Merge pull request #2622 from alphagov/refactor-api-users-controller

Refactor ApiUsersController

app/controllers/api_users_controller.rb

@@ -5,7 +5,7 @@ class ApiUsersController < ApplicationController
 
   before_action :authenticate_user!
   before_action :load_and_authorize_api_user, only: %i[edit manage_permissions manage_tokens update]
-  helper_method :applications_and_permissions, :visible_applications
+  helper_method :api_user_applications_and_permissions, :visible_applications
 
   respond_to :html
 
@@ -70,4 +70,13 @@ def sanitise(permitted_user_params)
       current_user_role: current_user.role.to_sym,
     ).sanitise
   end
+
+  def api_user_applications_and_permissions(user)
+    zip_permissions(visible_applications(user), user)
+  end
+
+  def visible_applications(user)
+    api_user_authorised_apps = user.authorisations.not_revoked.pluck(:application_id)
+    Doorkeeper::Application.includes(:supported_permissions).where(id: api_user_authorised_apps)
+  end
 end

app/views/api_users/manage_permissions.html.erb

@@ -20,10 +20,61 @@
 <h1>Manage permissions for API User <%= @api_user.name %></h1>
 
 <%= form_for @api_user, :html => {:class => 'well add-top-margin'} do |f| %>
-  <% if applications_and_permissions(@api_user).any? %>
+  <% if api_user_applications_and_permissions(@api_user).any? %>
     <hr />
     <h2 class="add-vertical-margins">Permissions</h2>
-    <%= render partial: "shared/user_permissions", locals: { user_object: f.object }%>
+    <table id="editable-permissions" class="table table-bordered table-striped table-on-white">
+      <thead>
+        <tr class="table-header">
+          <th>Application</th>
+          <th>Permissions</th>
+          <th>Last synced at</th>
+        </tr>
+      </thead>
+      <tbody>
+        <% api_user_applications_and_permissions(@api_user).each do |(application, permissions)|
+          supported_permission_field_name = "api_user[supported_permission_ids][]"
+          supported_permission_field_prefix = "api_user_application_#{application.id}_supported_permission" %>
+          <tr>
+            <td>
+              <%= application.name %>
+            </td>
+            <%
+              # Emulate form.check_box helper:
+              # http://api.rubyonrails.org/v3.1.3/classes/ActionView/Helpers/FormHelper.html#method-i-check_box
+              # API Users will always have a "signin" permission for apps for which they have access token.
+              # The hidden field ensures it is not lost.
+            %>
+            <%= hidden_field_tag supported_permission_field_name, application.signin_permission.id, id: "#{supported_permission_field_prefix}_#{SupportedPermission::SIGNIN_NAME}" %>
+            <td>
+              <%= label_tag "#{supported_permission_field_prefix}_ids", "Permissions for #{application.name}", class: "rm" %>
+              <% supported_permissions_options = application.supported_permissions.grantable_from_ui
+                                                  .inject({}) {|h, per| h.merge(per.name => per.id) }
+                supported_permissions_options.delete(SupportedPermission::SIGNIN_NAME) %>
+              <%= select_tag supported_permission_field_name,
+                              options_for_select(supported_permissions_options,
+                                @api_user.permission_ids_for(application) - [application.signin_permission.id]),
+                              multiple: true,
+                              class: "chosen-select",
+                              id: "#{supported_permission_field_prefix}_ids",
+                              'data-module' => 'chosen',
+                              'data-placeholder' => 'Start typing to search for permissions'
+              %>
+            </td>
+            <td>
+              <% synced_permissions = permissions.select { |p| p.last_synced_at.present? } %>
+              <% if synced_permissions.any? %>
+                <span class="label <%= sync_needed?(synced_permissions) ? "label-danger" : "label-success" %>">
+                  <%= time_ago_in_words(synced_permissions.map(&:last_synced_at).max) %> ago
+                </span>
+              <% else %>
+                <span class="label label-danger">Never</span>
+              <% end %>
+            </td>
+          </tr>
+        <% end %>
+      </tbody>
+    </table>
   <% end %>
 
   <%= f.submit 'Update API user', :class => 'btn btn-primary' %>

lib/user_permissions_controller_methods.rb

@@ -1,35 +1,13 @@
 module UserPermissionsControllerMethods
 private
 
-  def visible_applications(user)
-    if user.api_user?
-      applications = Doorkeeper::Application.includes(:supported_permissions)
-      if current_user.superadmin?
-        api_user_authorised_apps = user.authorisations.not_revoked.pluck(:application_id)
-        applications.where(id: api_user_authorised_apps)
-      else
-        applications.none
-      end
-    else
-      policy_scope(:user_permission_manageable_application)
-    end
-  end
-
   def applications_and_permissions(user)
-    zip_permissions(visible_applications(user).includes(:supported_permissions), user)
+    zip_permissions(policy_scope(:user_permission_manageable_application).includes(:supported_permissions), user)
   end
 
   def zip_permissions(applications, user)
     applications.map do |application|
       [application, user.application_permissions.where(application_id: application.id)]
     end
   end
-
-  def all_applications_and_permissions_for(user)
-    user
-      .supported_permissions
-      .merge(Doorkeeper::Application.not_api_only)
-      .includes(:application)
-      .group_by(&:application)
-  end
 end