GRN2-176: Create a role editor that allows admins to specify what permissions each role has (#709)

* Add roles editor

* Add colour selection ability to roles

* Add ability to assign roles to users in the UI

* Remove rolify and replace it with our own custom roles implemenation

* - Fix all existing roles functionality
- Fix super admins

* Fix bugs with new customers not have default roles

* Add can't create room setting

* Code improvements

* Fix migration

* Add tests for new methods

* Translate reserved role names

* Pull roles from saml/ldap

* Fix rspec

* Fix scrutinizer issues

* Fix email promoted/demoted tests

* Apply comments

* Redirect directly to the main room

* Add comments

spec/controllers/admins_controller_spec.rb

@@ -22,6 +22,7 @@ describe AdminsController, type: :controller do
   before do
     allow_any_instance_of(ApplicationController).to receive(:set_user_domain).and_return("provider1")
     controller.instance_variable_set(:@user_domain, "provider1")
+
     @user = create(:user, provider: "provider1")
     @admin = create(:user, provider: "provider1")
     @admin.add_role :admin
@@ -58,53 +59,6 @@ describe AdminsController, type: :controller do
       end
     end
 
-    context "POST #promote" do
-      it "promotes a user to admin" do
-        @request.session[:user_id] = @admin.id
-
-        expect(@user.has_role?(:admin)).to eq(false)
-
-        post :promote, params: { user_uid: @user.uid }
-
-        expect(@user.has_role?(:admin)).to eq(true)
-        expect(flash[:success]).to be_present
-        expect(response).to redirect_to(admins_path)
-      end
-
-      it "sends an email to the user being promoted" do
-        @request.session[:user_id] = @admin.id
-
-        params = { user_uid: @user.uid }
-
-        expect { post :promote, params: params }.to change { ActionMailer::Base.deliveries.count }.by(1)
-      end
-    end
-
-    context "POST #demote" do
-      it "demotes an admin to user" do
-        @request.session[:user_id] = @admin.id
-
-        @user.add_role :admin
-        expect(@user.has_role?(:admin)).to eq(true)
-
-        post :demote, params: { user_uid: @user.uid }
-
-        expect(@user.has_role?(:admin)).to eq(false)
-        expect(flash[:success]).to be_present
-        expect(response).to redirect_to(admins_path)
-      end
-
-      it "sends an email to the user being demoted" do
-        @request.session[:user_id] = @admin.id
-
-        @user.add_role :admin
-
-        params = { user_uid: @user.uid }
-
-        expect { post :demote, params: params }.to change { ActionMailer::Base.deliveries.count }.by(1)
-      end
-    end
-
     context "POST #ban" do
       it "bans a user from the application" do
         @request.session[:user_id] = @admin.id
@@ -331,4 +285,239 @@ describe AdminsController, type: :controller do
       end
     end
   end
+
+  describe "Roles" do
+    context "GET #roles" do
+      it "should render the roles editor with the user role selected" do
+        @request.session[:user_id] = @admin.id
+
+        get :roles
+
+        expect(response).to render_template :roles
+        expect(assigns(:roles).count).to eq(2)
+        expect(assigns(:selected_role).name).to eq("user")
+      end
+
+      it "should render the roles editor with the request role selected" do
+        Role.create_default_roles("provider1")
+
+        new_role = Role.create(name: "test", provider: "provider1")
+
+        @request.session[:user_id] = @admin.id
+
+        get :roles, params: { selected_role: new_role.id }
+
+        expect(response).to render_template :roles
+        expect(assigns(:roles).count).to eq(3)
+        expect(assigns(:selected_role).name).to eq(new_role.name)
+      end
+    end
+
+    context "POST #new_role" do
+      before do
+        Role.create_default_roles("provider1")
+      end
+
+      it "should fail with duplicate role name" do
+        @request.session[:user_id] = @admin.id
+
+        post :new_role, params: { role: { name: "admin" } }
+
+        expect(response).to redirect_to admin_roles_path
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.duplicate_name"))
+      end
+
+      it "should fail with empty role name" do
+        @request.session[:user_id] = @admin.id
+
+        post :new_role, params: { role: { name: "    " } }
+
+        expect(response).to redirect_to admin_roles_path
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.empty_name"))
+      end
+
+      it "should create new role and increase user role priority" do
+        @request.session[:user_id] = @admin.id
+
+        post :new_role, params: { role: { name: "test" } }
+
+        new_role = Role.find_by(name: "test", provider: "provider1")
+        user_role = Role.find_by(name: "user", provider: "provider1")
+
+        expect(new_role.priority).to eq(1)
+        expect(user_role.priority).to eq(2)
+        expect(response).to redirect_to admin_roles_path(selected_role: new_role.id)
+      end
+    end
+
+    context "PATCH #change_role_order" do
+      before do
+        Role.create_default_roles("provider1")
+      end
+
+      it "should fail if user attempts to change the order of the admin or user roles" do
+        @request.session[:user_id] = @admin.id
+
+        user_role = Role.find_by(name: "user", provider: "provider1")
+        admin_role = Role.find_by(name: "admin", provider: "provider1")
+
+        patch :change_role_order, params: { role: [user_role.id, admin_role.id] }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_order"))
+        expect(response).to redirect_to admin_roles_path
+      end
+
+      it "should fail if a user attempts to edit a role with a higher priority than their own" do
+        Role.create(name: "test1", priority: 1, provider: "greenlight")
+        new_role2 = Role.create(name: "test2", priority: 2, provider: "greenlight", can_edit_roles: true)
+        new_role3 = Role.create(name: "test3", priority: 3, provider: "greenlight")
+        user_role = Role.find_by(name: "user", provider: "greenlight")
+
+        user_role.priority = 4
+        user_role.save!
+
+        @user.roles << new_role2
+        @user.save!
+
+        @request.session[:user_id] = @user.id
+
+        patch :change_role_order, params: { role: [new_role3.id, new_role2.id] }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_update"))
+        expect(response).to redirect_to admin_roles_path
+      end
+
+      it "should fail if a user attempts to edit a role with a higher priority than their own" do
+        Role.create(name: "test1", priority: 1, provider: "greenlight")
+        new_role2 = Role.create(name: "test2", priority: 2, provider: "greenlight", can_edit_roles: true)
+        new_role3 = Role.create(name: "test3", priority: 3, provider: "greenlight")
+        user_role = Role.find_by(name: "user", provider: "greenlight")
+
+        user_role.priority = 4
+        user_role.save!
+
+        @user.roles << new_role2
+        @user.save!
+
+        @request.session[:user_id] = @user.id
+
+        patch :change_role_order, params: { role: [new_role3.id, new_role2.id] }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_update"))
+        expect(response).to redirect_to admin_roles_path
+      end
+
+      it "should update the role order" do
+        new_role1 = Role.create(name: "test1", priority: 1, provider: "provider1")
+        new_role2 = Role.create(name: "test2", priority: 2, provider: "provider1")
+        new_role3 = Role.create(name: "test3", priority: 3, provider: "provider1")
+        user_role = Role.find_by(name: "user", provider: "provider1")
+
+        @request.session[:user_id] = @admin.id
+
+        patch :change_role_order, params: { role: [new_role3.id, new_role2.id, new_role1.id] }
+
+        new_role1.reload
+        new_role2.reload
+        new_role3.reload
+        user_role.reload
+
+        expect(new_role3.priority).to eq(1)
+        expect(new_role2.priority).to eq(2)
+        expect(new_role1.priority).to eq(3)
+        expect(user_role.priority).to eq(4)
+      end
+    end
+
+    context 'POST #update_role' do
+      before do
+        Role.create_default_roles("provider1")
+      end
+
+      it "should fail to update a role with a lower priority than the user" do
+        new_role1 = Role.create(name: "test1", priority: 1, provider: "provider1")
+        new_role2 = Role.create(name: "test2", priority: 2, provider: "provider1", can_edit_roles: true)
+        user_role = Role.find_by(name: "user", provider: "greenlight")
+
+        user_role.priority = 3
+        user_role.save!
+
+        @user.roles << new_role2
+        @user.save!
+
+        @request.session[:user_id] = @user.id
+
+        patch :update_role, params: { role_id: new_role1.id }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_update"))
+        expect(response).to redirect_to admin_roles_path(selected_role: new_role1.id)
+      end
+
+      it "should fail to update if there is a duplicate name" do
+        new_role = Role.create(name: "test2", priority: 1, provider: "provider1", can_edit_roles: true)
+
+        @request.session[:user_id] = @admin.id
+
+        patch :update_role, params: { role_id: new_role.id, role: { name: "admin" } }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.duplicate_name"))
+        expect(response).to redirect_to admin_roles_path(selected_role: new_role.id)
+      end
+
+      it "should update role permisions" do
+        new_role = Role.create(name: "test2", priority: 1, provider: "provider1", can_edit_roles: true)
+
+        @request.session[:user_id] = @admin.id
+
+        patch :update_role, params: { role_id: new_role.id, role: { name: "test", can_edit_roles: false,
+          colour: "#45434", can_manage_users: true } }
+
+        new_role.reload
+        expect(new_role.name).to eq("test")
+        expect(new_role.can_edit_roles).to eq(false)
+        expect(new_role.colour).to eq("#45434")
+        expect(new_role.can_manage_users).to eq(true)
+        expect(new_role.send_promoted_email).to eq(false)
+        expect(response).to redirect_to admin_roles_path(selected_role: new_role.id)
+      end
+    end
+
+    context "DELETE delete_role" do
+      before do
+        Role.create_default_roles("provider1")
+      end
+
+      it "should fail to delete the role if it has users assigned to it" do
+        admin_role = Role.find_by(name: "admin", provider: "greenlight")
+
+        @request.session[:user_id] = @admin.id
+
+        delete :delete_role, params: { role_id: admin_role.id }
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.role_has_users", user_count: 1))
+        expect(response).to redirect_to admin_roles_path(selected_role: admin_role.id)
+      end
+
+      it "should fail to delete the role if it is a default role" do
+        pending_role = Role.find_by(name: "pending", provider: "provider1")
+
+        @request.session[:user_id] = @admin.id
+
+        delete :delete_role, params: { role_id: pending_role.id }
+
+        expect(response).to redirect_to admin_roles_path(selected_role: pending_role.id)
+      end
+
+      it "should successfully delete the role" do
+        new_role = Role.create(name: "test2", priority: 1, provider: "provider1", can_edit_roles: true)
+
+        @request.session[:user_id] = @admin.id
+
+        delete :delete_role, params: { role_id: new_role.id }
+
+        expect(Role.where(name: "test2", provider: "provider1").count).to eq(0)
+        expect(response).to redirect_to admin_roles_path
+      end
+    end
+  end
 end

spec/controllers/rooms_controller_spec.rb

@@ -61,6 +61,19 @@ describe RoomsController, type: :controller do
       expect(response).to render_template(:join)
     end
 
+    it "should render cant_create_rooms if user doesn't have permission to create rooms" do
+      user_role = @user.highest_priority_role
+
+      user_role.can_create_rooms = false
+      user_role.save!
+
+      @request.session[:user_id] = @user.id
+
+      get :show, params: { room_uid: @user.main_room }
+
+      expect(response).to render_template(:cant_create_rooms)
+    end
+
     it "should be able to search public recordings if user is not owner" do
       @request.session[:user_id] = @user.id
 
@@ -454,4 +467,32 @@ describe RoomsController, type: :controller do
       expect(flash[:alert]).to eq(I18n.t("room.access_code_required"))
     end
   end
+
+  describe "POST join_specific_room" do
+    before do
+      @user = create(:user)
+      @user1 = create(:user)
+    end
+
+    it "should display flash if the user doesn't supply a valid uid" do
+      @request.session[:user_id] = @user.id
+
+      post :join_specific_room, params: { join_room: { url: "abc" } }
+
+      expect(flash[:alert]).to eq(I18n.t("room.no_room.invalid_room_uid"))
+      expect(response).to redirect_to room_path(@user.main_room)
+    end
+
+    it "should redirect the user to the room uid they supplied" do
+      post :join_specific_room, params: { join_room: { url: @user1.main_room } }
+
+      expect(response).to redirect_to room_path(@user1.main_room)
+    end
+
+    it "should redirect the user to the room join url they supplied" do
+      post :join_specific_room, params: { join_room: { url: room_path(@user1.main_room) } }
+
+      expect(response).to redirect_to room_path(@user1.main_room)
+    end
+  end
 end

spec/controllers/users_controller_spec.rb

@@ -333,6 +333,95 @@ describe UsersController, type: :controller do
       patch :update, params: invalid_params.merge!(user_uid: @user)
       expect(response).to render_template(:edit)
     end
+
+    context 'Roles updates' do
+      it "should fail to update roles if users tries to add a role with a higher priority than their own" do
+        user = create(:user)
+        @request.session[:user_id] = user.id
+
+        user_role = user.highest_priority_role
+
+        user_role.can_edit_roles = true
+
+        user_role.save!
+
+        tmp_role = Role.create(name: "test", priority: -2, provider: "greenlight")
+
+        params = random_valid_user_params
+        patch :update, params: params.merge!(user_uid: user, user: { role_ids: tmp_role.id.to_s })
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_assignment"))
+        expect(response).to render_template(:edit)
+      end
+
+      it "should fail to update roles if a user tries to remove a role with a higher priority than their own" do
+        user = create(:user)
+        admin = create(:user)
+
+        admin.add_role :admin
+
+        @request.session[:user_id] = user.id
+
+        user_role = user.highest_priority_role
+
+        user_role.can_edit_roles = true
+
+        user_role.save!
+
+        params = random_valid_user_params
+        patch :update, params: params.merge!(user_uid: admin, user: { role_ids: "" })
+
+        user.reload
+
+        expect(flash[:alert]).to eq(I18n.t("administrator.roles.invalid_removal"))
+        expect(response).to render_template(:edit)
+      end
+
+      it "should successfuly add roles to the user" do
+        allow(Rails.configuration).to receive(:enable_email_verification).and_return(true)
+
+        user = create(:user)
+        admin = create(:user)
+
+        admin.add_role :admin
+
+        @request.session[:user_id] = admin.id
+
+        tmp_role1 = Role.create(name: "test1", priority: 1, provider: "greenlight", send_promoted_email: true)
+        tmp_role2 = Role.create(name: "test2", priority: 2, provider: "greenlight")
+
+        params = random_valid_user_params
+        params = params.merge!(user_uid: user, user: { role_ids: "#{tmp_role1.id} #{tmp_role2.id}" })
+
+        expect { patch :update, params: params }.to change { ActionMailer::Base.deliveries.count }.by(1)
+        expect(user.roles.count).to eq(2)
+        expect(user.highest_priority_role.name).to eq("test1")
+        expect(response).to redirect_to(admins_path)
+      end
+
+      it "all users must at least have the user role" do
+        allow(Rails.configuration).to receive(:enable_email_verification).and_return(true)
+
+        user = create(:user)
+        admin = create(:user)
+
+        admin.add_role :admin
+
+        tmp_role1 = Role.create(name: "test1", priority: 1, provider: "greenlight", send_demoted_email: true)
+        user.roles << tmp_role1
+        user.save!
+
+        @request.session[:user_id] = admin.id
+
+        params = random_valid_user_params
+        params = params.merge!(user_uid: user, user: { role_ids: "" })
+
+        expect { patch :update, params: params }.to change { ActionMailer::Base.deliveries.count }.by(1)
+        expect(user.roles.count).to eq(1)
+        expect(user.highest_priority_role.name).to eq("user")
+        expect(response).to redirect_to(admins_path)
+      end
+    end
   end
 
   describe "DELETE #user" do

spec/helpers/admins_helper_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+require "rails_helper"
+
+describe AdminsHelper do
+  describe "edit_disabled" do
+    it "should disable inputs for roles with a higher priority" do
+        user = create(:user)
+        admin_role = Role.find_by(name: "admin", provider: "greenlight")
+        helper.instance_variable_set(:@selected_role, admin_role)
+
+        allow_any_instance_of(SessionsHelper).to receive(:current_user).and_return(user)
+
+        expect(helper.edit_disabled).to eq(true)
+    end
+
+    it "should enable inputs for roles with a lower priority" do
+        user = create(:user)
+        user.roles << Role.find_by(name: "admin", provider: "greenlight")
+        user_role = Role.find_by(name: "user", provider: "greenlight")
+        helper.instance_variable_set(:@selected_role, user_role)
+
+        allow_any_instance_of(SessionsHelper).to receive(:current_user).and_return(user)
+
+        expect(helper.edit_disabled).to eq(false)
+    end
+  end
+end

spec/helpers/application_helper_spec.rb

@@ -85,4 +85,14 @@ describe ApplicationHelper do
       expect(helper.allow_greenlight_accounts?).to eql(false)
     end
   end
+
+  describe "role_clour" do
+    it "should use default if the user doens't have a role" do
+      expect(helper.role_colour(Role.create(name: "test"))).to eq(Rails.configuration.primary_color_default)
+    end
+
+    it "should use role colour if provided" do
+      expect(helper.role_colour(Role.create(name: "test", colour: "#1234"))).to eq("#1234")
+    end
+  end
 end

spec/helpers/users_helper_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+require "rails_helper"
+
+describe UsersHelper do
+    describe "disabled roles" do
+        it "should return roles with a less than or equal to priority for non admins" do
+            user = create(:user)
+            allow_any_instance_of(SessionsHelper).to receive(:current_user).and_return(user)
+
+            disabled_roles = helper.disabled_roles(user)
+
+            expect(disabled_roles.count).to eq(1)
+        end
+
+        it "should return roles with a lesser priority for admins" do
+            admin = create(:user)
+            admin.add_role :admin
+            user = create(:user)
+
+            allow_any_instance_of(SessionsHelper).to receive(:current_user).and_return(admin)
+
+            disabled_roles = helper.disabled_roles(user)
+
+            expect(disabled_roles.count).to eq(1)
+        end
+    end
+end

spec/models/role_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+require "rails_helper"
+
+describe Role, type: :model do
+    it "should return duplicate if role name is in reserved role names" do
+        expect(Role.duplicate_name("admin", "greenlight")).to eq(true)
+    end
+
+    it "should return duplicate if role name matched another" do
+        Role.create(name: "test", provider: "greenlight")
+        expect(Role.duplicate_name("test", "greenlight")).to eq(true)
+    end
+
+    it "should return false role name doesn't exist" do
+        Role.create(name: "test", provider: "greenlight")
+        expect(Role.duplicate_name("test1", "greenlight")).to eq(false)
+    end
+end

spec/models/user_spec.rb

@@ -158,6 +158,72 @@ describe User, type: :model do
 
       expect(@admin.admin_of?(@user)).to be false
     end
+
+    it "should get the highest priority role" do
+      @admin = create(:user, provider: @user.provider)
+      @admin.add_role :admin
+
+      expect(@admin.highest_priority_role.name).to eq("admin")
+    end
+
+    it "should skip adding the role if the user already has the role" do
+      @admin = create(:user, provider: @user.provider)
+      @admin.add_role :admin
+      @admin.add_role :admin
+
+      expect(@admin.roles.count).to eq(2)
+    end
+
+    it "should add the role if the user doesn't already have the role" do
+      @admin = create(:user, provider: @user.provider)
+      @admin.add_role :admin
+
+      expect(@admin.roles.count).to eq(2)
+    end
+
+    it "should remove the role if the user has the role assigned to them" do
+      @admin = create(:user, provider: @user.provider)
+      @admin.add_role :admin
+      @admin.remove_role :admin
+
+      expect(@admin.roles.count).to eq(1)
+    end
+
+    it "has_role? should return false if the user doesn't have the role" do
+      expect(@user.has_role?(:admin)).to eq(false)
+    end
+
+    it "has_role? should return true if the user has the role" do
+      @admin = create(:user, provider: @user.provider)
+      @admin.add_role :admin
+
+      expect(@admin.has_role?(:admin)).to eq(true)
+    end
+
+    it "with_role should return all users with the role" do
+      @admin1 = create(:user, provider: @user.provider)
+      @admin2 = create(:user, provider: @user.provider)
+      @admin1.add_role :admin
+      @admin2.add_role :admin
+
+      expect(User.with_role(:admin).count).to eq(2)
+    end
+
+    it "without_role should return all users without the role" do
+      @admin1 = create(:user, provider: @user.provider)
+      @admin2 = create(:user, provider: @user.provider)
+      @admin1.add_role :admin
+      @admin2.add_role :admin
+
+      expect(User.without_role(:admin).count).to eq(1)
+    end
+
+    it "all_users_with_roles should return all users with at least one role" do
+      @admin1 = create(:user, provider: @user.provider)
+      @admin2 = create(:user, provider: @user.provider)
+
+      expect(User.all_users_with_roles.count).to eq(3)
+    end
   end
 
   context 'blank email' do