♻️ Update the updateUserRoles mutation

[tristan-orourke]

♻️ Debt/Refactor

We're creating new permissions which allow for assigning of specific roles, instead of the previous permission which allow assigning any role, or any team role. The mutation used to assign roles must be updated to check the new permissions.

🕵️ Details

Now, in the implementation of the updateUserRoles mutation, we will have to carefully check if the user has the appropriate permission for EACH role which is being attached or detached from the user. This will be particularly complex in the case of sync, where you have to inspect the user's current roles and compare them to the sync array, to see which ones are being removed.

QUESTION: It may actually be easier to remove the sync operation entirely from the mutation, and update the client code to use attach and detach exclusively. (sync also makes it dangerously easy to remove roles by accident.)

I think we can also deprecate/remove updateUserTeamRoles mutation and code, since that was created mostly to make permission checking easier, and we'll use a totally new strategy now.

QUESTION: Depending on how we implemented #10302, we may also need to update how the team is passed into a role assignment. If Team is being abstracted away in the schema, then we can't get the teamId of a Pool or Community to pass in. Do we instead let it accept a Teamable id? or add a teamId field to Teamable interface?

🙋‍♀️ Proposed Solution

Note: Awkwardly, the update-team-processOperatorMembership permission has to give someone in a Community-team permission to assign someone to a Pool-team, if the Pool belongs to the Community.

✅ Acceptance Criteria

A set of assumptions which, when tested, verify that the debt was addressed and expected functionality has not been affected.

• Assigning roles through the /admin/teams/:id/members page continues to function (though api may change behind the scenes). It can be used by Platform Admins and Community Managers.
• Assigning roles through the /admin/users/:id/edit page continues to function (though api may change behind the scenes). Community Managers can assign or remove (legacy) team-based roles, and Platform Admins can assign or remove all (legacy) roles. (New Community Admin, Community Recruiter, and Process Operator roles can be ignored here for now.)
• Role assignment uses the new update-any/team-<role>Membership permissions
  • adding or removing Platform Admin role requires update-any-platformAdminMembership
  • adding or removing Community Admin role requires update-any-communityAdminMembership or update-team-communityAdminMembership in the correct community team
  • adding or removing Community Recruiter role requires update-any-communityRecruiterMembership or update-team-communityRecruiterMembership in the appropriate community team
  • adding or removing Process Operator membership requires update-any-processOperatorMembership or update-team-processOperatorMembership in the pool's team OR the pool's community's team
  • adding or removing Community Manager or Request Responder roles (legacy roles) require assign-any-role permission (will be removed in cleanup)
  • adding or removing Pool Operator legacy role requires assign-any-teamRole permission (will be removed in cleanup)
• Its possible to use a mutation to assign new Community and Pool based roles
• phpunit tests

🛑 Blockers

Issues which must be completed before this one.

Blocked By

Beta Give feedback

1. ✨ Add Community-Team and Pool-Team relations #10302
   2 of 2
   feature +1
   
2. ✨ Define new Roles: Community Admin, Community Recruiter, Process Operator #10349
   deployment feature +2
   

[github-actions]

Status: Ready to merge ✔️

Issues blocking this PR:

• ✨ Add Community-Team and Pool-Team relations #10302 ✔️
• ✨ Define new Roles: Community Admin, Community Recruiter, Process Operator #10349 ✔️

---

This comment was automatically written by the Blocking Issues bot, and this PR will be monitored for further progress.

[brindasasi]

Tests

• Assigning roles through the /admin/teams/:id/members page continues to function (though api may change behind the scenes). It can be used by Platform Admins and Community Managers

  • Verify Applicant users can't use the above page

• Assigning roles through the /admin/users/:id/edit page continues to function

• Community Managers can assign or remove (legacy) team-based roles,

• Platform Admins can assign or remove all (legacy) roles.

• New Community Admin, Community Recruiter, and Process Operator roles can be ignored here for now.

• adding or removing Platform Admin role requires update-any-platformAdminMembership

• adding or removing Community Admin role requires update-any-communityAdminMembership or update-team-communityAdminMembership in the correct community team

• adding or removing Community Recruiter role requires update-any-communityRecruiterMembership or update-team-communityRecruiterMembership in the appropriate community team

• adding or removing Process Operator membership requires update-any-processOperatorMembership or update-team-processOperatorMembership in the pool's team OR the pool's community's team

• adding or removing Community Manager or Request Responder roles (legacy roles) require assign-any-role permission (will be removed in cleanup)

• adding or removing Pool Operator legacy role requires assign-any-teamRole permission (will be removed in cleanup)

• Its possible to use a mutation to assign new Community and Pool based roles

[vd1992]

I think you might've meant to put that in the PR?