROVE.api_value],
         )
-        # CinderJob.objects.create(cinder)
         self.url = reverse('reviewers.decision_review', args=(self.decision.id,))
-        self.login_as_admin()
+        self.user = user_factory()
+        self.grant_permission(self.user, 'Addons:HighImpactApprove')
+        self.client.force_login(self.user)
 
     def _test_review_page_addon(self):
         response = self.client.get(self.url)
@@ -8123,7 +8125,7 @@ def test_approve_user_instead(self):
         self.assertCloseToNow(override.action_date)
         assert override.override_of == self.decision
 
-    def test_non_admin_cannot_access(self):
+    def test_non_second_level_approver_cannot_access(self):
         self.login_as_reviewer()
         response = self.client.get(self.url)
         assert response.status_code == 403

src/olympia/reviewers/views.py

@@ -271,6 +271,11 @@ def dashboard(request):
                 ),
                 reverse('reviewers.queue_pending_rejection'),
             ),
+        ]
+    if view_all or acl.action_allowed_for(
+        request.user, amo.permissions.ADDONS_HIGH_IMPACT_APPROVE
+    ):
+        sections['2nd Level Approval'] = [
             (
                 'Held Decisions for 2nd Level Approval ({0})'.format(
                     queue_counts['queue_decisions']
@@ -1265,7 +1270,7 @@ def queue_decisions(request, tab):
     )
 
 
-@permission_or_tools_listed_view_required(amo.permissions.REVIEWS_ADMIN)
+@permission_or_tools_listed_view_required(amo.permissions.ADDONS_HIGH_IMPACT_APPROVE)
 def decision_review(request, decision_id):
     decision = get_object_or_404(ContentDecision, pk=decision_id)
     form = HeldDecisionReviewForm(