author | Dave Arter <davea@mysociety.org> | 2016-08-17 15:31:56 +0100 |
---|---|---|
committer | Dave Arter <davea@mysociety.org> | 2016-08-17 15:38:07 +0100 |
commit | d2a00747fc56342ed262804d8f268335e6ec1dfa (patch) | |
tree | 81e06668a97416ac9ae0d537380fc247e1f91c3c /perllib/FixMyStreet | |
parent | 4eb4658ad589d01d58b239993e201c47325a2eb4 (diff) |
Allow user permissions to be granted/revoked in admin
Diffstat (limited to 'perllib/FixMyStreet')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 29 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/Default.pm | 31 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/UKCouncils.pm | 10 |
3 files changed, 67 insertions, 3 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index ce2a653a2..c8432df0c 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -1129,6 +1129,10 @@ sub user_edit : Path('user_edit') : Args(1) {
 $c->stash->{user} = $user;
+ if ( $user->from_body && $c->user->has_permission_to('user_manage_permissions', $user->from_body->id) ) {
+ $c->stash->{available_permissions} = $c->cobrand->available_permissions;
+ }
+
 $c->forward('fetch_all_bodies');
 if ( $c->get_param('submit') ) {
@@ -1139,7 +1143,7 @@ sub user_edit : Path('user_edit') : Args(1) {
 if ( $user->email ne $c->get_param('email') ||
 $user->name ne $c->get_param('name') ||
 ($user->phone || "") ne $c->get_param('phone') ||
- ($user->from_body && $user->from_body->id ne $c->get_param('body')) ||
+ ($user->from_body && $c->get_param('body') && $user->from_body->id ne $c->get_param('body')) ||
 (!$user->from_body && $c->get_param('body'))
 ) {
 $edited = 1;
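Review bot: The `user_manage_permissions` check added at the top of user_edit is made against the target's from_body as loaded, and its result survives only as the presence of `$c->stash->{available_permissions}`, which the submit branch in the third hunk then uses as its write gate. In that branch from_body can be reassigned before the permission rows are written with `body_id => $user->from_body->id`, so the body that was authorised and the body written to can differ; whether a non-superuser can reach that depends on has_permission_to, which is not shown here. I would repeat the check at the point of writing, e.g. `} elsif ( $c->user->has_permission_to('user_manage_permissions', $user->from_body->id) ) {`, and treat the stash entry as display data only. The body of user_edit starts and ends outside this hunk.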
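Review bot: With the added `$c->get_param('body') &&` guard, a submit that clears the body of a staff user (empty `body` parameter) no longer sets `$edited`, although the third hunk then sets from_body to undef and deletes that user's permissions. If `$edited` is what triggers the admin log entry further down (not visible in this hunk), removal of staff access and permission changes would go unrecorded. Consider setting `$edited = 1` whenever from_body or the permission set actually changes, and adding a comment on the condition such as `# an absent body field is not treated as an edit`.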
@@ -1153,14 +1157,33 @@ sub user_edit : Path('user_edit') : Args(1) {
 $user->is_superuser( ( $c->user->is_superuser && $c->get_param('is_superuser') ) || 0 );
 # Superusers can set from_body to any value, but other staff can only
 # set from_body to the same value as their own from_body.
- if ($c->user->is_superuser) {
+ if ( $c->user->is_superuser ) {
 $user->from_body( $c->get_param('body') || undef );
- } elsif ($c->get_param('body') eq $c->user->from_body->id) {
+ } elsif ( $c->user->has_permission_to('user_assign_body', $c->user->from_body->id ) &&
+ $c->get_param('body') && $c->get_param('body') eq $c->user->from_body->id ) {
 $user->from_body( $c->user->from_body );
 } else {
 $user->from_body( undef );
 }
+ if (!$user->from_body) {
+ # Non-staff users aren't allowed any permissions
+ $user->user_body_permissions->delete_all;
+ } elsif ($c->stash->{available_permissions}) {
+ my @all_permissions = map { keys %$_ } values %{ $c->stash->{available_permissions} };
+ my @user_permissions = grep { $c->get_param("permissions[$_]") ? 1 : undef } @all_permissions;
+ $user->user_body_permissions->search({
+ body_id => $user->from_body->id,
+ permission_type => { '!=' => \@user_permissions },
+ })->delete;
+ foreach my $permission_type (@user_permissions) {
+ $user->user_body_permissions->find_or_create({
+ body_id => $user->from_body->id,
+ permission_type => $permission_type,
+ });
+ }
+ }
+
 unless ($user->email) {
 $c->stash->{field_errors}->{email} = _('Please enter a valid email');
 return;
diff --git a/perllib/FixMyStreet/Cobrand/Default.pm b/perllib/FixMyStreet/Cobrand/Default.pm
index 8c75a1234..326919654 100644
--- a/perllib/FixMyStreet/Cobrand/Default.pm
+++ b/perllib/FixMyStreet/Cobrand/Default.pm
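Review bot: The final `else` branch clears from_body for every editor who is not a superuser and either lacks `user_assign_body` or submitted no `body` value, and the new `if (!$user->from_body)` block then deletes all of the target's permissions. An editor who only holds the right to edit user details would therefore strip staff status and every permission from the account just by saving the form. I would only touch from_body when the editor is a superuser or holds `user_assign_body`, and leave it unchanged otherwise, as sketched below. Separately, `{ '!=' => \@user_permissions }` with more than one value is, as far as I recall SQL::Abstract, an always-true OR of inequalities; `{ -not_in => \@user_permissions }` would state the intent. The enclosing submit branch starts and ends outside this hunk.

```perl
if ( $c->user->is_superuser ) {
    $user->from_body( $c->get_param('body') || undef );
} elsif ( $c->user->has_permission_to('user_assign_body', $c->user->from_body->id ) ) {
    # Staff who may assign a body can set it to their own body or clear it.
    my $own_body = $c->get_param('body') && $c->get_param('body') eq $c->user->from_body->id;
    $user->from_body( $own_body ? $c->user->from_body : undef );
}
# Editors without user_assign_body leave from_body, and with it the
# target's permissions, as they were.
# … unchanged: permission delete / find_or_create block …
```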
@@ -658,6 +658,37 @@ sub admin_allow_user {
 return 1 if $user->is_superuser;
 }
+=head2 available_permissions
+
+Grouped lists of permission types available for use in the admin
+
+=cut
+
+sub available_permissions {
+ my $self = shift;
+
+ return {
+ _("Problems") => {
+ moderate => _("Moderate report details"),
+ report_edit => _("Edit reports"),
+ report_edit_category => _("Edit report category"), # future use
+ report_edit_priority => _("Edit report priority"), # future use
+ report_inspect => _("Markup problem details"),
+ report_instruct => _("Instruct contractors to fix problems"), # future use
+ planned_reports => _("Manage planned reports list"),
+ contribute_as_another_user => _("Create reports/updates on a user's behalf"),
+ contribute_as_body => _("Create reports/updates as the council"),
+ },
+ _("Users") => {
+ user_edit => _("Edit other users' details"),
+ user_manage_permissions => _("Edit other users' permissions"),
+ user_assign_body => _("Grant access to the admin"),
+ user_assign_areas => _("Assign users to areas"), # future use
+ },
+ };
+}
+
+
 =head2 area_types
 The MaPit types this site handles
diff --git a/perllib/FixMyStreet/Cobrand/UKCouncils.pm b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
index 701a4ca1c..5d72c4962 100644
--- a/perllib/FixMyStreet/Cobrand/UKCouncils.pm
+++ b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
@@ -184,4 +184,14 @@ sub admin_allow_user {
 return $user->from_body->id == $self->council_id;
 }
+sub available_permissions {
+ my $self = shift;
+
+ my $perms = $self->next::method();
+ $perms->{Problems}->{contribute_as_body} = "Create reports/updates as " . $self->council_name;
+ $perms->{Users}->{user_assign_areas} = "Assign users to areas in " . $self->council_name;
+
+ return $perms;
+}
+
 1; |
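Review bot: The inner keys of this hash are more than labels: the Admin.pm change in this commit flattens them into `@all_permissions` and uses that as the set of permission types a form submission may write to user_body_permissions. The POD should say so, for instance `The keys of each group are the permission types that can be granted through the admin; adding a key here makes it grantable.` The entries marked `# future use` become grantable as soon as this lands, so rows stored now would take effect without further review once code starts checking them; consider leaving them out until they are enforced.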
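Review bot: The UKCouncils override indexes the parent hash with the literal keys `Problems` and `Users`, while Default.pm builds those keys with `_("Problems")` and `_("Users")`. Under any locale where those strings are translated, the lookups would autovivify two extra groups holding one permission each instead of relabelling the existing entries. Using `$perms->{_("Problems")}` and `$perms->{_("Users")}` keeps the two in step, assuming `_` is imported in this module. The two new labels are also not passed through `_()`, unlike every label in the parent.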