[Debt] Update how roles are set as part of communities changes

api/app/Policies/UserPolicy.php

@@ -3,6 +3,8 @@
 namespace App\Policies;
 
 use App\Models\PoolCandidate;
+use App\Models\Role;
+use App\Models\Team;
 use App\Models\User;
 use Illuminate\Auth\Access\HandlesAuthorization;
 
@@ -80,11 +82,72 @@ public function updateSub(User $user)
     /**
      * Determine whether the user can update roles.
      *
+     * @param  UpdateUserRolesInput  $args
      * @return \Illuminate\Auth\Access\Response|bool
      */
-    public function updateRoles(User $user)
+    public function updateRoles(User $user, $args)
     {
-        return $user->isAbleTo('assign-any-role');
+        $targetUserId = isset($args['id']) ? $args['id'] : null;
+        $attachRoles = isset($args['roleAssignmentsInput']) && isset($args['roleAssignmentsInput']['attach']) ?
+            $args['roleAssignmentsInput']['attach'] : null;
+        $detachRoles = isset($args['roleAssignmentsInput']) && isset($args['roleAssignmentsInput']['detach']) ?
+            $args['roleAssignmentsInput']['detach'] : null;
+
+        if (is_null($targetUserId)) {
+            return false;
+        }
+
+        // adding or removing team based roles
+        if (isset($attachRoles['team']) || isset($detachRoles['team'])) {
+
+            if ($attachRoles && isset($attachRoles['roles']) && isset($attachRoles['team'])) {
+                $rolesArray = $attachRoles['roles'];
+
+                // check every role being operated on and only return true if none failed
+                foreach ($rolesArray as $roleId) {
+                    if (! $this->teamAbleToCheck($user, $roleId, $attachRoles['team'])) {
+                        return false;
+                    }
+                }
+            }
+
+            if ($detachRoles && isset($detachRoles['roles']) && isset($detachRoles['team'])) {
+                $rolesArray = $detachRoles['roles'];
+
+                // check every role being operated on and only return true if none failed
+                foreach ($rolesArray as $roleId) {
+                    if (! $this->teamAbleToCheck($user, $roleId, $detachRoles['team'])) {
+                        return false;
+                    }
+                }
+            }
+
+            return true;
+        }
+
+        // adding or removing individual roles
+        if (empty($attachRoles['team']) && empty($detachRoles['team'])) {
+
+            $rolesArray = [];
+            if ($attachRoles && isset($attachRoles['roles'])) {
+                $rolesArray = [...$rolesArray, ...$attachRoles['roles']];
+            }
+            if ($detachRoles && isset($detachRoles['roles'])) {
+                $rolesArray = [...$rolesArray, ...$detachRoles['roles']];
+            }
+
+            // check every role being operated on and only return true if none failed
+            foreach ($rolesArray as $roleId) {
+                if (! $this->individualAbleToCheck($user, $roleId)) {
+                    return false;
+                }
+            }
+
+            return true;
+        }
+
+        // default to reject
+        return false;
     }
 
     /**
@@ -118,4 +181,57 @@ protected function applicantHasAppliedToPoolInTeams(User $applicant, $teamIds)
             })
             ->exists();
     }
+
+    /*******************  ROLE CHECKING  *******************/
+
+    /**
+     * Function to check if the acting user can update a team based role
+     *
+     * @return bool
+     */
+    protected function teamAbleToCheck(User $actor, string $roleId, string $teamId)
+    {
+        $role = Role::findOrFail($roleId);
+        $team = Team::findOrFail($teamId);
+
+        switch ($role->name) {
+            case 'pool_operator':
+                return $actor->isAbleTo('assign-any-teamRole');
+            case 'process_operator':
+                return $actor->isAbleTo('update-any-processOperatorMembership') || $actor->isAbleTo('update-team-processOperatorMembership', $team);
+            case 'community_recruiter':
+                return $actor->isAbleTo('update-any-communityRecruiterMembership ') || $actor->isAbleTo('update-team-communityRecruiterMembership ', $team);
+            case 'community_admin':
+                return $actor->isAbleTo('update-any-communityAdminMembership ') || $actor->isAbleTo('update-team-communityAdminMembership ', $team);
+        }
+
+        return false; // reject unknown roles
+    }
+
+    /**
+     * Function to check if the acting user can update an individual role
+     *
+     * @return bool
+     */
+    protected function individualAbleToCheck(User $actor, string $roleId)
+    {
+        $role = Role::findOrFail($roleId);
+
+        switch ($role->name) {
+            case 'guest':
+                return $actor->isAbleTo('assign-any-role');
+            case 'base_user':
+                return $actor->isAbleTo('assign-any-role');
+            case 'applicant':
+                return $actor->isAbleTo('assign-any-role');
+            case 'request_responder':
+                return $actor->isAbleTo('assign-any-role');
+            case 'community_manager':
+                return $actor->isAbleTo('assign-any-role');
+            case 'platform_admin':
+                return $actor->isAbleTo('update-any-platformAdminMembership ');
+        }
+
+        return false; // reject unknown roles
+    }
 }

api/graphql/schema.graphql

@@ -1679,7 +1679,6 @@ input RolesInput
 input RoleAssignmentHasMany {
   attach: RolesInput
   detach: RolesInput
-  sync: RolesInput
 }
 
 # This input only accepts Team-Based roles. It is assumed that a team id will be provided at a higher level of input.
@@ -1793,7 +1792,7 @@ type Mutation {
     updateUserRolesInput: UpdateUserRolesInput! @spread
   ): UserAuthInfo
     @update(model: "User")
-    @canModel(ability: "updateRoles", model: "User")
+    @canModel(ability: "updateRoles", model: "User", injectArgs: true)
   deleteUser(id: ID! @whereKey): User
     @delete
     @guard
@@ -2110,7 +2109,10 @@ type Mutation {
     @canFind(ability: "delete", find: "id")
   updateUserTeamRoles(
     teamRoleAssignments: UpdateUserTeamRolesInput! @spread
-  ): Team @guard @canFind(ability: "assignTeamMembers", find: "teamId")
+  ): Team
+    @guard
+    @canFind(ability: "assignTeamMembers", find: "teamId")
+    @deprecated(reason: "use updateUserRoles")
 
   # Notifications
   markNotificationAsRead(id: UUID!): Notification @guard # can only affect notifications belonging to the logged-in user

api/storage/app/lighthouse-schema.graphql

@@ -178,7 +178,7 @@ type Mutation {
   createTeam(team: CreateTeamInput!): Team
   updateTeam(id: UUID!, team: UpdateTeamInput!): Team
   deleteTeam(id: UUID!): Team
-  updateUserTeamRoles(teamRoleAssignments: UpdateUserTeamRolesInput!): Team
+  updateUserTeamRoles(teamRoleAssignments: UpdateUserTeamRolesInput!): Team @deprecated(reason: "use updateUserRoles")
   markNotificationAsRead(id: UUID!): Notification
   markNotificationAsUnread(id: UUID!): Notification
   deleteNotification(id: UUID!): Notification
@@ -1457,7 +1457,6 @@ input RolesInput {
 input RoleAssignmentHasMany {
   attach: RolesInput
   detach: RolesInput
-  sync: RolesInput
 }
 
 input RolesForTeamInput {

api/tests/Feature/UserRoleTest.php

@@ -41,6 +41,7 @@ protected function setUp(): void
             ->asApplicant()
             ->asRequestResponder()
             ->asAdmin()
+            ->asCommunityManager()
             ->create([
                 'email' => 'admin-user@test.com',
                 'sub' => 'admin-user@test.com',
@@ -205,8 +206,8 @@ public function testAdminCanSeeUsersTeams()
     // Create a user with an old role.  Assert that the admin can remove the old role and add the new role.
     public function testAdminCanAddAndRemoveNonTeamRoleToUser()
     {
-        $oldRole = Role::factory()->create(['is_team_based' => false]);
-        $newRole = Role::factory()->create(['is_team_based' => false]);
+        $oldRole = Role::where('name', 'guest')->sole();
+        $newRole = Role::where('name', 'base_user')->sole();
         $user = User::factory()->create()->syncRoles([$oldRole]);
 
         $this->actingAs($this->adminUser, 'api')->graphQL(
@@ -249,8 +250,8 @@ public function testAdminCanAddAndRemoveNonTeamRoleToUser()
     // Create a user with an old role.  Assert that the admin can remove the old role and add the new role, now with teams!
     public function testAdminCanAddAndRemoveTeamRoleToUser()
     {
-        $oldRole = Role::factory()->create(['is_team_based' => true]);
-        $newRole = Role::factory()->create(['is_team_based' => true]);
+        $oldRole = Role::where('name', 'pool_operator')->sole();
+        $newRole = Role::where('name', 'process_operator')->sole();
         $oldTeam = Team::factory()->create();
         $newTeam = Team::factory()->create();
         $user = User::factory()->create()->syncRoles([$oldRole], $oldTeam);

apps/web/src/pages/Teams/TeamMembersPage/components/AddTeamMemberDialog.tsx

@@ -66,12 +66,12 @@ AddTeamMemberDialogProps) => {
 
   const handleSave = async (formValues: TeamMemberFormValues) => {
     await executeMutation({
-      teamRoleAssignments: {
+      updateUserRolesInput: {
         userId: formValues.userId,
-        teamId: formValues.teamId,
-        roleAssignments: {
+        roleAssignmentsInput: {
           attach: {
             roles: formValues.roles,
+            team: formValues.teamId,
           },
         },
       },

apps/web/src/pages/Teams/TeamMembersPage/components/EditTeamMemberDialog.tsx

@@ -35,14 +35,15 @@ const EditTeamMemberDialog = ({ user, team }: EditTeamMemberDialogProps) => {
   const { roles, fetching } = useAvailableRoles();
   const [, executeMutation] = useMutation(UpdateUserTeamRoles_Mutation);
   const [isOpen, setIsOpen] = useState<boolean>(false);
+  const initialRolesIds = user.roles.map((role) => role.id);
 
   const methods = useForm<TeamMemberFormValues>({
     defaultValues: {
       userId: user.id,
       userDisplay: user.id,
       teamId: team.id,
       teamDisplay: team.id,
-      roles: user.roles.map((role) => role.id),
+      roles: initialRolesIds,
     },
   });
 
@@ -52,14 +53,29 @@ const EditTeamMemberDialog = ({ user, team }: EditTeamMemberDialogProps) => {
   } = methods;
 
   const handleSave = async (formValues: TeamMemberFormValues) => {
+    const rolesToAttach = formValues.roles.filter(
+      (role) => !initialRolesIds.includes(role),
+    );
+    const rolesToDetach = initialRolesIds.filter(
+      (role) => !formValues.roles.includes(role),
+    );
+
     await executeMutation({
-      teamRoleAssignments: {
+      updateUserRolesInput: {
         userId: formValues.userId,
-        teamId: formValues.teamId,
-        roleAssignments: {
-          attach: {
-            roles: formValues.roles,
-          },
+        roleAssignmentsInput: {
+          attach: rolesToAttach.length
+            ? {
+                roles: rolesToAttach,
+                team: team.id,
+              }
+            : undefined,
+          detach: rolesToDetach.length
+            ? {
+                roles: rolesToDetach,
+                team: team.id,
+              }
+            : undefined,
         },
       },
     })

apps/web/src/pages/Teams/TeamMembersPage/components/RemoveTeamMemberDialog.tsx

@@ -36,12 +36,12 @@ const RemoveTeamMemberDialog = ({
 
   const handleRemove = async () => {
     await executeMutation({
-      teamRoleAssignments: {
+      updateUserRolesInput: {
         userId: user.id,
-        teamId: team.id,
-        roleAssignments: {
+        roleAssignmentsInput: {
           detach: {
             roles: user.roles.map((role) => role.id),
+            team: team.id,
           },
         },
       },

apps/web/src/pages/Teams/TeamMembersPage/components/operations.ts

@@ -2,18 +2,27 @@ import { graphql } from "@gc-digital-talent/graphql";
 
 // eslint-disable-next-line import/prefer-default-export
 export const UpdateUserTeamRoles_Mutation = graphql(/* GraphQL */ `
-  mutation UpdateUserTeamRoles(
-    $teamRoleAssignments: UpdateUserTeamRolesInput!
-  ) {
-    updateUserTeamRoles(teamRoleAssignments: $teamRoleAssignments) {
+  mutation UpdateUserRoles($updateUserRolesInput: UpdateUserRolesInput!) {
+    updateUserRoles(updateUserRolesInput: $updateUserRolesInput) {
+      id
       roleAssignments {
+        id
         role {
+          id
           name
+          isTeamBased
+          displayName {
+            en
+            fr
+          }
         }
-        user {
+        team {
           id
-          firstName
-          lastName
+          name
+          displayName {
+            en
+            fr
+          }
         }
       }
     }

apps/web/src/pages/Users/UpdateUserPage/components/EditTeamRoleDialog.tsx

@@ -48,10 +48,11 @@ const EditTeamRoleDialog = ({
   const [isOpen, setIsOpen] = useState<boolean>(false);
   const userDisplayName = getFullNameHtml(user.firstName, user.lastName, intl);
   const teamDisplayName = getLocalizedName(team.displayName, intl);
+  const initialRolesIds = initialRoles.map((role) => role.id);
 
   const methods = useForm<FormValues>({
     defaultValues: {
-      roles: initialRoles.map((role) => role.id),
+      roles: initialRolesIds,
     },
   });
 
@@ -61,13 +62,28 @@ const EditTeamRoleDialog = ({
   } = methods;
 
   const handleEditRoles = async (formValues: FormValues) => {
+    const rolesToAttach = formValues.roles.filter(
+      (role) => !initialRolesIds.includes(role),
+    );
+    const rolesToDetach = initialRolesIds.filter(
+      (role) => !formValues.roles.includes(role),
+    );
+
     return onEditRoles({
       userId: user.id,
       roleAssignmentsInput: {
-        sync: {
-          roles: formValues.roles,
-          team: team.id,
-        },
+        attach: rolesToAttach.length
+          ? {
+              roles: rolesToAttach,
+              team: team.id,
+            }
+          : undefined,
+        detach: rolesToDetach.length
+          ? {
+              roles: rolesToDetach,
+              team: team.id,
+            }
+          : undefined,
       },
     })
       .then(() => {