Redesign site-wide user management page (#2830)

This PR builds on top of the work started in
#2778, completely rethinking the
design of the previous `manageUsers.php` page. Since the global
invitation workflow is substantially different from the project
invitation workflow, I created completely separate tables and models.
Accordingly, I made the project invitations names more specific to
better differentiate between the two invitation types.

A few key changes:
- Instead of giving administrators the ability to add users directly,
users must now be invited via email.
- User invitation is only allowed if username+password is allowed
(according to the `USERNAME_PASSWORD_AUTHENTICATION_ENABLED`
configuration option).
- The list of users is now available to users of all access levels, with
email addresses limited to administrators thanks to
#2818.
- Administrators can no longer change their own role.
- Everything is now controlled via the GraphQL API, meaning that users
can now execute these actions programmatically if desired. This may be
useful for CDash administrators who wish to use a custom user management
workflow not otherwise support by our LDAP, OAuth, or SAML integrations.

The new look:

![image](https://github.com/user-attachments/assets/6043da57-1d9c-4e95-ae6a-a415f3ed395d)

Author: williamjallen

.eslintignore

@@ -47,7 +47,6 @@ resources/js/angular/cdashUploadFilesSorter.js
 resources/js/angular/cdashSortable.js
 resources/js/angular/cdashSiteSorter.js
 resources/js/angular/cdashProjectRole.js
-resources/js/angular/cdashManageUsers.js
 resources/js/angular/cdashFilters.js
 resources/js/angular/cdashCoverageGraph.js
 resources/js/angular/bulletchart.js

app/Enums/GlobalRole.php

@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Enums;
+
+enum GlobalRole: string
+{
+    case USER = 'USER';
+    case ADMINISTRATOR = 'ADMINISTRATOR';
+}

app/GraphQL/Mutations/ChangeGlobalRole.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\GraphQL\Mutations;
+
+use App\Enums\GlobalRole;
+use App\Models\User;
+use Exception;
+use Illuminate\Support\Facades\Validator;
+use Illuminate\Validation\Rule;
+use Illuminate\Validation\ValidationException;
+
+final class ChangeGlobalRole extends AbstractMutation
+{
+    public ?User $user = null;
+
+    /**
+     * @param array{
+     *     userId: int,
+     *     role: GlobalRole,
+     * } $args
+     *
+     * @throws ValidationException
+     */
+    protected function mutate(array $args): void
+    {
+        Validator::make($args, [
+            'userId' => [
+                'required',
+            ],
+            'role' => [
+                'required',
+                Rule::enum(GlobalRole::class),
+            ],
+        ])->validate();
+
+        /** @var ?User $user */
+        $user = auth()->user();
+        if ($user === null) {
+            // This should never happen, but we handle the case anyway to make PHPStan happy.
+            throw new Exception('Attempt to invite user when not signed in.');
+        }
+
+        $userToChange = User::find((int) $args['userId']);
+        if ($userToChange === null) {
+            $this->message = 'Cannot change role for user which does not exist.';
+            return;
+        }
+
+        if ($user->cannot('changeRole', $userToChange)) {
+            $this->message = 'Insufficient permissions.';
+            return;
+        }
+
+        $userToChange->admin = $args['role'] === GlobalRole::ADMINISTRATOR;
+        $userToChange->save();
+
+        $this->user = $userToChange;
+    }
+}

app/GraphQL/Mutations/CreateGlobalInvitation.php

@@ -0,0 +1,80 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\GraphQL\Mutations;
+
+use App\Enums\GlobalRole;
+use App\Mail\InvitedToCdash;
+use App\Models\GlobalInvitation;
+use App\Models\User;
+use Exception;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Facades\Validator;
+use Illuminate\Support\Str;
+use Illuminate\Validation\Rule;
+
+final class CreateGlobalInvitation extends AbstractMutation
+{
+    public ?GlobalInvitation $invitedUser = null;
+
+    /**
+     * @param array{
+     *     email: string,
+     *     role: GlobalRole,
+     * } $args
+     *
+     * @throws Exception
+     */
+    protected function mutate(array $args): void
+    {
+        // This field might not reset when testing since the same mocked request is reused.
+        $this->invitedUser = null;
+
+        Validator::make($args, [
+            'email' => [
+                'required',
+                'email:strict',
+            ],
+            'role' => [
+                'required',
+                Rule::enum(GlobalRole::class),
+            ],
+        ])->validate();
+
+        /** @var ?User $user */
+        $user = auth()->user();
+        if ($user === null) {
+            // This should never happen, but we handle the case anyway to make PHPStan happy.
+            throw new Exception('Attempt to invite user when not signed in.');
+        }
+
+        if ($user->cannot('createInvitation', GlobalInvitation::class)) {
+            abort(401, 'This action is unauthorized.');
+        }
+
+        if (GlobalInvitation::where('email', $args['email'])->exists()) {
+            abort(400, 'Duplicate invitations are not allowed.');
+        }
+
+        if (User::where('email', $args['email'])->exists()) {
+            abort(401, 'User is already a member of this instance.');
+        }
+
+        $password = Str::password();
+
+        $this->invitedUser = GlobalInvitation::create([
+            'email' => $args['email'],
+            'invited_by_id' => $user->id,
+            'role' => $args['role'],  // Note: we assume that anyone who can invite users can assign them any role.
+            'invitation_timestamp' => Carbon::now(),
+            'password' => Hash::make($password),
+        ]);
+
+        // The email gets sent to the queue, so we have no way to know immediately whether it was sent or not.
+        // TODO: We should eventually track whether the email was actually sent.
+        Mail::to($args['email'])->send(new InvitedToCdash($this->invitedUser, $password));
+    }
+}

app/GraphQL/Mutations/InviteToProject.php

@@ -7,8 +7,8 @@
 use App\Enums\ProjectRole;
 use App\Mail\InvitedToProject;
 use App\Models\Project;
+use App\Models\ProjectInvitation;
 use App\Models\User;
-use App\Models\UserInvitation;
 use Exception;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Mail;
@@ -17,7 +17,7 @@
 
 final class InviteToProject extends AbstractMutation
 {
-    public ?UserInvitation $invitedUser = null;
+    public ?ProjectInvitation $invitedUser = null;
 
     /**
      * @param array{
@@ -55,12 +55,12 @@ protected function mutate(array $args): void
         }
 
         $project = isset($args['projectId']) ? Project::find((int) $args['projectId']) : null;
-        if ($project === null || $user->cannot('inviteUsers', $project)) {
+        if ($project === null || $user->cannot('inviteUser', $project)) {
             $this->message = 'This action is unauthorized.';
             return;
         }
 
-        if (UserInvitation::where(['email' => $args['email'], 'project_id' => $args['projectId']])->exists()) {
+        if (ProjectInvitation::where(['email' => $args['email'], 'project_id' => $args['projectId']])->exists()) {
             $this->message = 'Duplicate invitations are not allowed.';
             return;
         }
@@ -70,7 +70,7 @@ protected function mutate(array $args): void
             return;
         }
 
-        $this->invitedUser = UserInvitation::create([
+        $this->invitedUser = ProjectInvitation::create([
             'email' => $args['email'],
             'invited_by_id' => $user->id,
             'project_id' => $args['projectId'],

app/GraphQL/Mutations/RemoveUser.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\User;
+use Illuminate\Support\Facades\Gate;
+
+final class RemoveUser extends AbstractMutation
+{
+    /**
+     * @param array{
+     *     userId: int,
+     * } $args
+     */
+    protected function mutate(array $args): void
+    {
+        $user = User::find((int) $args['userId']);
+
+        if ($user === null) {
+            abort(404, 'User does not exist.');
+        }
+
+        Gate::authorize('delete', $user);
+
+        $user->delete();
+    }
+}

app/GraphQL/Mutations/RevokeGlobalInvitation.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\GlobalInvitation;
+use Illuminate\Support\Facades\Gate;
+
+final class RevokeGlobalInvitation extends AbstractMutation
+{
+    /**
+     * @param array{
+     *     invitationId: int,
+     * } $args
+     */
+    protected function mutate(array $args): void
+    {
+        $invitation = GlobalInvitation::find((int) $args['invitationId']);
+
+        if ($invitation === null) {
+            abort(400, 'Invitation does not exist.');
+        }
+
+        Gate::authorize('revokeInvitation', $invitation);
+
+        $invitation->delete();
+    }
+}

…p/GraphQL/Mutations/RevokeInvitation.php …QL/Mutations/RevokeProjectInvitation.phpapp/GraphQL/Mutations/RevokeInvitation.php renamed to app/GraphQL/Mutations/RevokeProjectInvitation.php app/GraphQL/Mutations/RevokeInvitation.php renamed to app/GraphQL/Mutations/RevokeProjectInvitation.php

@@ -4,10 +4,10 @@
 
 namespace App\GraphQL\Mutations;
 
-use App\Models\UserInvitation;
+use App\Models\ProjectInvitation;
 use Illuminate\Support\Facades\Gate;
 
-final class RevokeInvitation extends AbstractMutation
+final class RevokeProjectInvitation extends AbstractMutation
 {
     /**
      * @param array{
@@ -16,14 +16,14 @@ final class RevokeInvitation extends AbstractMutation
      */
     protected function mutate(array $args): void
     {
-        $invitation = UserInvitation::find((int) $args['invitationId']);
+        $invitation = ProjectInvitation::find((int) $args['invitationId']);
 
         if ($invitation === null) {
             $this->message = 'Invitation does not exist.';
             return;
         }
 
-        Gate::authorize('revokeInvitations', $invitation->project);
+        Gate::authorize('revokeInvitation', $invitation->project);
 
         $invitation->delete();
     }

app/Http/Controllers/Auth/LoginController.php

@@ -56,7 +56,7 @@ public function __construct()
      */
     public function login(Request $request)
     {
-        if (config('auth.username_password_authentication_enabled') === false) {
+        if (config('cdash.username_password_authentication_enabled') === false) {
             return $this->sendFailedLoginResponse($request);
         }
         return $this->traitLogin($request);

app/Http/Controllers/GlobalInvitationController.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Enums\GlobalRole;
+use App\Models\GlobalInvitation;
+use App\Models\User;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Auth;
+
+final class GlobalInvitationController extends AbstractController
+{
+    // We assume that this signed route has been verified already...
+    public function __invoke(Request $request, int $invitationId): RedirectResponse
+    {
+        if (config('cdash.username_password_authentication_enabled') === false) {
+            abort(401, 'Username and password registration is disabled.');
+        }
+
+        $user_invite = GlobalInvitation::find($invitationId);
+        if ($user_invite === null) {
+            abort(404, 'Invitation does not exist.');
+        }
+
+        if (User::where('email', $user_invite->email)->exists()) {
+            $user_invite->deleteOrFail();
+            abort(401, 'You are already registered.');
+        }
+
+        Auth::login(User::forceCreate([
+            'admin' => $user_invite->role === GlobalRole::ADMINISTRATOR,
+            'email' => $user_invite->email,
+            'password' => $user_invite->password,
+            'password_updated_at' => Carbon::now(),
+        ]));
+
+        $user_invite->deleteOrFail();
+
+        return response()->redirectTo('/profile?password_expired=1');
+    }
+}