Fixed not being able to remove all user roles

ssddanbrown · ssddanbrown · commit 0123d83fb27f · 2022-12-16T17:44:13.000Z
User roles would only be actioned if they existed in the form request, hence removal of all roles would have no data to action upon. This adds a placeholder 0-id role to ensure there is always role data to send, even when no roles are selected. This field value is latter filtered out. Added test to cover. Likely related to #3922.
diff --git a/app/Auth/UserRepo.php b/app/Auth/UserRepo.php
@@ -234,6 +234,8 @@ protected function isOnlyAdmin(User $user): bool
      */
     protected function setUserRoles(User $user, array $roles)
     {
+        $roles = array_filter(array_values($roles));
+
         if ($this->demotingLastAdmin($user, $roles)) {
             throw new UserUpdateException(trans('errors.role_cannot_remove_only_admin'), $user->getEditUrl());
         }
diff --git a/resources/views/form/role-checkboxes.blade.php b/resources/views/form/role-checkboxes.blade.php
@@ -1,5 +1,6 @@
 
 <div class="toggle-switch-list dual-column-content">
+    <input type="hidden" name="{{ $name }}[0]" value="0">
     @foreach($roles as $role)
         <div>
             @include('form.custom-checkbox', [
diff --git a/tests/User/UserManagementTest.php b/tests/User/UserManagementTest.php
@@ -274,4 +274,34 @@ public function test_user_create_update_fails_if_locale_is_invalid()
         $resp->assertSessionHasErrors(['language' => 'The language may not be greater than 15 characters.']);
         $resp->assertSessionHasErrors(['language' => 'The language may only contain letters, numbers, dashes and underscores.']);
     }
+
+    public function test_role_removal_on_user_edit_removes_all_role_assignments()
+    {
+        $user = $this->getEditor();
+
+        $this->assertEquals(1, $user->roles()->count());
+
+        // A roles[0] hidden fields is used to indicate the existence of role selection in the submission
+        // of the user edit form. We check that field is used and emulate its submission.
+        $resp = $this->asAdmin()->get("/settings/users/{$user->id}");
+        $this->withHtml($resp)->assertElementExists('input[type="hidden"][name="roles[0]"][value="0"]');
+
+        $resp = $this->asAdmin()->put("/settings/users/{$user->id}", [
+            'name'  => $user->name,
+            'email' => $user->email,
+            'roles' => ['0' => '0'],
+        ]);
+        $resp->assertRedirect("/settings/users");
+
+        $this->assertEquals(0, $user->roles()->count());
+    }
+
+    public function test_role_form_hidden_indicator_field_does_not_exist_where_roles_cannot_be_managed()
+    {
+        $user = $this->getEditor();
+        $resp = $this->actingAs($user)->get("/settings/users/{$user->id}");
+        $html = $this->withHtml($resp);
+        $html->assertElementExists('input[name="email"]');
+        $html->assertElementNotExists('input[type="hidden"][name="roles[0]"]');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,8 @@ protected function isOnlyAdmin(User $user): bool`
`234`	`234`	`*/`
`235`	`235`	`protected function setUserRoles(User $user, array $roles)`
`236`	`236`	`{`
	`237`	`+ $roles = array_filter(array_values($roles));`
	`238`	`+`
`237`	`239`	`if ($this->demotingLastAdmin($user, $roles)) {`
`238`	`240`	`throw new UserUpdateException(trans('errors.role_cannot_remove_only_admin'), $user->getEditUrl());`
`239`	`241`	`}`