GRN2-176: Create a role editor that allows admins to specify what permissions each role has (#709)

* Add roles editor * Add colour selection ability to roles * Add ability to assign roles to users in the UI * Remove rolify and replace it with our own custom roles implemenation * - Fix all existing roles functionality - Fix super admins * Fix bugs with new customers not have default roles * Add can't create room setting * Code improvements * Fix migration * Add tests for new methods * Translate reserved role names * Pull roles from saml/ldap * Fix rspec * Fix scrutinizer issues * Fix email promoted/demoted tests * Apply comments * Redirect directly to the main room * Add comments
2019-07-31 11:53:32 -04:00
parent 02b342b157
commit 4fc1714db8
56 changed files with 1713 additions and 328 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -24,10 +24,25 @@ class Ability
      cannot :manage, AdminsController
    elsif user.has_role? :super_admin
      can :manage, :all
-    elsif user.has_role? :admin
-      can :manage, :all
-    elsif user.has_role? :user
-      cannot :manage, AdminsController
+    else
+      highest_role = user.highest_priority_role
+      if highest_role.can_edit_site_settings
+        can [:index, :site_settings, :server_recordings, :branding, :coloring, :coloring_lighten, :coloring_darken,
+             :room_authentication, :registration_method, :room_limit, :default_recording_visibility], :admin
+      end
+
+      if highest_role.can_edit_roles
+        can [:index, :roles, :new_role, :change_role_order, :update_role, :delete_role], :admin
+      end
+
+      if highest_role.can_manage_users
+        can [:index, :roles, :edit_user, :promote, :demote, :ban_user, :unban_user,
+             :approve, :invite], :admin
+      end
+
+      if !highest_role.can_edit_site_settings && !highest_role.can_edit_roles && !highest_role.can_manage_users
+        cannot :manage, AdminsController
+      end
    end
  end
 end