#2729: Update Add a Domain Manager page - [ES]

src/registrar/templates/domain_add_user.html

@@ -4,10 +4,23 @@
 {% block title %}Add a domain manager | {% endblock %}
 
 {% block domain_content %}
+  {% block breadcrumb %}
+    {% url 'domain-users' pk=domain.id as url %}
+    <nav class="usa-breadcrumb padding-top-0" aria-label="Domain manager breadcrumb">
+      <ol class="usa-breadcrumb__list">
+        <li class="usa-breadcrumb__list-item">
+          <a href="{{ url }}" class="usa-breadcrumb__link"><span>Domain managers</span></a>
+        </li>
+        <li class="usa-breadcrumb__list-item usa-current" aria-current="page">
+          <span>Add a domain manager</span>
+        </li>
+      </ol>
+    </nav>
+  {% endblock breadcrumb %}
   <h1>Add a domain manager</h1>
 
-  <p>You can add another user to help manage your domain. They will need to sign
-  in to the .gov registrar with their Login.gov account.
+  <p>You can add another user to help manage your domain. If they aren't an organization member they will 
+    need to sign in to the .gov registrar with their Login.gov account.
   </p>
 
   <form class="usa-form usa-form--large" method="post" novalidate>

src/registrar/utility/errors.py

@@ -23,6 +23,15 @@ class InvalidDomainError(ValueError):
     pass
 
 
+class OutsideOrgMemberError(ValueError):
+    """
+    Error raised when an org member tries adding a user from a different .gov org.
+    To be deleted when users can be members of multiple orgs.
+    """
+
+    pass
+
+
 class ActionNotAllowed(Exception):
     """User accessed an action that is not
     allowed by the current state"""

src/registrar/views/domain.py

@@ -21,8 +21,10 @@
     DomainRequest,
     DomainInformation,
     DomainInvitation,
+    PortfolioInvitation,
     User,
     UserDomainRole,
+    UserPortfolioPermission,
     PublicContact,
 )
 from registrar.utility.enums import DefaultEmail
@@ -35,9 +37,11 @@
     DsDataErrorCodes,
     SecurityEmailError,
     SecurityEmailErrorCodes,
+    OutsideOrgMemberError,
 )
 from registrar.models.utility.contact_error import ContactError
 from registrar.views.utility.permission_views import UserDomainRolePermissionDeleteView
+from registrar.utility.waffle import flag_is_active_for_user
 
 from ..forms import (
     SeniorOfficialContactForm,
@@ -778,7 +782,18 @@ def _domain_abs_url(self):
         """Get an absolute URL for this domain."""
         return self.request.build_absolute_uri(reverse("domain", kwargs={"pk": self.object.id}))
 
-    def _send_domain_invitation_email(self, email: str, requestor: User, add_success=True):
+    def _is_member_of_different_org(self, email, requestor, requested_user):
+        """Verifies if an email belongs to a different organization as a member or invited member."""
+        # Check if user is a already member of a different organization than the requestor's org
+        requestor_org = UserPortfolioPermission.objects.get(user=requestor).portfolio
+        existing_org_permission = UserPortfolioPermission.objects.filter(user=requested_user).first()
+        existing_org_invitation = PortfolioInvitation.objects.filter(email=email).first()
+
+        return (existing_org_permission and existing_org_permission.portfolio != requestor_org) or (
+            existing_org_invitation and existing_org_invitation.portfolio != requestor_org
+        )
+
+    def _send_domain_invitation_email(self, email: str, requestor: User, requested_user=None, add_success=True):
         """Performs the sending of the domain invitation email,
         does not make a domain information object
         email: string- email to send to
@@ -803,6 +818,17 @@ def _send_domain_invitation_email(self, email: str, requestor: User, add_success
             )
             return None
 
+        # Check is user is a member or invited member of a different org from this domain's org
+        if flag_is_active_for_user(requestor, "organization_feature") and self._is_member_of_different_org(
+            email, requestor, requested_user
+        ):
+            add_success = False
+            messages.error(
+                self.request,
+                "That email is already a member of another .gov organization.",
+            )
+            raise OutsideOrgMemberError
+
         # Check to see if an invite has already been sent
         try:
             invite = DomainInvitation.objects.get(email=email, domain=self.object)
@@ -831,6 +857,8 @@ def _send_domain_invitation_email(self, email: str, requestor: User, add_success
                     "requestor_email": requestor_email,
                 },
             )
+            if add_success:
+                messages.success(self.request, f"{email} has been invited to this domain.")
         except EmailSendingError as exc:
             logger.warn(
                 "Could not sent email invitation to %s for domain %s",
@@ -839,9 +867,6 @@ def _send_domain_invitation_email(self, email: str, requestor: User, add_success
                 exc_info=True,
             )
             raise EmailSendingError("Could not send email invitation.") from exc
-        else:
-            if add_success:
-                messages.success(self.request, f"{email} has been invited to this domain.")
 
     def _make_invitation(self, email_address: str, requestor: User):
         """Make a Domain invitation for this email and redirect with a message."""
@@ -868,32 +893,40 @@ def form_valid(self, form):
         else:
             # if user already exists then just send an email
             try:
-                self._send_domain_invitation_email(requested_email, requestor, add_success=False)
+                self._send_domain_invitation_email(
+                    requested_email, requestor, requested_user=requested_user, add_success=False
+                )
             except EmailSendingError:
                 logger.warn(
                     "Could not send email invitation (EmailSendingError)",
                     self.object,
                     exc_info=True,
                 )
                 messages.warning(self.request, "Could not send email invitation.")
+            except OutsideOrgMemberError:
+                logger.warn(
+                    "Could not send email. Can not invite member of a .gov organization to a different organization.",
+                    self.object,
+                    exc_info=True,
+                )
             except Exception:
                 logger.warn(
                     "Could not send email invitation (Other Exception)",
                     self.object,
                     exc_info=True,
                 )
                 messages.warning(self.request, "Could not send email invitation.")
-
-        try:
-            UserDomainRole.objects.create(
-                user=requested_user,
-                domain=self.object,
-                role=UserDomainRole.Roles.MANAGER,
-            )
-        except IntegrityError:
-            messages.warning(self.request, f"{requested_email} is already a manager for this domain")
-        else:
-            messages.success(self.request, f"Added user {requested_email}.")
+            else:
+                try:
+                    UserDomainRole.objects.create(
+                        user=requested_user,
+                        domain=self.object,
+                        role=UserDomainRole.Roles.MANAGER,
+                    )
+                except IntegrityError:
+                    messages.warning(self.request, f"{requested_email} is already a manager for this domain")
+                else:
+                    messages.success(self.request, f"Added user {requested_email}.")
         return redirect(self.get_success_url())