Add support for editing labelling of one's own role (#18812)

Still disallow edition of rank or permissions

diff --git a/app/models/user_role.rb b/app/models/user_role.rb
index 833b96d719f7f9a34b17210b9d571311f0af8311..57a56c0b08555b188ba4504333053d8346c6c1d9 100644 (file)
--- a/app/models/user_role.rb
+++ b/app/models/user_role.rb
@@ -90,6 +90,7 @@ class UserRole < ApplicationRecord
   validate :validate_permissions_elevation
   validate :validate_position_elevation
   validate :validate_dangerous_permissions
+  validate :validate_own_role_edition
 
   before_validation :set_position
 
@@ -165,6 +166,12 @@ class UserRole < ApplicationRecord
     self.position = -1 if everyone?
   end
 
+  def validate_own_role_edition
+    return unless defined?(@current_account) && @current_account.user_role.id == id
+    errors.add(:permissions_as_keys, :own_role) if permissions_changed?
+    errors.add(:position, :own_role) if position_changed?
+  end
+
   def validate_permissions_elevation
     errors.add(:permissions_as_keys, :elevated) if defined?(@current_account) && @current_account.user_role.computed_permissions & permissions != permissions
   end

diff --git a/app/policies/user_role_policy.rb b/app/policies/user_role_policy.rb
index 7019637fcc3b7cacb0b7523771e398befc8392ff..6144a0ec4a95fa4b04809d259e0f0c24be0be20b 100644 (file)
--- a/app/policies/user_role_policy.rb
+++ b/app/policies/user_role_policy.rb
@@ -10,7 +10,7 @@ class UserRolePolicy < ApplicationPolicy
   end
 
   def update?
-    role.can?(:manage_roles) && role.overrides?(record)
+    role.can?(:manage_roles) && (role.overrides?(record) || role.id == record.id)
   end
 
   def destroy?

diff --git a/app/views/admin/roles/_form.html.haml b/app/views/admin/roles/_form.html.haml
index 99a211eeae8715dfa8a1a6676125b39f5cb00e5a..9beaf619fa5914d25c15566f05df55bb56acd4ad 100644 (file)
--- a/app/views/admin/roles/_form.html.haml
+++ b/app/views/admin/roles/_form.html.haml
@@ -8,8 +8,9 @@
     .fields-group
       = f.input :name, wrapper: :with_label
 
-    .fields-group
-      = f.input :position, wrapper: :with_label, input_html: { max: current_user.role.position - 1 }
+    - unless current_user.role.id == @role.id
+      .fields-group
+        = f.input :position, wrapper: :with_label, input_html: { max: current_user.role.position - 1 }
 
     .fields-group
       = f.input :color, wrapper: :with_label, input_html: { placeholder: '#000000' }
@@ -21,17 +22,19 @@
 
     %hr.spacer/
 
-  .field-group
-    .input.with_block_label
-      %label= t('simple_form.labels.user_role.permissions_as_keys')
-      %span.hint= t('simple_form.hints.user_role.permissions_as_keys')
+  - unless current_user.role.id == @role.id
+
+    .field-group
+      .input.with_block_label
+        %label= t('simple_form.labels.user_role.permissions_as_keys')
+        %span.hint= t('simple_form.hints.user_role.permissions_as_keys')
 
-    - (@role.everyone? ? UserRole::Flags::CATEGORIES.slice(:invites) : UserRole::Flags::CATEGORIES).each do |category, permissions|
-      %h4= t(category, scope: 'admin.roles.categories')
+      - (@role.everyone? ? UserRole::Flags::CATEGORIES.slice(:invites) : UserRole::Flags::CATEGORIES).each do |category, permissions|
+        %h4= t(category, scope: 'admin.roles.categories')
 
-      = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false, disabled: permissions.filter { |privilege| UserRole::FLAGS[privilege] & current_user.role.computed_permissions == 0 }
+        = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false, disabled: permissions.filter { |privilege| UserRole::FLAGS[privilege] & current_user.role.computed_permissions == 0 }
 
-  %hr.spacer/
+    %hr.spacer/
 
   .actions
     = f.button :button, @role.new_record? ? t('admin.roles.add_new') : t('generic.save_changes'), type: :submit

diff --git a/config/locales/activerecord.en.yml b/config/locales/activerecord.en.yml
index daeed58b8a696a4580c2217027df696a6df6e967..2dfa3b955ef271b72d8e8426b1b73725c9aebb9e 100644 (file)
--- a/config/locales/activerecord.en.yml
+++ b/config/locales/activerecord.en.yml
@@ -45,5 +45,7 @@ en:
             permissions_as_keys:
               dangerous: include permissions that are not safe for the base role
               elevated: cannot include permissions your current role does not possess
+              own_role: cannot be changed with your current role
             position:
               elevated: cannot be higher than your current role
+              own_role: cannot be changed with your current role