Reduce permissions of WRT member to seniors + leader

app/controllers/admin_controller.rb

@@ -323,29 +323,6 @@ def do_generate_public_export
     redirect_to admin_generate_exports_path
   end
 
-  def generate_db_token
-    @db_endpoints = {
-      main: EnvConfig.DATABASE_HOST,
-      replica: EnvConfig.READ_REPLICA_HOST,
-    }
-
-    role_credentials = Aws::ECSCredentials.new
-    token_generator = Aws::RDS::AuthTokenGenerator.new credentials: role_credentials
-
-    @db_tokens = @db_endpoints.transform_values do |url|
-      token_generator.auth_token({
-                                   region: EnvConfig.DATABASE_AWS_REGION,
-                                   endpoint: "#{url}:3306",
-                                   user_name: EnvConfig.DATABASE_WRT_USER,
-                                 })
-    end
-
-    @db_server_indices = {
-      main: 1,
-      replica: 2,
-    }
-  end
-
   def check_regional_records
     @check_records_request = CheckRegionalRecordsForm.new(
       competition_id: params[:competition_id] || nil,

app/controllers/panel_controller.rb

@@ -4,8 +4,9 @@ class PanelController < ApplicationController
   include DocumentsHelper
 
   before_action :authenticate_user!
-  before_action -> { redirect_to_root_unless_user(:can_access_panel?, params[:action].to_sym) }, except: [:pending_claims_for_subordinate_delegates]
+  before_action -> { redirect_to_root_unless_user(:can_access_panel?, params[:action].to_sym) }, except: [:pending_claims_for_subordinate_delegates, :generate_db_token]
   before_action -> { redirect_to_root_unless_user(:can_access_senior_delegate_panel?) }, only: [:pending_claims_for_subordinate_delegates]
+  before_action -> { redirect_to_root_unless_user(:can_access_panel?, :admin) }, only: [:generate_db_token]
 
   def pending_claims_for_subordinate_delegates
     # Show pending claims for a given user, or the current user, if they can see them
@@ -14,6 +15,29 @@ def pending_claims_for_subordinate_delegates
     @subordinate_delegates = @user.subordinate_delegates.to_a.push(@user)
   end
 
+  def generate_db_token
+    @db_endpoints = {
+      main: EnvConfig.DATABASE_HOST,
+      replica: EnvConfig.READ_REPLICA_HOST,
+    }
+
+    role_credentials = Aws::ECSCredentials.new
+    token_generator = Aws::RDS::AuthTokenGenerator.new credentials: role_credentials
+
+    @db_tokens = @db_endpoints.transform_values do |url|
+      token_generator.auth_token({
+                                   region: EnvConfig.DATABASE_AWS_REGION,
+                                   endpoint: "#{url}:3306",
+                                   user_name: EnvConfig.DATABASE_WRT_USER,
+                                 })
+    end
+
+    @db_server_indices = {
+      main: 1,
+      replica: 2,
+    }
+  end
+
   def self.panel_list
     {
       "delegate" => {
@@ -88,6 +112,7 @@ def self.panel_pages
       "regions" => "regions",
       "subordinateDelegateClaims" => "subordinate-delegate-claims",
       "subordinateUpcomingCompetitions" => "subordinate-upcoming-competitions",
+      "generateDbToken" => "generate-db-token",
     }
   end
 end

app/models/user.rb

@@ -493,6 +493,10 @@ def results_team?
     group_member?(UserGroup.teams_committees_group_wrt)
   end
 
+  def senior_results_team?
+    active_roles.any? { |role| role.group == UserGroup.teams_committees_group_wrt && role.metadata.at_least_senior_member? }
+  end
+
   private def software_team?
     group_member?(UserGroup.teams_committees_group_wst)
   end
@@ -1316,7 +1320,7 @@ def can_access_senior_delegate_panel?
   def can_access_panel?(panel_id)
     case panel_id
     when :admin
-      admin? || results_team?
+      admin? || senior_results_team?
     when :staff
       staff?
     when :delegate

app/webpacker/components/Panel/PanelPages.jsx

@@ -3,6 +3,7 @@ import {
   countryBandsUrl,
   subordinateDelegateClaimsUrl,
   subordinateUpcomingCompetitionsUrl,
+  generateDbTokenUrl,
 } from '../../lib/requests/routes.js.erb';
 import PostingCompetitionsTable from '../PostingCompetitions';
 import RegionManager from './Board/RegionManager';
@@ -78,4 +79,8 @@ export default {
     name: 'Subordinate Upcoming Competitions',
     link: subordinateUpcomingCompetitionsUrl,
   },
+  [PANEL_PAGES.generateDbToken]: {
+    name: 'Generate DB Token',
+    link: generateDbTokenUrl,
+  },
 };

app/webpacker/lib/requests/routes.js.erb

@@ -149,6 +149,7 @@ export const countryBandsUrl = `<%= CGI.unescape(Rails.application.routes.url_he
 export const subordinateDelegateClaimsUrl = `<%= CGI.unescape(Rails.application.routes.url_helpers.pending_claims_path) %>`;
 export const subordinateUpcomingCompetitionsUrl = `<%= CGI.unescape(Rails.application.routes.url_helpers.competitions_for_senior_path) %>`;
 export const wfcCompetitionsExportUrl = `<%= CGI.unescape(Rails.application.routes.url_helpers.wfc_competitions_export_path) %>`;
+export const generateDbTokenUrl = `<%= CGI.unescape(Rails.application.routes.url_helpers.panel_generate_db_token_path) %>`
 
 export const wfcXeroUsersUrl = `<%= CGI.unescape(Rails.application.routes.url_helpers.api_v0_wfc_xero_users_path) %>`;
 

config/routes.rb

@@ -188,6 +188,7 @@
   post 'competitions/:id/post_results' => 'competitions#post_results', as: :competition_post_results
 
   get 'panel/pending-claims(/:user_id)' => 'panel#pending_claims_for_subordinate_delegates', as: 'pending_claims'
+  get 'panel/generate_db_token' => 'panel#generate_db_token'
   scope 'panel' do
     get 'staff' => 'panel#staff', as: :panel_staff
     get 'delegate' => 'panel#delegate', as: :panel_delegate