Add assistant users (#209)

* Bump ruby-saml from 1.18.0 to 1.18.1

Bumps [ruby-saml](https://github.com/saml-toolkits/ruby-saml) from 1.18.0 to 1.18.1.
- [Release notes](https://github.com/saml-toolkits/ruby-saml/releases)
- [Changelog](https://github.com/SAML-Toolkits/ruby-saml/blob/master/CHANGELOG.md)
- [Commits](SAML-Toolkits/ruby-saml@v1.18.0...v1.18.1)

---
updated-dependencies:
- dependency-name: ruby-saml
  dependency-version: 1.18.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* add assistant user perms

* sec updates

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vijay Swamidass <[email protected]>

Author: 3 people

Gemfile.lock

@@ -271,11 +271,11 @@ GEM
       net-protocol
     nio4r (2.7.4)
     nkf (0.2.0)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-darwin)
+    nokogiri (1.18.9-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
       racc (~> 1.4)
     nori (2.7.1)
       bigdecimal
@@ -430,7 +430,7 @@ GEM
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     ruby-progressbar (1.13.0)
-    ruby-saml (1.18.0)
+    ruby-saml (1.18.1)
       nokogiri (>= 1.13.10)
       rexml
     rubyzip (2.4.1)
@@ -488,7 +488,7 @@ GEM
       railties (>= 7.0.0)
     tailwindcss-rails (2.7.9-x86_64-linux)
       railties (>= 7.0.0)
-    thor (1.3.2)
+    thor (1.4.0)
     tiktoken_ruby (0.0.11.1-arm64-darwin)
     tiktoken_ruby (0.0.11.1-x86_64-darwin)
     tiktoken_ruby (0.0.11.1-x86_64-linux)

app/controllers/assistant_users_controller.rb

@@ -0,0 +1,54 @@
+class AssistantUsersController < ApplicationController
+  before_action :set_assistant_user, only: %i[destroy]
+
+  def new
+    @assistant = Assistant.find(params[:assistant_id])
+    @assistant_user = @assistant.assistant_users.build
+
+    authorize @assistant_user
+  end
+
+  def index
+    @assistant = Assistant.find(params[:assistant_id])
+    @users = @assistant.users
+
+    respond_to do |format|
+      format.html # renders users.html.erb
+      format.json { render json: @users }
+    end
+  end
+
+  def create
+    @assistant = Assistant.find(params[:assistant_id])
+    @assistant_user = @assistant.assistant_users.build(assistant_user_params)
+
+    authorize @assistant_user
+
+    if @assistant_user.save
+      redirect_to assistant_assistant_users_path(@assistant), notice: 'Assistant user was successfully created.'
+    else
+      render :new
+    end
+  end
+
+  def destroy
+    authorize @assistant_user
+
+    @assistant_user.destroy!
+
+    respond_to do |format|
+      format.html { redirect_to assistant_assistant_users_path(@assistant_user.assistant_id), notice: 'Assistant user removed.' }
+      format.json { head :no_content }
+    end
+  end
+
+  private
+
+  def set_assistant_user
+    @assistant_user = AssistantUser.find_by(user_id: params[:id], assistant_id: params[:assistant_id])
+  end
+
+  def assistant_user_params
+    params.require(:assistant_user).permit(:user_id)
+  end
+end

app/controllers/assistants_controller.rb

@@ -1,5 +1,5 @@
 class AssistantsController < BaseAssistantsController
-  before_action :set_assistant, only: %i[show edit update destroy]
+  before_action :set_assistant, only: %i[show edit update destroy users]
 
   # GET /assistants/1 or /assistants/1.json
   def show
@@ -26,4 +26,9 @@ def clone
     # Render the 'new' view, which will now be used for cloning/editing
     render :new
   end
+
+  # GET /assistants/1/users
+  def users
+    redirect_to assistant_assistant_users_path(@assistant)
+  end
 end

app/controllers/base_assistants_controller.rb

@@ -49,6 +49,8 @@ def update
 
   # DELETE /assistants/1 or /assistants/1.json
   def destroy
+    authorize @assistant
+    
     @assistant.destroy!
 
     respond_to do |format|

app/models/assistant.rb

@@ -4,6 +4,9 @@ class Assistant < ApplicationRecord
   has_many :chats, dependent: :destroy
   belongs_to :user
   belongs_to :library, optional: true
+
+  has_many :assistant_users, dependent: :destroy
+  has_many :users, through: :assistant_users
   enum status: { development: 0, ready: 1 }
   validates :name, presence: true
   validates :slack_channel_name, uniqueness: true, allow_blank: true

app/models/assistant_user.rb

@@ -0,0 +1,6 @@
+class AssistantUser < ApplicationRecord
+  belongs_to :user
+  belongs_to :assistant
+
+  enum role: { admin: 0, editor: 1 }
+end

app/models/user.rb

@@ -13,6 +13,9 @@ class User < ApplicationRecord
   has_many :owned_libraries, class_name: 'Library', foreign_key: 'user_id'
   has_many :owned_assistants, class_name: 'Assistant', foreign_key: 'user_id'
 
+  has_many :assistant_users
+  has_many :assistants, through: :assistant_users
+
   private
 
   def password_strength

app/policies/assistant_policy.rb

@@ -14,7 +14,18 @@ def create?
   end
 
   def update?
-    user.admin? || user.editor? || assistant.user_id == user.id
+    user.admin? || user.editor? || assistant.user_id == user.id || user_is_assistant_editor?
+  end
+
+  def edit?
+    update?
+  end
+
+  private
+
+  def user_is_assistant_editor?
+    assistant_user = AssistantUser.find_by(user: user, assistant: assistant)
+    assistant_user&.editor? || assistant_user&.admin?
   end
 
   def destroy?

app/policies/assistant_user_policy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class AssistantUserPolicy < ApplicationPolicy
+  attr_reader :user, :assistant_user
+
+  def initialize(user, assistant_user)
+    @user = user
+    @assistant_user = assistant_user
+  end
+
+  # Allow assistant owner to update other users on the assistant
+  def create?
+    user.admin? || user.editor? || @assistant_user.assistant.user_id == @user.id
+  end
+
+  def destroy?
+    create?
+  end
+
+  def update?
+    false
+  end
+end

app/views/assistant_users/index.html.erb

@@ -0,0 +1,26 @@
+<%= render partial: 'shared/breadcrumb', locals: { breadcrumbs: [['Home', root_path], [@assistant.name, assistant_path(@assistant)], ['Users', nil]] } %>
+
+<div class="flex justify-between items-center py-2">
+  <h1 class="font-bold text-3xl text-sky-800">Users</h1>
+  <% if policy(@assistant).update? %>
+    <%= render partial: 'shared/button_group', locals: { buttons: { "New" => new_assistant_assistant_user_path(@assistant) } } %>
+  <% end %>
+</div>
+<div class="bg-white shadow-md rounded-lg overflow-hidden">
+  <div class="grid grid-cols-3 gap-4 p-4 bg-gray-200 font-semibold">
+    <div>Email</div>
+    <div>Role</div>
+    <div>Actions</div>
+  </div>
+  <% @users.each do |user| %>
+    <div class="grid grid-cols-3 gap-4 p-4 border-b border-gray-200">
+      <div><%= user.email %></div>
+      <div><%= user.assistant_users.find_by(assistant: @assistant).role.capitalize %></div>
+      <div>
+        <% if policy(@assistant).update? %>
+          <%= button_to 'Delete', assistant_assistant_user_path(@assistant, user), method: :delete, data: { confirm: 'Are you sure?' }, class: "text-red-600" %>
+        <% end %>
+      </div>
+    </div>
+  <% end %>
+</div>