Merge pull request #2537 from alphagov/split-out-edit-user-role-page-…

…from-user-email-page Add separate page for editing another user's role
alphagov · Nov 22, 2023 · 35a01cf · 35a01cf
2 parents b788dff + 1633d09
commit 35a01cf
Show file tree

Hide file tree

Showing 11 changed files with 391 additions and 60 deletions.
diff --git a/app/controllers/users/roles_controller.rb b/app/controllers/users/roles_controller.rb
@@ -0,0 +1,38 @@
+class Users::RolesController < ApplicationController
+  layout "admin_layout"
+
+  before_action :authenticate_user!
+  before_action :load_user
+  before_action :authorize_user
+  before_action :redirect_to_account_page_if_acting_on_own_user, only: %i[edit]
+
+  def edit; end
+
+  def update
+    updater = UserUpdate.new(@user, user_params, current_user, user_ip_address)
+    if updater.call
+      redirect_to edit_user_path(@user), notice: "Updated user #{@user.email} successfully"
+    else
+      render :edit
+    end
+  end
+
+private
+
+  def load_user
+    @user = User.find(params[:user_id])
+  end
+
+  def authorize_user
+    authorize(@user)
+    authorize(@user, :assign_role?)
+  end
+
+  def user_params
+    params.require(:user).permit(*current_user.permitted_params.intersection([:role]))
+  end
+
+  def redirect_to_account_page_if_acting_on_own_user
+    redirect_to edit_account_role_path if current_user == @user
+  end
+end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -112,7 +112,7 @@ def user_params
   end
 
   def permitted_user_params
-    @permitted_user_params ||= params.require(:user).permit(:user, :email, :organisation_id, :require_2sv, :role, :skip_update_user_permissions, supported_permission_ids: []).to_h
+    @permitted_user_params ||= params.require(:user).permit(:user, :organisation_id, :require_2sv, :skip_update_user_permissions, supported_permission_ids: []).to_h
   end
 
   def filter_params

diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
@@ -92,4 +92,16 @@ def formatted_permission_name(application_name, permission_name)
       permission_name
     end
   end
+
+  def user_role_select_hint
+    render "govuk_publishing_components/components/list", {
+      visible_counters: true,
+      items: [
+        "<strong>Superadmins</strong> can create and edit all user types and edit applications.",
+        "<strong>Admins</strong> can create and edit normal users.",
+        "<strong>Super Organisation Admins</strong> can unlock and unsuspend their organisation and related organisation accounts.",
+        "<strong>Organisation Admins</strong> can unlock and unsuspend their organisation accounts.",
+      ],
+    }
+  end
 end
diff --git a/app/views/devise/invitations/new.html.erb b/app/views/devise/invitations/new.html.erb
@@ -60,23 +60,11 @@
       } %>
 
       <% if policy(User).assign_role? %>
-        <% role_hint = capture do %>
-          <%= render "govuk_publishing_components/components/list", {
-            visible_counters: true,
-            items: [
-              "<strong>Superadmins</strong> can create and edit all user types and edit applications.",
-              "<strong>Admins</strong> can create and edit normal users.",
-              "<strong>Super Organisation Admins</strong> can unlock and unsuspend their organisation and related organisation accounts.",
-              "<strong>Organisation Admins</strong> can unlock and unsuspend their organisation accounts.",
-            ]
-          } %>
-        <% end %>
-
         <%= render "govuk_publishing_components/components/select", {
           id: "user_role",
           name: "user[role]",
           label: "Role",
-          hint: role_hint,
+          hint: user_role_select_hint,
           options: options_for_role_select(selected: f.object.role),
         } %>
       <% end %>

diff --git a/app/views/users/_form_fields.html.erb b/app/views/users/_form_fields.html.erb
@@ -12,22 +12,14 @@
   <% end %>
 </p>
 
-<% if policy(User).assign_role? %>
-  <% if @user.exempt_from_2sv? %>
-    <p>This user's role is set to <%= @user.role %>. They are currently exempted from 2-step verification, meaning that their role cannot be changed as admins are required to have 2-step verification.</p>
-  <% else %>
-    <p class="form-group">
-      <%= f.label :role %><br />
-      <%= f.select :role, options_for_select(assignable_user_roles.map(&:humanize).zip(assignable_user_roles), f.object.role), {}, class: "chosen-select form-control", 'data-module' => 'chosen' %>
-      <span class="help-block">
-        <strong>Superadmins</strong> can create and edit all user types and edit applications.<br />
-        <strong>Admins</strong> can create and edit normal users.<br />
-        <strong>Super Organisation Admins</strong> can unlock and unsuspend their organisation and related organisation accounts.<br />
-        <strong>Organisation Admins</strong> can unlock and unsuspend their organisation accounts.
-      </span>
-    </p>
+<p>
+  <strong>Role:</strong> <%= @user.role.humanize %>
+  <% if policy(User).assign_role? %>
+    <%= link_to edit_user_role_path(@user) do %>
+      Change<span class="invisible"> role</span>
+    <% end %>
   <% end %>
-<% end %>
+</p>
 
 <% if policy(@user).mandate_2sv? %>
   <dl>

diff --git a/app/views/users/roles/edit.html.erb b/app/views/users/roles/edit.html.erb
@@ -0,0 +1,66 @@
+<% content_for :title_caption, "Manage other users" %>
+<% content_for :title, "Change role for #{@user.name}" %>
+
+<% content_for :breadcrumbs,
+   render("govuk_publishing_components/components/breadcrumbs", {
+     collapse_on_mobile: true,
+     breadcrumbs: [
+       {
+         title: "Dashboard",
+         url: root_path,
+       },
+       {
+         title: "Users",
+         url: users_path,
+       },
+       {
+         title: @user.name,
+         url: edit_user_path(@user),
+       },
+       {
+         title: "Change role",
+       }
+     ]
+   })
+%>
+
+<% if @user.errors.count > 0 %>
+  <% content_for :error_summary do %>
+    <%= render "govuk_publishing_components/components/error_summary", {
+      title: "There is a problem",
+      items: @user.errors.map do |error|
+        {
+          text: error.full_message,
+          href: "#user_#{error.attribute}",
+        }
+      end,
+    } %>
+  <% end %>
+<% end %>
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds">
+    <%= form_for @user, url: user_role_path(@user) do %>
+      <% if @user.exempt_from_2sv? %>
+        <%= render "govuk_publishing_components/components/inset_text", {
+          text: "This user's role is set to #{@user.role.humanize}. They are currently exempted from 2-step verification, meaning that their role cannot be changed as admins are required to have 2-step verification.",
+        } %>
+      <% else %>
+        <%= render "govuk_publishing_components/components/select", {
+          id: "user_role",
+          name: "user[role]",
+          label: "Role",
+          hint: user_role_select_hint,
+          options: current_user.manageable_roles.map { |role| { text: role.humanize, value: role, selected: @user.role == role } },
+          error_message: @user.errors[:role].any? ? @user.errors.full_messages_for(:role).to_sentence : nil
+        } %>
+        <div class="govuk-button-group">
+          <%= render "govuk_publishing_components/components/button", {
+            text: "Change role",
+          } %>
+          <%= link_to "Cancel", edit_user_path(@user), class: "govuk-link govuk-link--no-visited-state" %>
+        </div>
+      <% end %>
+    <% end %>
+  </div>
+</div>
diff --git a/config/routes.rb b/config/routes.rb
@@ -48,6 +48,7 @@
       put :resend_email_change
       delete :cancel_email_change
     end
+    resource :role, only: %i[edit update], controller: "users/roles"
   end
   get "user", to: "oauth_users#show"