GRN2-176: Create a role editor that allows admins to specify what permissions each role has (#709)

* Add roles editor

* Add colour selection ability to roles

* Add ability to assign roles to users in the UI

* Remove rolify and replace it with our own custom roles implemenation

* - Fix all existing roles functionality
- Fix super admins

* Fix bugs with new customers not have default roles

* Add can't create room setting

* Code improvements

* Fix migration

* Add tests for new methods

* Translate reserved role names

* Pull roles from saml/ldap

* Fix rspec

* Fix scrutinizer issues

* Fix email promoted/demoted tests

* Apply comments

* Redirect directly to the main room

* Add comments

app/controllers/admins_controller.rb

@@ -36,7 +36,8 @@ class AdminsController < ApplicationController
     @search = params[:search] || ""
     @order_column = params[:column] && params[:direction] != "none" ? params[:column] : "created_at"
     @order_direction = params[:direction] && params[:direction] != "none" ? params[:direction] : "DESC"
-    @role = params[:role] || ""
+
+    @role = params[:role] ? Role.find_by(name: params[:role], provider: @user_domain) : nil
 
     @pagy, @users = pagy(user_list)
   end
@@ -64,24 +65,6 @@ class AdminsController < ApplicationController
   def edit_user
   end
 
-  # POST /admins/promote/:user_uid
-  def promote
-    @user.add_role :admin
-
-    send_user_promoted_email(@user)
-
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.promoted") }
-  end
-
-  # POST /admins/demote/:user_uid
-  def demote
-    @user.remove_role :admin
-
-    send_user_demoted_email(@user)
-
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.demoted") }
-  end
-
   # POST /admins/ban/:user_uid
   def ban_user
     @user.roles = []
@@ -185,6 +168,158 @@ class AdminsController < ApplicationController
     }
   end
 
+  # ROLES
+
+  # GET /admins/roles
+  def roles
+    @roles = Role.editable_roles(@user_domain)
+
+    if @roles.count.zero?
+      Role.create_default_roles(@user_domain)
+      @roles = Role.editable_roles(@user_domain)
+    end
+
+    @selected_role = if params[:selected_role].nil?
+                        @roles.find_by(name: 'user')
+                      else
+                        @roles.find(params[:selected_role])
+                     end
+  end
+
+  # POST /admin/role
+  # This method creates a new role scope to the users provider
+  def new_role
+    new_role_name = params[:role][:name]
+
+    # Make sure that the role name isn't a duplicate or a reserved name like super_admin
+    if Role.duplicate_name(new_role_name, @user_domain)
+      flash[:alert] = I18n.t("administrator.roles.duplicate_name")
+
+      return redirect_to admin_roles_path
+    end
+
+    # Make sure the role name isn't empty
+    if new_role_name.strip.empty?
+      flash[:alert] = I18n.t("administrator.roles.empty_name")
+
+      return redirect_to admin_roles_path
+    end
+
+    # Create the new role with the second highest priority
+    # This means that it will only be more important than the user role
+    # This also updates the user role to have the highest priority
+    new_role = Role.create(name: new_role_name, provider: @user_domain)
+    user_role = Role.find_by(name: 'user', provider: @user_domain)
+
+    new_role.priority = user_role.priority
+    user_role.priority += 1
+
+    new_role.save!
+    user_role.save!
+
+    redirect_to admin_roles_path(selected_role: new_role.id)
+  end
+
+  # PATCH /admin/roles/order
+  # This updates the priority of a site's roles
+  # Note: A lower priority role will always get used before a higher priority one
+  def change_role_order
+    user_role = Role.find_by(name: "user", provider: @user_domain)
+    admin_role = Role.find_by(name: "admin", provider: @user_domain)
+
+    current_user_role = current_user.highest_priority_role
+
+    # Users aren't allowed to update the priority of the admin or user roles
+    if params[:role].include?(user_role.id.to_s) || params[:role].include?(admin_role.id.to_s)
+      flash[:alert] = I18n.t("administrator.roles.invalid_order")
+
+      return redirect_to admin_roles_path
+    end
+
+    # Restrict users to only updating the priority for roles in their domain with a higher
+    # priority
+    params[:role].each do |id|
+      role = Role.find(id)
+      if role.priority <= current_user_role.priority || role.provider != @user_domain
+        flash[:alert] = I18n.t("administrator.roles.invalid_update")
+        return redirect_to admin_roles_path
+      end
+    end
+
+    # Update the roles priority including the user role
+    top_priority = 0
+
+    params[:role].each_with_index do |id, index|
+      new_priority = index + [current_user_role.priority, 0].max + 1
+      top_priority = new_priority
+      Role.where(id: id).update_all(priority: new_priority)
+    end
+
+    user_role.priority = top_priority + 1
+    user_role.save!
+  end
+
+  # POST /admin/role/:role_id
+  # This method updates the permissions assigned to a role
+  def update_role
+    role = Role.find(params[:role_id])
+    current_user_role = current_user.highest_priority_role
+
+    # Checks that it is valid for the provider to update the role
+    if role.priority <= current_user_role.priority || role.provider != @user_domain
+      flash[:alert] = I18n.t("administrator.roles.invalid_update")
+      return redirect_to admin_roles_path(selected_role: role.id)
+    end
+
+    role_params = params.require(:role).permit(:name)
+    permission_params = params.require(:role)
+                              .permit(
+                                :can_create_rooms,
+                                :send_promoted_email,
+                                :send_demoted_email,
+                                :can_edit_site_settings,
+                                :can_edit_roles,
+                                :can_manage_users,
+                                :colour
+                              )
+
+    # Make sure if the user is updating the role name that the role name is valid
+    if role.name != role_params[:name] && !Role.duplicate_name(role_params[:name], @user_domain) &&
+       !role_params[:name].strip.empty?
+      role.name = role_params[:name]
+    elsif role.name != role_params[:name]
+      flash[:alert] = I18n.t("administrator.roles.duplicate_name")
+
+      return redirect_to admin_roles_path(selected_role: role.id)
+    end
+
+    role.update(permission_params)
+
+    role.save!
+
+    redirect_to admin_roles_path(selected_role: role.id)
+  end
+
+  # DELETE admins/role/:role_id
+  # This deletes a role
+  def delete_role
+    role = Role.find(params[:role_id])
+
+    # Make sure no users are assigned to the role and the role isn't a reserved role
+    # before deleting
+    if role.users.count.positive?
+      flash[:alert] = I18n.t("administrator.roles.role_has_users", user_count: role.users.count)
+      return redirect_to admin_roles_path(selected_role: role.id)
+    elsif Role::RESERVED_ROLE_NAMES.include?(role) || role.provider != @user_domain ||
+          role.priority <= current_user.highest_priority_role.priority
+      return redirect_to admin_roles_path(selected_role: role.id)
+    else
+      role.delete
+    end
+
+    redirect_to admin_roles_path
+  end
+
   private
 
   def find_user
@@ -202,10 +337,10 @@ class AdminsController < ApplicationController
 
   # Gets the list of users based on your configuration
   def user_list
-    initial_list = if current_user.has_cached_role? :super_admin
-      User.where.not(id: current_user.id).includes(:roles)
+    initial_list = if current_user.has_role? :super_admin
+      User.where.not(id: current_user.id)
     else
-      User.without_role(:super_admin).where.not(id: current_user.id).includes(:roles)
+      User.without_role(:super_admin).where.not(id: current_user.id)
     end
 
     if Rails.configuration.loadbalanced_configuration

app/controllers/application_controller.rb

@@ -137,7 +137,7 @@ class ApplicationController < ActionController::Base
 
   # Checks to make sure that the admin has changed his password from the default
   def check_admin_password
-    if current_user&.has_cached_role?(:admin) && current_user&.greenlight_account? &&
+    if current_user&.has_role?(:admin) && current_user&.greenlight_account? &&
        current_user&.authenticate(Rails.configuration.admin_password_default)
 
       flash.now[:alert] = I18n.t("default_admin",
@@ -185,10 +185,10 @@ class ApplicationController < ActionController::Base
 
   # Checks if the user is banned and logs him out if he is
   def check_user_role
-    if current_user&.has_cached_role? :denied
+    if current_user&.has_role? :denied
       session.delete(:user_id)
       redirect_to root_path, flash: { alert: I18n.t("registration.banned.fail") }
-    elsif current_user&.has_cached_role? :pending
+    elsif current_user&.has_role? :pending
       session.delete(:user_id)
       redirect_to root_path, flash: { alert: I18n.t("registration.approval.fail") }
     end

app/controllers/concerns/emailer.rb

@@ -35,16 +35,16 @@ module Emailer
     UserMailer.password_reset(@user, reset_link, logo_image, user_color).deliver_now
   end
 
-  def send_user_promoted_email(user)
+  def send_user_promoted_email(user, role)
     return unless Rails.configuration.enable_email_verification
 
-    UserMailer.user_promoted(user, root_url, logo_image, user_color).deliver_now
+    UserMailer.user_promoted(user, role, root_url, logo_image, user_color).deliver_now
   end
 
-  def send_user_demoted_email(user)
+  def send_user_demoted_email(user, role)
     return unless Rails.configuration.enable_email_verification
 
-    UserMailer.user_demoted(user, root_url, logo_image, user_color).deliver_now
+    UserMailer.user_demoted(user, role, root_url, logo_image, user_color).deliver_now
   end
 
   # Sends inivitation to join
@@ -87,7 +87,7 @@ module Emailer
   end
 
   def admin_emails
-    admins = User.with_role(:admin)
+    admins = User.all_users_with_roles.where(roles: { can_manage_users: true })
 
     if Rails.configuration.loadbalanced_configuration
       admins = admins.without_role(:super_admin)

app/controllers/recordings_controller.rb

@@ -52,8 +52,8 @@ class RecordingsController < ApplicationController
   def verify_room_ownership
     if !current_user ||
        !@room.owned_by?(current_user) ||
-       !current_user.has_cached_role?(:admin) ||
-       !current_user.has_cached_role?(:super_admin)
+       !current_user.has_role?(:admin) ||
+       !current_user.has_role?(:super_admin)
       redirect_to root_path
     end
   end

app/controllers/rooms_controller.rb

@@ -24,8 +24,8 @@ class RoomsController < ApplicationController
   before_action :validate_accepted_terms, unless: -> { !Rails.configuration.terms }
   before_action :validate_verified_email, except: [:show, :join],
                 unless: -> { !Rails.configuration.enable_email_verification }
-  before_action :find_room, except: :create
-  before_action :verify_room_ownership, except: [:create, :show, :join, :logout, :login]
+  before_action :find_room, except: [:create, :join_specific_room]
+  before_action :verify_room_ownership, except: [:create, :show, :join, :logout, :login, :join_specific_room]
   before_action :verify_room_owner_verified, only: [:show, :join],
                 unless: -> { !Rails.configuration.enable_email_verification }
   before_action :verify_user_not_admin, only: [:show]
@@ -60,11 +60,14 @@ class RoomsController < ApplicationController
     @anyone_can_start = JSON.parse(@room[:room_settings])["anyoneCanStart"]
 
     if current_user && @room.owned_by?(current_user)
-      @search, @order_column, @order_direction, recs =
-        recordings(@room.bbb_id, @user_domain, params.permit(:search, :column, :direction), true)
-
-      @pagy, @recordings = pagy_array(recs)
+      if current_user.highest_priority_role.can_create_rooms
+        @search, @order_column, @order_direction, recs =
+          recordings(@room.bbb_id, @user_domain, params.permit(:search, :column, :direction), true)
 
+        @pagy, @recordings = pagy_array(recs)
+      else
+        render :cant_create_rooms
+      end
     else
       # Get users name
       @name = if current_user
@@ -138,6 +141,21 @@ class RoomsController < ApplicationController
     redirect_to current_user.main_room
   end
 
+  # POST room/join
+  def join_specific_room
+    room_uid = params[:join_room][:url].split('/').last
+
+    begin
+      @room = Room.find_by(uid: room_uid)
+    rescue ActiveRecord::RecordNotFound
+      return redirect_to current_user.main_room, alert: I18n.t("room.no_room.invalid_room_uid")
+    end
+
+    return redirect_to current_user.main_room, alert: I18n.t("room.no_room.invalid_room_uid") if @room.nil?
+
+    redirect_to room_path(@room)
+  end
+
   # POST /:room_uid/start
   def start
     # Join the user in and start the meeting.
@@ -275,7 +293,7 @@ class RoomsController < ApplicationController
   end
 
   def verify_user_not_admin
-    redirect_to admins_path if current_user && current_user&.has_cached_role?(:super_admin)
+    redirect_to admins_path if current_user && current_user&.has_role?(:super_admin)
   end
 
   def auth_required
@@ -288,7 +306,7 @@ class RoomsController < ApplicationController
 
     # Does not apply to admin
     # 15+ option is used as unlimited
-    return false if current_user&.has_cached_role?(:admin) || limit == 15
+    return false if current_user&.has_role?(:admin) || limit == 15
 
     current_user.rooms.count >= limit
   end

app/controllers/users_controller.rb

@@ -144,12 +144,14 @@ class UsersController < ApplicationController
         errors.each { |k, v| @user.errors.add(k, v) }
         render :edit, params: { settings: params[:settings] }
       end
-    elsif user_params[:email] != @user.email && @user.update_attributes(user_params)
+    elsif user_params[:email] != @user.email && @user.update_attributes(user_params) && update_roles
       @user.update_attributes(email_verified: false)
+
       flash[:success] = I18n.t("info_update_success")
       redirect_to redirect_path
-    elsif @user.update_attributes(user_params)
+    elsif @user.update_attributes(user_params) && update_roles
       update_locale(@user)
+
       flash[:success] = I18n.t("info_update_success")
       redirect_to redirect_path
     else
@@ -255,4 +257,65 @@ class UsersController < ApplicationController
 
     invitation[:present]
   end
+
+  # Updates as user's roles
+  def update_roles
+    # Check that the user can edit roles
+    if current_user.highest_priority_role.can_edit_roles
+      new_roles = params[:user][:role_ids].split(' ').map(&:to_i)
+      old_roles = @user.roles.pluck(:id)
+
+      added_role_ids = new_roles - old_roles
+      removed_role_ids = old_roles - new_roles
+
+      added_roles = []
+      removed_roles = []
+      current_user_role = current_user.highest_priority_role
+
+      # Check that the user has the permissions to add all the new roles
+      added_role_ids.each do |id|
+        role = Role.find(id)
+
+        # Admins are able to add the admin role to other users. All other roles may only
+        # add roles with a higher priority
+        if (role.priority > current_user_role.priority || current_user_role.name == "admin") &&
+           role.provider == @user_domain
+          added_roles << role
+        else
+          flash[:alert] = I18n.t("administrator.roles.invalid_assignment")
+          return false
+        end
+      end
+
+      # Check that the user has the permissions to remove all the deleted roles
+      removed_role_ids.each do |id|
+        role = Role.find(id)
+
+        # Admins are able to remove the admin role from other users. All other roles may only
+        # remove roles with a higher priority
+        if (role.priority > current_user_role.priority || current_user_role.name == "admin") &&
+           role.provider == @user_domain
+          removed_roles << role
+        else
+          flash[:alert] = I18n.t("administrator.roles.invalid_removal")
+          return false
+        end
+      end
+
+      # Send promoted/demoted emails
+      added_roles.each { |role| send_user_promoted_email(@user, role.name) if role.send_promoted_email }
+      removed_roles.each { |role| send_user_demoted_email(@user, role.name) if role.send_demoted_email }
+
+      # Update the roles
+      @user.roles.delete(removed_roles)
+      @user.roles << added_roles
+
+      # Make sure each user always has at least the user role
+      @user.roles = [Role.find_by(name: "user", provider: @user_domain)] if @user.roles.count.zero?
+
+      @user.save!
+    else
+      true
+    end
+  end
 end