From d8c02bae8c0f8e1113b1b85b636b385797765a9c Mon Sep 17 00:00:00 2001
From: Kirk Wang <kirk.wang@scientist.com>
Date: Tue, 5 Dec 2023 11:37:22 -0800
Subject: [PATCH] wip

---
 app/assets/stylesheets/hyku.scss              | 15 ++++++++++++
 app/controllers/roles_controller.rb           | 14 +++++++++++
 app/models/ability.rb                         |  9 ++++++++
 app/presenters/hyrax/admin/users_presenter.rb | 12 ++++++++++
 app/views/hyrax/admin/users/index.html.erb    | 23 ++++++++++++++++---
 config/locales/en.yml                         |  3 +++
 config/locales/hyrax.en.yml                   |  3 ++-
 config/routes.rb                              |  5 +++-
 8 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/app/assets/stylesheets/hyku.scss b/app/assets/stylesheets/hyku.scss
index 63ed99070..d1d7826ee 100644
--- a/app/assets/stylesheets/hyku.scss
+++ b/app/assets/stylesheets/hyku.scss
@@ -301,6 +301,21 @@ footer.navbar {
   }
 }
 
+#manage-users-table > tr > td> ul {
+  padding: 0 !important;
+  list-style-type: none;
+
+  li {
+    a > span {
+      color: red;
+    }
+
+    a:hover {
+      text-decoration: none;
+    }
+  }
+}
+
 .user-workflow-roles-table {
   td:nth-child(1),
   th:nth-child(1) {
diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb
index f3c2a64cd..ca6dead9a 100644
--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@@ -26,6 +26,20 @@ def update
     end
   end
 
+  def remove_role
+    user = User.find(params[:user_id])
+    role_name = params[:role_name]
+
+    if user && user.roles.exists?(name: role_name)
+      user.remove_role(role_name)
+      flash[:notice] = "Role '#{role_name}' was successfully removed from user #{user.email}."
+    else
+      flash[:alert] = "Failed to remove role '#{role_name}' from user #{user.email}."
+    end
+
+    redirect_back(fallback_location: root_path)
+  end
+
   protected
 
     def user_params
diff --git a/app/models/ability.rb b/app/models/ability.rb
index c433ad198..7d05f56a4 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -25,6 +25,15 @@ class Ability
     self.ability_logic += %i[everyone_can_create_curation_concerns]
   end
 
+  def initialize(user)
+    super(user) # Calls Hydra::Ability's initialize method
+
+    if user.has_role? "user_manager", Site.instance
+      can :manage, User
+      can :manage, Role
+    end
+  end
+
   # OVERRIDE METHOD from blacklight-access_controls v0.6.2
   #
   # NOTE: DO NOT RENAME THIS METHOD - it is required for permissions to function properly.
diff --git a/app/presenters/hyrax/admin/users_presenter.rb b/app/presenters/hyrax/admin/users_presenter.rb
index 17d2fc0ba..852ae3233 100644
--- a/app/presenters/hyrax/admin/users_presenter.rb
+++ b/app/presenters/hyrax/admin/users_presenter.rb
@@ -18,6 +18,18 @@ def user_roles(user)
         user.ability.all_user_and_group_roles
       end
 
+      # @return [Array] an array of user group role names
+      def user_group_roles(user)
+        user.group_roles.map(&:name)
+      end
+
+      # @return [Array] an array of user added role names
+      def user_site_roles(user)
+        # if the user has a group role that is the same as the site role, we don't want to show the site role
+        # because if it shows up as a site role and we can delete it, it will cause funky behavior
+        user.site_roles.map(&:name) - user_group_roles(user)
+      end
+
       def user_groups(user)
         user.hyrax_groups
       end
diff --git a/app/views/hyrax/admin/users/index.html.erb b/app/views/hyrax/admin/users/index.html.erb
index dc12474c7..3b98875bf 100644
--- a/app/views/hyrax/admin/users/index.html.erb
+++ b/app/views/hyrax/admin/users/index.html.erb
@@ -46,7 +46,8 @@
             <th></th>
             <th><%= t('.id_label') %></th>
             <th><%= t('.group_label') %></th>
-            <th><%= t('.role_label') %></th>
+            <th><%= t('.group_role_label') %></th>
+            <th><%= t('.site_role_label') %></th>
             <th><%= t('.access_label') %></th>
             <th><%= t('.status_label') %></th>
             <% if can? :destroy, User %>
@@ -54,7 +55,7 @@
             <% end %>
           </tr>
         </thead>
-        <tbody>
+        <tbody id="manage-users-table">
           <% @presenter.users.each do |user| %>
             <tr id="<%= user.email.parameterize %>">
               <td><%= link_to hyrax.user_path(user) do %>
@@ -71,12 +72,28 @@
                   </ul>
               </td>
 
-              <td class="roles"><% roles = @presenter.user_roles(user) %>
+              <td class="roles"><% roles = @presenter.user_group_roles(user) %>
                   <ul><% roles.each do |role| %>
                     <li><%= role.titleize %></li>
                     <% end %>
                   </ul>
               </td>
+
+              <td class="roles"><% roles = @presenter.user_site_roles(user) %>
+                <ul>
+                  <% roles.each do |role| %>
+                    <li>
+                      <%= role.titleize %>
+                      <%= link_to main_app.remove_role_site_roles_path(user_id: user.id, role_name: role), method: :delete, data: { confirm: t('hyrax.admin.users.roles.remove.confirmation', user: user.email, role: role.titleize) } do %>
+                        <% if can?(:edit, User) && role != 'admin' %>
+                          <span class="glyphicon glyphicon-remove"></span>
+                        <% end %>
+                      <% end %>
+                    </li>
+                  <% end %>
+                </ul>
+              </td>
+
               <td>
                 <%# in the case that a user is created who never signs in, this is necessary %>
                 <relative-time datetime="<%= @presenter.last_accessed(user).getutc.iso8601 %>" title="<%= @presenter.last_accessed(user).to_formatted_s(:standard) %>">
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 7962b44fa..e684f7fa5 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -270,6 +270,9 @@ en:
             active: Active
             pending: Pending
           status_label: Status
+        roles:
+          remove:
+            confirmation: Are you sure you want to remove the role "%{role}" from the user "%{user}"?
   permissions:
     collections:
       cannot:
diff --git a/config/locales/hyrax.en.yml b/config/locales/hyrax.en.yml
index 0b9bd8870..d6a75fe71 100644
--- a/config/locales/hyrax.en.yml
+++ b/config/locales/hyrax.en.yml
@@ -256,8 +256,9 @@ en:
             one: There is <b>%{count} user</b> in this repository.
             other: There are <b>%{count} users</b> in this repository.
           id_label: Username
-          role_label: Roles
           group_label: Groups
+          group_role_label: Group roles
+          site_role_label: Site roles
           title: Manage Users
           reader_title: View Users
       workflow_roles:
diff --git a/config/routes.rb b/config/routes.rb
index 9132e685b..1aaeb0d8a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -54,8 +54,11 @@
   get 'status', to: 'status#index'
 
   mount BrowseEverything::Engine => '/browse'
+
   resource :site, only: [:update] do
-    resources :roles, only: %i[index update]
+    resources :roles, only: %i[index update] do
+      delete 'remove_role/:user_id/:role_name', on: :collection, to: 'roles#remove_role', as: :remove_role
+    end
     resource :labels, only: %i[edit update]
   end