GRN2-176: Create a role editor that allows admins to specify what permissions each role has (#709)

* Add roles editor

* Add colour selection ability to roles

* Add ability to assign roles to users in the UI

* Remove rolify and replace it with our own custom roles implemenation

* - Fix all existing roles functionality
- Fix super admins

* Fix bugs with new customers not have default roles

* Add can't create room setting

* Code improvements

* Fix migration

* Add tests for new methods

* Translate reserved role names

* Pull roles from saml/ldap

* Fix rspec

* Fix scrutinizer issues

* Fix email promoted/demoted tests

* Apply comments

* Redirect directly to the main room

* Add comments

app/controllers/users_controller.rb

@@ -144,12 +144,14 @@ class UsersController < ApplicationController
         errors.each { |k, v| @user.errors.add(k, v) }
         render :edit, params: { settings: params[:settings] }
       end
-    elsif user_params[:email] != @user.email && @user.update_attributes(user_params)
+    elsif user_params[:email] != @user.email && @user.update_attributes(user_params) && update_roles
       @user.update_attributes(email_verified: false)
+
       flash[:success] = I18n.t("info_update_success")
       redirect_to redirect_path
-    elsif @user.update_attributes(user_params)
+    elsif @user.update_attributes(user_params) && update_roles
       update_locale(@user)
+
       flash[:success] = I18n.t("info_update_success")
       redirect_to redirect_path
     else
@@ -255,4 +257,65 @@ class UsersController < ApplicationController
 
     invitation[:present]
   end
+
+  # Updates as user's roles
+  def update_roles
+    # Check that the user can edit roles
+    if current_user.highest_priority_role.can_edit_roles
+      new_roles = params[:user][:role_ids].split(' ').map(&:to_i)
+      old_roles = @user.roles.pluck(:id)
+
+      added_role_ids = new_roles - old_roles
+      removed_role_ids = old_roles - new_roles
+
+      added_roles = []
+      removed_roles = []
+      current_user_role = current_user.highest_priority_role
+
+      # Check that the user has the permissions to add all the new roles
+      added_role_ids.each do |id|
+        role = Role.find(id)
+
+        # Admins are able to add the admin role to other users. All other roles may only
+        # add roles with a higher priority
+        if (role.priority > current_user_role.priority || current_user_role.name == "admin") &&
+           role.provider == @user_domain
+          added_roles << role
+        else
+          flash[:alert] = I18n.t("administrator.roles.invalid_assignment")
+          return false
+        end
+      end
+
+      # Check that the user has the permissions to remove all the deleted roles
+      removed_role_ids.each do |id|
+        role = Role.find(id)
+
+        # Admins are able to remove the admin role from other users. All other roles may only
+        # remove roles with a higher priority
+        if (role.priority > current_user_role.priority || current_user_role.name == "admin") &&
+           role.provider == @user_domain
+          removed_roles << role
+        else
+          flash[:alert] = I18n.t("administrator.roles.invalid_removal")
+          return false
+        end
+      end
+
+      # Send promoted/demoted emails
+      added_roles.each { |role| send_user_promoted_email(@user, role.name) if role.send_promoted_email }
+      removed_roles.each { |role| send_user_demoted_email(@user, role.name) if role.send_demoted_email }
+
+      # Update the roles
+      @user.roles.delete(removed_roles)
+      @user.roles << added_roles
+
+      # Make sure each user always has at least the user role
+      @user.roles = [Role.find_by(name: "user", provider: @user_domain)] if @user.roles.count.zero?
+
+      @user.save!
+    else
+      true
+    end
+  end
 end