Add Django admin form to allow Helpdesk to update UEI/EIN

[LynnMHouston]

Summary

This adds a Django admin form so Helpdesk (or superusers) can update the UEI/EIN on a SingleAuditChecklist when needed.

• The form shows current UEI/EIN values and lets you edit them.
• It’s only added to the SingleAuditChecklist admin view and doesn’t affect any other models.
• It overrides save_model() so the changes get tagged as an admin-override and logged in both SubmissionEvent and History.

This change is scoped to this one override feature only.

You should see a SubmissionEvent and History record if the change is saved properly.

---

Why We Need It

We’re currently sitting on a number of potential UEI/EIN corrections that go beyond the existing manual process. This allows Helpdesk to resolve those directly, without needing to escalate to Engineering. It’s only exposed to Helpdesk and superusers, and it logs an audit trail for transparency.

PR Checklist: Submitter

• Link to an issue if possible. If there’s no issue, describe what your branch does. Even if there is an issue, a brief description in the PR is still useful.
• List any special steps reviewers have to follow to test the PR. For example, adding a local environment variable, creating a local test file, etc.
• For extra credit, submit a screen recording like this one.
• Make sure you’ve merged main into your branch shortly before creating the PR. (You should also be merging main into your branch regularly during development.)
• Make sure you’ve accounted for any migrations. When you’re about to create the PR, bring up the application locally and then run git status | grep migrations. If there are any results, you probably need to add them to the branch for the PR. Your PR should have only one new migration file for each of the component apps, except in rare circumstances; you may need to delete some and re-run python manage.py makemigrations to reduce the number to one. (Also, unless in exceptional circumstances, your PR should not delete any migration files.)
• Make sure that whatever feature you’re adding has tests that cover the feature. This includes test coverage to make sure that the previous workflow still works, if applicable.
• Make sure the full-submission.cy.js Cypress test passes, if applicable.
• Do manual testing locally. Our tests are not good enough yet to allow us to skip this step. If that’s not applicable for some reason, check this box.
• Verify that no Git surgery was necessary, or, if it was necessary at any point, repeat the testing after it’s finished.
• Once a PR is merged, keep an eye on it until it’s deployed to dev, and do enough testing on dev to verify that it deployed successfully, the feature works as expected, and the happy path for the broad feature area (such as submission) still works.
• Ensure that prior to merging, the working branch is up to date with main and the terraform plan is what you expect.

PR Checklist: Reviewer

• Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
• Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
• Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
• Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

Pre Merge Checklist: Merger

• Ensure that prior to approving, the terraform plan is what we expect it to be. -/+ resource "null_resource" "cors_header" should be destroying and recreating its self and ~ resource "cloudfoundry_app" "clamav_api" might be updating its sha256 for the fac-file-scanner and fac-av-${ENV} by default.
• Ensure that the branch is up to date with main.
• Ensure that a terraform plan has been recently generated for the pull request.

[github-actions]

Terraform plan for meta

No changes. Your infrastructure matches the configuration.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in Pull Request Checks #169

[github-actions]

Terraform plan for dev

Plan: 6 to add, 10 to change, 6 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # module.dev.cloudfoundry_network_policy.app-network-policy will be updated in-place
!~  resource "cloudfoundry_network_policy" "app-network-policy" {
!~      policies = [
!~          {
!~              destination_app = "830bfc16-6865-4644-a3f3-5a1a69d6ec5f" -> (known after apply)
#                (3 unchanged attributes hidden)
            },
!~          {
!~              destination_app = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> (known after apply)
#                (3 unchanged attributes hidden)
            },
!~          {
!~              destination_app = "830bfc16-6865-4644-a3f3-5a1a69d6ec5f" -> (known after apply)
#                (3 unchanged attributes hidden)
            },
        ]
    }

  # module.dev.cloudfoundry_network_policy.clamav-network-policy will be updated in-place
!~  resource "cloudfoundry_network_policy" "clamav-network-policy" {
!~      policies = [
!~          {
!~              destination_app = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> (known after apply)
!~              source_app      = "830bfc16-6865-4644-a3f3-5a1a69d6ec5f" -> (known after apply)
#                (2 unchanged attributes hidden)
            },
!~          {
!~              destination_app = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> (known after apply)
!~              source_app      = "d9fa2027-96c9-4f98-bdb8-13809c6f569a" -> (known after apply)
#                (2 unchanged attributes hidden)
            },
        ]
    }

  # module.dev.cloudfoundry_network_policy.logshipper-network-policy will be updated in-place
!~  resource "cloudfoundry_network_policy" "logshipper-network-policy" {
!~      policies = [
!~          {
!~              destination_app = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> (known after apply)
!~              source_app      = "92483ac7-d368-43b0-b429-0170e3e2b2c2" -> (known after apply)
#                (2 unchanged attributes hidden)
            },
        ]
    }

  # module.dev.cloudfoundry_network_policy.scanner-network-policy will be updated in-place
!~  resource "cloudfoundry_network_policy" "scanner-network-policy" {
!~      policies = [
!~          {
!~              destination_app = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> (known after apply)
!~              source_app      = "a0669f56-c5a5-4c35-85bf-5b6201478ad5" -> (known after apply)
#                (2 unchanged attributes hidden)
            },
!~          {
!~              destination_app = "d9fa2027-96c9-4f98-bdb8-13809c6f569a" -> (known after apply)
!~              source_app      = "a0669f56-c5a5-4c35-85bf-5b6201478ad5" -> (known after apply)
#                (2 unchanged attributes hidden)
            },
        ]
    }

  # module.dev.module.cg-logshipper.cloudfoundry_app.logshipper_app will be updated in-place
!~  resource "cloudfoundry_app" "logshipper_app" {
!~      created_at                  = "2025-04-21T18:47:16Z" -> (known after apply)
!~      enable_ssh                  = false -> (known after apply)
!~      id                          = "************************************" -> (known after apply)
!~      log_rate_limit_per_second   = "-1" -> (known after apply)
        name                        = "logshipper"
!~      readiness_health_check_type = "process" -> (known after apply)
!~      routes                      = [
-           {
-               protocol = "http1" -> null
-               route    = "fac-dev-logshipper.app.cloud.gov" -> null
            },
        ] -> (known after apply)
!~      source_code_hash            = "adb965edbd40cfe6e31aa5a6d9dc2a1ab27fc8954f787fefebb9fac9e2f1c9e2" -> "f95cf383ea3d0b14111c608a076adfd3a338a57cdbc7b830b16d2f6155529715"
!~      stack                       = "cflinuxfs4" -> (known after apply)
!~      updated_at                  = "2025-08-22T19:05:14Z" -> (known after apply)
#        (12 unchanged attributes hidden)
    }

  # module.dev.module.cg-logshipper.cloudfoundry_route.logshipper_route will be updated in-place
!~  resource "cloudfoundry_route" "logshipper_route" {
!~      destinations = [
-           {
-               app_id           = "92483ac7-d368-43b0-b429-0170e3e2b2c2" -> null
-               app_process_type = "web" -> null
-               id               = "cb430c0b-be04-428f-b94f-0af6d42d100b" -> null
-               port             = 8080 -> null
-               protocol         = "http1" -> null
            },
+           {
+               app_id           = (known after apply)
+               app_process_type = (known after apply)
+               id               = (known after apply)
+               port             = (known after apply)
+               protocol         = (known after apply)
            },
        ]
        id           = "3aec8f3f-c16b-4528-bc10-021921a7c5c6"
!~      updated_at   = "2025-04-21T18:49:17Z" -> (known after apply)
#        (6 unchanged attributes hidden)
    }

  # module.dev.module.clamav.cloudfoundry_app.clamav_api must be replaced
-/+ resource "cloudfoundry_app" "clamav_api" {
+       buildpacks                      = (known after apply)
!~      created_at                      = "2025-08-12T17:37:02Z" -> (known after apply)
!~      docker_image                    = "ghcr.io/gsa-tts/fac/clamav@sha256:f0b490065d736a7c4151744e04683760418fe7a43ba9e14102b162305d94966a" -> "ghcr.io/gsa-tts/fac/clamav@sha256:3c7acdf614fba2604a5aaf4a015c803a02a6bb79cd68f1636577557a0a9384bf"
!~      enable_ssh                      = false -> (known after apply)
!~      health_check_type               = "port" -> (known after apply)
!~      id                              = "************************************" -> (known after apply)
!~      log_rate_limit_per_second       = "-1" -> (known after apply)
        name                            = "fac-av-dev"
!~      readiness_health_check_type     = "process" -> (known after apply)
!~      routes                          = [
-           {
-               protocol = "http1" -> null
-               route    = "fac-av-dev.apps.internal" -> null
            },
        ] -> (known after apply)
+       service_bindings                = (known after apply) # forces replacement
!~      stack                           = null -> (known after apply)
!~      updated_at                      = "2025-08-12T17:37:09Z" -> (known after apply)
#        (8 unchanged attributes hidden)
    }

  # module.dev.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2025-08-22T18:58:30Z" -> (known after apply)
        }
    }

  # module.dev.module.fac-file-scanner.data.cloudfoundry_domain.internal will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "cloudfoundry_domain" "internal" {
+       annotations         = (known after apply)
+       created_at          = (known after apply)
+       id                  = (known after apply)
+       internal            = (known after apply)
+       labels              = (known after apply)
+       name                = "apps.internal"
+       org                 = (known after apply)
+       router_group        = (known after apply)
+       shared_orgs         = (known after apply)
+       supported_protocols = (known after apply)
+       updated_at          = (known after apply)
    }

  # module.dev.module.fac-file-scanner.data.external.scannerzip will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "external" "scannerzip" {
+       id          = (known after apply)
+       program     = [
+           "/bin/sh",
+           "prepare-scanner.sh",
        ]
+       query       = {
+           "gitref" = "refs/heads/main"
        }
+       result      = (known after apply)
+       working_dir = "../shared/modules/scanner"
    }

  # module.dev.module.fac-file-scanner.cloudfoundry_app.scanner_app will be updated in-place
!~  resource "cloudfoundry_app" "scanner_app" {
!~      created_at                  = "2025-04-21T18:53:54Z" -> (known after apply)
!~      enable_ssh                  = false -> (known after apply)
!~      id                          = "************************************" -> (known after apply)
!~      log_rate_limit_per_second   = "-1" -> (known after apply)
        name                        = "fac-file-scanner"
!~      path                        = "../shared/modules/scanner/scanner.zip" -> (known after apply)
!~      readiness_health_check_type = "process" -> (known after apply)
!~      routes                      = [
-           {
-               protocol = "http1" -> null
-               route    = "fac-file-scanner-dev.apps.internal" -> null
            },
        ] -> (known after apply)
!~      source_code_hash            = "ded718cecee8f31a86dc4d7ec55a1f7d04e168bad29fd3aaa337fda8ce3c575d" -> (known after apply)
!~      stack                       = "cflinuxfs4" -> (known after apply)
!~      updated_at                  = "2025-08-12T17:39:09Z" -> (known after apply)
#        (11 unchanged attributes hidden)
    }

  # module.dev.module.fac-file-scanner.cloudfoundry_route.scanner_route must be replaced
-/+ resource "cloudfoundry_route" "scanner_route" {
!~      created_at   = "2025-08-22T18:59:03Z" -> (known after apply)
!~      destinations = [
-           {
-               app_id           = "a0669f56-c5a5-4c35-85bf-5b6201478ad5" -> null
-               app_process_type = "web" -> null
-               id               = "8113b713-dba0-4ad6-aa15-1d3cfb354d37" -> null
-               port             = 8080 -> null
-               protocol         = "http1" -> null
            },
+           {
+               app_id           = (known after apply)
+               app_process_type = (known after apply)
+               id               = (known after apply)
+               port             = (known after apply)
+               protocol         = (known after apply)
            },
        ]
!~      domain       = "26df58ef-0c0d-4997-b68b-8defb7b3998b" -> (known after apply) # forces replacement
!~      id           = "************************************" -> (known after apply)
!~      protocol     = "http" -> (known after apply)
!~      updated_at   = "2025-08-22T18:59:03Z" -> (known after apply)
!~      url          = "fac-file-scanner-dev.apps.internal" -> (known after apply)
#        (2 unchanged attributes hidden)
    }

  # module.dev.module.file_scanner_clamav.cloudfoundry_app.clamav_api must be replaced
-/+ resource "cloudfoundry_app" "clamav_api" {
+       buildpacks                      = (known after apply)
!~      created_at                      = "2025-08-12T17:39:11Z" -> (known after apply)
!~      docker_image                    = "ghcr.io/gsa-tts/fac/clamav@sha256:f0b490065d736a7c4151744e04683760418fe7a43ba9e14102b162305d94966a" -> "ghcr.io/gsa-tts/fac/clamav@sha256:3c7acdf614fba2604a5aaf4a015c803a02a6bb79cd68f1636577557a0a9384bf"
!~      enable_ssh                      = false -> (known after apply)
!~      health_check_type               = "port" -> (known after apply)
!~      id                              = "************************************" -> (known after apply)
!~      log_rate_limit_per_second       = "-1" -> (known after apply)
        name                            = "fac-av-dev-fs"
!~      readiness_health_check_type     = "process" -> (known after apply)
!~      routes                          = [
-           {
-               protocol = "http1" -> null
-               route    = "fac-av-dev-fs.apps.internal" -> null
            },
        ] -> (known after apply)
+       service_bindings                = (known after apply) # forces replacement
!~      stack                           = null -> (known after apply)
!~      updated_at                      = "2025-08-12T17:39:17Z" -> (known after apply)
#        (8 unchanged attributes hidden)
    }

  # module.dev.module.https-proxy.cloudfoundry_app.egress_app must be replaced
-/+ resource "cloudfoundry_app" "egress_app" {
!~      created_at                  = "2025-08-22T18:58:42Z" -> (known after apply)
!~      disk_quota                  = "2048M" -> (known after apply)
!~      enable_ssh                  = false -> (known after apply)
!~      health_check_type           = "port" -> (known after apply)
!~      id                          = "************************************" -> (known after apply)
!~      log_rate_limit_per_second   = "-1" -> (known after apply)
        name                        = "https-proxy"
!~      readiness_health_check_type = "process" -> (known after apply)
!~      routes                      = [
-           {
-               protocol = "http1" -> null
-               route    = "gsa-tts-oros-fac-dev-egress-https-proxy.apps.internal" -> null
            },
        ] -> (known after apply)
+       service_bindings            = (known after apply) # forces replacement
!~      source_code_hash            = "9f9625544eba6b73c600173bd2a2a380d2f756ad82014fe70f55454c2b14a1c0" -> "2b6290297493a04793de94e6e62ba1483b63db68ccf1bc704507d06c6403c64e"
!~      stack                       = "cflinuxfs4" -> (known after apply)
!~      updated_at                  = "2025-08-22T19:05:06Z" -> (known after apply)
#        (9 unchanged attributes hidden)
    }

  # module.dev.module.https-proxy.cloudfoundry_route.egress_route will be updated in-place
!~  resource "cloudfoundry_route" "egress_route" {
!~      destinations = [
-           {
-               app_id           = "8a7aac9b-d5ba-4321-a947-adfa18a42bfa" -> null
-               app_process_type = "web" -> null
-               id               = "8cbf00c3-bd49-4418-add5-e87b40a18577" -> null
-               port             = 8080 -> null
-               protocol         = "http1" -> null
            },
+           {
+               app_id           = (known after apply)
+               app_process_type = (known after apply)
+               id               = (known after apply)
+               port             = (known after apply)
+               protocol         = (known after apply)
            },
        ]
        id           = "13dc80b5-4d3b-4181-b7c1-b6dc8d5a0e65"
!~      updated_at   = "2025-08-22T18:59:02Z" -> (known after apply)
#        (6 unchanged attributes hidden)
    }

  # module.dev.module.clamav.module.route.cloudfoundry_route.app_route will be updated in-place
!~  resource "cloudfoundry_route" "app_route" {
!~      destinations = [
-           {
-               app_id           = "830bfc16-6865-4644-a3f3-5a1a69d6ec5f" -> null
-               app_process_type = "web" -> null
-               id               = "e72b846c-1652-4ba8-ab3e-03ed29621a63" -> null
-               port             = 8080 -> null
-               protocol         = "http1" -> null
            },
+           {
+               app_id           = (known after apply)
+               app_process_type = (known after apply)
+               id               = (known after apply)
+               port             = (known after apply)
+               protocol         = (known after apply)
            },
        ]
        id           = "877bbc1f-e036-4a96-b7a3-70cff8c35c3c"
!~      updated_at   = "2025-08-12T17:37:10Z" -> (known after apply)
#        (6 unchanged attributes hidden)
    }

  # module.dev.module.fac-file-scanner.module.quarantine.data.cloudfoundry_service_plans.s3 will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "cloudfoundry_service_plans" "s3" {
+       name                  = "basic"
+       service_offering_name = "s3"
+       service_plans         = (known after apply)
    }

  # module.dev.module.fac-file-scanner.module.quarantine.cloudfoundry_service_instance.bucket will be updated in-place
!~  resource "cloudfoundry_service_instance" "bucket" {
+       dashboard_url     = (known after apply)
        id                = "c435cb9c-32a7-4a31-828b-48c8c6f3bf37"
!~      last_operation    = {
!~          created_at  = "2025-03-14T14:22:42Z" -> (known after apply)
+           description = (known after apply)
!~          state       = "succeeded" -> (known after apply)
!~          type        = "update" -> (known after apply)
!~          updated_at  = "2025-03-14T14:22:42Z" -> (known after apply)
        } -> (known after apply)
!~      maintenance_info  = {
+           description = (known after apply)
+           version     = (known after apply)
        } -> (known after apply)
        name              = "fac-file-scanner-quarantine"
!~      service_plan      = "021bb2a3-7e11-4fc2-b06b-d9f5938cd806" -> (known after apply)
        tags              = [
            "s3",
            "terraform-cloudgov-managed",
        ]
!~      updated_at        = "2025-03-14T14:22:42Z" -> (known after apply)
!~      upgrade_available = false -> (known after apply)
#        (3 unchanged attributes hidden)
    }

  # module.dev.module.file_scanner_clamav.module.route.data.cloudfoundry_domain.domain will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "cloudfoundry_domain" "domain" {
+       annotations         = (known after apply)
+       created_at          = (known after apply)
+       id                  = (known after apply)
+       internal            = (known after apply)
+       labels              = (known after apply)
+       name                = "apps.internal"
+       org                 = (known after apply)
+       router_group        = (known after apply)
+       shared_orgs         = (known after apply)
+       supported_protocols = (known after apply)
+       updated_at          = (known after apply)
    }

  # module.dev.module.file_scanner_clamav.module.route.data.cloudfoundry_org.org will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "cloudfoundry_org" "org" {
+       annotations = (known after apply)
+       created_at  = (known after apply)
+       id          = (known after apply)
+       labels      = (known after apply)
+       name        = "gsa-tts-oros-fac"
+       quota       = (known after apply)
+       suspended   = (known after apply)
+       updated_at  = (known after apply)
    }

  # module.dev.module.file_scanner_clamav.module.route.data.cloudfoundry_space.space will be read during apply
  # (config refers to values not yet known)
 <= data "cloudfoundry_space" "space" {
+       allow_ssh         = (known after apply)
+       annotations       = (known after apply)
+       created_at        = (known after apply)
+       id                = (known after apply)
+       isolation_segment = (known after apply)
+       labels            = (known after apply)
+       name              = "dev"
+       org               = (known after apply)
+       quota             = (known after apply)
+       updated_at        = (known after apply)
    }

  # module.dev.module.file_scanner_clamav.module.route.cloudfoundry_route.app_route must be replaced
-/+ resource "cloudfoundry_route" "app_route" {
!~      created_at   = "2025-08-22T18:59:03Z" -> (known after apply)
!~      destinations = [
-           {
-               app_id           = "d9fa2027-96c9-4f98-bdb8-13809c6f569a" -> null
-               app_process_type = "web" -> null
-               id               = "ca09f24f-42c2-4f01-b2ce-d9dcec58286d" -> null
-               port             = 8080 -> null
-               protocol         = "http1" -> null
            },
+           {
+               app_id           = (known after apply)
+               app_process_type = (known after apply)
+               id               = (known after apply)
+               port             = (known after apply)
+               protocol         = (known after apply)
            },
        ]
!~      domain       = "26df58ef-0c0d-4997-b68b-8defb7b3998b" -> (known after apply) # forces replacement
!~      id           = "************************************" -> (known after apply)
!~      protocol     = "http" -> (known after apply)
!~      space        = "06525ba3-19c2-451b-96e9-ea4a9134e8b9" -> (known after apply) # forces replacement
!~      updated_at   = "2025-08-22T18:59:03Z" -> (known after apply)
!~      url          = "fac-av-dev-fs.apps.internal" -> (known after apply)
#        (1 unchanged attribute hidden)
    }

Plan: 6 to add, 10 to change, 6 to destroy.

📝 Plan generated in Pull Request Checks #169

[github-actions]

Package	Line Rate	Branch Rate	Health
.	100%	100%	✔
api	98%	86%	✔
api.serializers	97%	88%	✔
api.views	91%	100%	➖
audit	95%	80%	✔
audit.cross_validation	97%	86%	✔
audit.fixtures	84%	50%	❌
audit.formlib	36%	0%	❌
audit.intakelib	89%	83%	➖
audit.intakelib.checks	92%	85%	➖
audit.intakelib.common	98%	82%	✔
audit.intakelib.transforms	100%	95%	✔
audit.management.commands	78%	17%	❌
audit.migrations	100%	100%	✔
audit.models	91%	68%	➖
audit.templatetags	100%	100%	✔
audit.views	72%	49%	❌
census_historical_migration	96%	65%	✔
census_historical_migration.migrations	100%	100%	✔
census_historical_migration.sac_general_lib	92%	84%	➖
census_historical_migration.transforms	95%	90%	✔
census_historical_migration.workbooklib	68%	69%	❌
config	78%	37%	❌
curation	98%	100%	✔
curation.curationlib	88%	72%	➖
curation.migrations	100%	100%	✔
dissemination	89%	69%	➖
dissemination.analytics	27%	0%	❌
dissemination.forms	80%	30%	❌
dissemination.migrations	97%	25%	✔
dissemination.models	100%	100%	✔
dissemination.report_generation	21%	0%	❌
dissemination.report_generation.excel	32%	0%	❌
dissemination.searchlib	61%	44%	❌
dissemination.templatetags	48%	0%	❌
dissemination.views	67%	44%	❌
djangooidc	53%	38%	❌
djangooidc.tests	100%	94%	✔
report_submission	100%	96%	✔
report_submission.migrations	100%	100%	✔
report_submission.templatetags	74%	100%	❌
report_submission.views	78%	61%	❌
support	94%	75%	➖
support.migrations	100%	100%	✔
support.models	90%	50%	➖
tools	98%	50%	✔
users	95%	86%	✔
users.fixtures	100%	83%	✔
users.management	100%	100%	✔
users.management.commands	100%	100%	✔
users.migrations	100%	100%	✔
Summary	88% (21784 / 24674)	69% (2662 / 3882)	➖