Add ability for admin to edit user profile fields (with note auditing) (forem#22738)

* Add ability for admin to edit user profile fields (with note auditing)

* Fix profile in spec

Author: benhalpern

app/controllers/admin/users_controller.rb

@@ -15,6 +15,9 @@ class UsersController < Admin::ApplicationController
       email
     ].freeze
 
+    ADMIN_PROFILE_USER_PARAMS = %i[name username].freeze
+    ADMIN_PROFILE_PROFILE_PARAMS = %i[summary location website_url].freeze
+
     EMAIL_ALLOWED_PARAMS = %i[
       email_subject
       email_body
@@ -128,6 +131,31 @@ def update_email
       redirect_to admin_user_path(@user)
     end
 
+    def update_profile
+      @user = User.find(params[:id])
+      previous_user_values = @user.slice(*ADMIN_PROFILE_USER_PARAMS)
+      previous_profile_values = (@user.profile || @user.build_profile).slice(*ADMIN_PROFILE_PROFILE_PARAMS)
+
+      update_result = Users::Update.call(@user,
+                                         user: admin_profile_user_params,
+                                         profile: admin_profile_params)
+
+      if update_result.success?
+        Note.create(
+          author_id: current_user.id,
+          noteable_id: @user.id,
+          noteable_type: "User",
+          reason: "admin_profile_update",
+          content: profile_update_note(previous_user_values, previous_profile_values),
+        )
+        flash[:success] = I18n.t("views.admin.users.edit_profile.success")
+      else
+        flash[:error] = update_result.errors_as_sentence
+      end
+
+      redirect_to admin_user_path(@user)
+    end
+
     def max_score
       @user = User.find(params[:id])
       max_score_value = user_params[:max_score]
@@ -580,6 +608,42 @@ def credit_params
       credit_params
     end
 
+    def admin_profile_user_params
+      params.require(:user).permit(ADMIN_PROFILE_USER_PARAMS)
+    end
+
+    def admin_profile_params
+      params.fetch(:profile, {}).permit(ADMIN_PROFILE_PROFILE_PARAMS)
+    end
+
+    def profile_update_note(previous_user_values, previous_profile_values)
+      changes = []
+      updated_user_values = @user.slice(*ADMIN_PROFILE_USER_PARAMS)
+      updated_profile_values = (@user.profile || @user.build_profile).slice(*ADMIN_PROFILE_PROFILE_PARAMS)
+
+      append_profile_change(changes, "name", previous_user_values["name"], updated_user_values["name"])
+      append_profile_change(changes, "username", previous_user_values["username"], updated_user_values["username"])
+      append_profile_change(changes, "summary", previous_profile_values["summary"], updated_profile_values["summary"])
+      append_profile_change(changes, "location", previous_profile_values["location"], updated_profile_values["location"])
+      append_profile_change(changes, "website_url", previous_profile_values["website_url"], updated_profile_values["website_url"])
+
+      if changes.empty?
+        "Admin #{current_user.username} submitted a profile update with no changes detected."
+      else
+        "Admin #{current_user.username} updated profile fields: #{changes.join('; ')}"
+      end
+    end
+
+    def append_profile_change(changes, label, previous_value, updated_value)
+      return if previous_value == updated_value
+
+      changes << "#{label}: #{format_profile_value(previous_value)} -> #{format_profile_value(updated_value)}"
+    end
+
+    def format_profile_value(value)
+      value.present? ? "'#{value}'" : "(blank)"
+    end
+
     def set_current_tab(current_tab = "overview")
       @current_tab = if current_tab.in? Constants::UserDetails::TAB_LIST.map(&:underscore)
                        current_tab

app/views/admin/users/show/profile/_actions.html.erb

@@ -13,6 +13,7 @@
         <% if @user.access_locked? %>
           <li><%= link_to t("views.admin.users.profile.locked.unlock"), unlock_access_admin_user_path(@user), method: :patch, class: "c-link c-link--block" %></li>
         <% end %>
+        <li><button type="button" class="c-btn w-100 align-left" data-modal-title="<%= t("views.admin.users.edit_profile.heading", user: @user.name) %>" data-modal-size="medium" data-modal-content-selector="#edit-profile"><%= t("views.admin.users.profile.options.edit_profile") %></button></li>
         <li><button type="button" class="c-btn w-100 align-left" data-modal-title="<%= t("views.admin.users.update_email.heading", user: @user.name) %>" data-modal-size="medium" data-modal-content-selector="#update-email"><%= t("views.admin.users.profile.options.update_email") %></button></li>
         <li><button type="button" class="c-btn w-100 align-left" data-modal-title="<%= t("views.admin.users.export.heading", user: @user.name) %>" data-modal-size="small" data-modal-content-selector="#export-data"><%= t("views.admin.users.profile.options.export") %></button></li>
         <li><button type="button" class="c-btn w-100 align-left" data-modal-title="<%= t("views.admin.users.merge.heading") %>" data-modal-size="small" data-modal-content-selector="#merge-accounts"><%= t("views.admin.users.profile.options.merge") %></button></li>
@@ -51,6 +52,7 @@
 <%# These are contents for modals %>
 <div class="hidden">
   <%= render "admin/users/show/profile/actions/export" %>
+  <%= render "admin/users/show/profile/actions/edit_profile" %>
   <%= render "admin/users/show/profile/actions/update_email" %>
   <%= render "admin/users/show/profile/actions/merge" %>
   <%= render "admin/users/modals/unpublish_modal" %>

app/views/admin/users/show/profile/actions/_edit_profile.html.erb

@@ -0,0 +1,34 @@
+<div id="edit-profile">
+  <%= form_for(@user, url: update_profile_admin_user_path(@user),
+                      html: { class: "flex flex-col gap-4", method: :patch }) do |f| %>
+    <div class="crayons-notice crayons-notice--warning">
+      <p><%= t("views.admin.users.edit_profile.notice") %></p>
+    </div>
+    <p><%= t("views.admin.users.edit_profile.desc_html", user: @user.name) %></p>
+    <div class="crayons-field">
+      <%= f.label :name, t("views.admin.users.edit_profile.name"), class: "crayons-field__label" %>
+      <%= f.text_field :name, class: "crayons-textfield", required: true %>
+    </div>
+    <div class="crayons-field">
+      <%= f.label :username, t("views.admin.users.edit_profile.username"), class: "crayons-field__label" %>
+      <%= f.text_field :username, class: "crayons-textfield", required: true %>
+    </div>
+    <%= fields_for :profile, (@user.profile || @user.build_profile) do |pf| %>
+      <div class="crayons-field">
+        <%= pf.label :summary, t("views.admin.users.edit_profile.summary"), class: "crayons-field__label" %>
+        <%= pf.text_area :summary, class: "crayons-textfield", rows: 4 %>
+      </div>
+      <div class="crayons-field">
+        <%= pf.label :location, t("views.admin.users.edit_profile.location"), class: "crayons-field__label" %>
+        <%= pf.text_field :location, class: "crayons-textfield" %>
+      </div>
+      <div class="crayons-field">
+        <%= pf.label :website_url, t("views.admin.users.edit_profile.website_url"), class: "crayons-field__label" %>
+        <%= pf.url_field :website_url, class: "crayons-textfield" %>
+      </div>
+    <% end %>
+    <div>
+      <%= f.button t("views.admin.users.edit_profile.submit"), class: "c-btn c-btn--primary", type: "submit" %>
+    </div>
+  <% end %>
+</div>

config/locales/views/admin/en.yml

@@ -356,13 +356,25 @@ en:
           visit: Visit profile
           options:
             icon: Options
+            edit_profile: Edit profile
             update_email: Update User Email
             export: Export data
             merge: Merge users
             unpublish: Unpublished all posts
             remove_social: Remove social accounts
             banish: Banish user
             delete: Delete user
+        edit_profile:
+          heading: Edit %{user}'s profile
+          desc_html: Changes you make here are immediately public on the user's profile.
+          notice: Be careful. These updates are public-facing and affect the user's account.
+          name: Name
+          username: Username
+          summary: Summary
+          location: Location
+          website_url: Website URL
+          submit: Save profile changes
+          success: Profile updated successfully.
         reports:
           subtitle: Reports submitted by %{user} (%{num})
           for_html: For %{url}

config/locales/views/admin/fr.yml

@@ -346,12 +346,24 @@ fr:
           visit: Visit profile
           options:
             icon: Options
+            edit_profile: Modifier le profil
             export: Export data
             merge: Merge users
             unpublish: Unpublished all posts
             remove_social: Remove social accounts
             banish: Banish user
             delete: Delete user
+        edit_profile:
+          heading: Modifier le profil de %{user}
+          desc_html: Les changements faits ici sont immédiatement publics sur le profil de l'utilisateur.
+          notice: Soyez prudent. Ces mises à jour sont visibles publiquement et affectent le compte de l'utilisateur.
+          name: Nom
+          username: Nom d'utilisateur
+          summary: Résumé
+          location: Localisation
+          website_url: URL du site
+          submit: Enregistrer les modifications du profil
+          success: Profil mis à jour avec succès.
         reports:
           subtitle: Reports submitted by %{user} (%{num})
           for_html: For %{url}

config/locales/views/admin/pt.yml

@@ -37,6 +37,20 @@ pt:
         email: E-mail
         username: Nome de usuário
         name: Nome
+        profile:
+          options:
+            edit_profile: Editar perfil
+          edit_profile:
+            heading: Editar perfil de %{user}
+            desc_html: As mudanças feitas aqui ficam imediatamente públicas no perfil do usuário.
+            notice: Tenha cuidado. Essas atualizações são públicas e afetam a conta do usuário.
+            name: Nome
+            username: Nome de usuário
+            summary: Resumo
+            location: Localização
+            website_url: URL do site
+            submit: Salvar alterações do perfil
+            success: Perfil atualizado com sucesso.
         bio: Biografia
         location: Localização
         website: Site

config/routes/admin.rb

@@ -51,6 +51,7 @@
         post "banish"
         patch "reputation_modifier"
         patch "max_score"
+        patch "update_profile"
         patch "update_email"
         post "export_data"
         post "full_delete"

spec/requests/admin/users_manage_spec.rb

@@ -175,6 +175,34 @@ def full_profile
       expect(Note.last.content).to eq("general note about whatever")
     end
 
+    it "updates profile fields and records a note" do
+      user.profile.update!(
+        summary: "Old summary",
+        location: "Old location",
+        website_url: "https://old.example.com",
+      )
+
+      patch update_profile_admin_user_path(user.id), params: {
+        user: { name: "New Name", username: "newuserhandle" },
+        profile: { summary: "New summary", location: "New location", website_url: "https://new.example.com" }
+      }
+
+      user.reload
+
+      expect(user.name).to eq("New Name")
+      expect(user.username).to eq("newuserhandle")
+      expect(user.profile.summary).to eq("New summary")
+      expect(user.profile.location).to eq("New location")
+      expect(user.profile.website_url).to eq("https://new.example.com")
+      expect(Note.last.reason).to eq("admin_profile_update")
+      expect(Note.last.content).to include("Admin #{super_admin.username} updated profile fields")
+      expect(Note.last.content).to include("name:")
+      expect(Note.last.content).to include("username:")
+      expect(Note.last.content).to include("summary:")
+      expect(Note.last.content).to include("location:")
+      expect(Note.last.content).to include("website_url:")
+    end
+
     it "remove credits from account" do
       create_list(:credit, 5, user: user)
       put admin_user_path(user.id), params: { user: { remove_credits: "3" } }