From 9c06ef5c17b9ff4df048f966dcb50f4f52fdd051 Mon Sep 17 00:00:00 2001
From: Ali Nawaz
Date: Wed, 29 Mar 2023 08:02:25 +0500
Subject: [PATCH] chore: log the user triggering the retirement flow chore: change user retirement permissions to allow support staff
---
 lms/djangoapps/bulk_user_retirement/views.py | 2 ++
 .../user_api/accounts/tests/test_permissions.py | 17 +++++++++++++++++
 openedx/core/djangoapps/user_api/rules.py | 3 ++-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/lms/djangoapps/bulk_user_retirement/views.py b/lms/djangoapps/bulk_user_retirement/views.py
index a19cdbbea1..14775ac322 100644
--- a/lms/djangoapps/bulk_user_retirement/views.py
+++ b/lms/djangoapps/bulk_user_retirement/views.py
@@ -57,6 +57,8 @@ class BulkUsersRetirementView(APIView):
 user_to_retire = User.objects.get(username=username)
 with transaction.atomic():
 create_retirement_request_and_deactivate_account(user_to_retire)
+ log.info(f'The user "{username}" has been added to the retirement pipeline \
+ by "{request.user}"')
 except User.DoesNotExist:
 log.exception(f'The user "{username}" does not exist.')
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_permissions.py b/openedx/core/djangoapps/user_api/accounts/tests/test_permissions.py
index d02f1f4459..017255b74d 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_permissions.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_permissions.py
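Review bot: In lms/djangoapps/bulk_user_retirement/views.py the new `log.info` call continues its f-string with a backslash inside the literal, so any indentation in front of `by "{request.user}"` on the continuation line becomes part of the audit message and makes it harder to match in log searches. Passing the values as logger arguments avoids that and keeps the format string constant: `log.info('The user "%s" has been added to the retirement pipeline by "%s"', username, request.user)`. Since this line is the only record of who started a retirement, logging a stable identifier such as `request.user.id` next to the display form would make the trail more dependable. The enclosing method starts and ends outside the hunk, so it is not visible here whether the call sits inside the `transaction.atomic()` block.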
@@ -78,6 +78,23 @@ class CanRetireUserTest(TestCase):
 result = CanRetireUser().has_permission(self.request, None)
 assert not result
+ def test_api_permission_staff_without_permission(self):
+ self.request.user = AdminFactory()
+ result = CanRetireUser().has_permission(self.request, None)
+ assert not result
+
+ def test_api_permission_staff_granted_permission(self):
+ self.request.user = AdminFactory()
+ permission = PermissionFactory(
+ codename='add_userretirementrequest',
+ content_type=ContentTypeFactory(
+ app_label='user_api'
+ )
+ )
+ self.request.user.user_permissions.add(permission)
+ result = CanRetireUser().has_permission(self.request, None)
+ assert result
+
 class CanCancelUserRetirementTest(TestCase):
 """ Tests for cancel user retirement API permissions """
diff --git a/openedx/core/djangoapps/user_api/rules.py b/openedx/core/djangoapps/user_api/rules.py
index f39410827e..034ae27381 100644
--- a/openedx/core/djangoapps/user_api/rules.py
+++ b/openedx/core/djangoapps/user_api/rules.py
@@ -14,7 +14,8 @@ def can_retire_user(user):
 """
 return (
 user.username == settings.RETIREMENT_SERVICE_WORKER_USERNAME or
- user.is_superuser
+ user.is_superuser or
+ (user.is_staff and user.has_perm('user_api.add_userretirementrequest'))
 )
 rules.add_perm('accounts.can_retire_user', can_retire_user)
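Review bot: The new tests in test_permissions.py leave one combination of the rule untested: a user who holds `user_api.add_userretirementrequest` but is not staff. A third test asserting `not result` for that user would pin the `is_staff and has_perm` conjunction in rules.py, so a later change to `or` cannot pass unnoticed. The granted-permission test assigns the permission directly through `user_permissions`; if support staff are expected to receive it through a group, a group-based case is worth adding as well.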
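Review bot: The clause added to `can_retire_user` in rules.py widens the shared `accounts.can_retire_user` rule rather than the bulk retirement view alone, so any other endpoint guarded by this rule becomes reachable by staff holding `user_api.add_userretirementrequest`; whether such endpoints exist is not visible here and should be checked before merging. The codename also looks like Django's auto-generated model add permission, which may already be granted for admin-site use and would then authorise account retirement as a side effect. If the intent is only to let support staff submit retirement requests, a dedicated rule or a custom permission codename would keep the grant narrow. The docstring of `can_retire_user` starts outside the hunk and should name the new path, for example `Staff users qualify only when explicitly granted user_api.add_userretirementrequest.`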