org settings edge case validations

[bantic]

the UI should enforce these where feasible, and the server must enforce all of these

• [x] We don't ever want to allow an organization to exist without at least 1 privileged user present. Cannot de-privilege a role if doing so means there will be no users belonging to privileged roles. (https://github.com/aptible/auth.aptible.com/pull/149)
  • Cannot delete/de-privilege last privileged role
  • Cannot delete/de-privilege a role if all other privileged roles have 0 users
• [x] Cannot delete a role if any of its users belong to no other roles. (This would effectively remove those users from the organization) (https://github.com/aptible/auth.aptible.com/pull/149)
• [x] Should not be able to remove all of a user's roles (when editing a user). (Fixed in #236)

Use cases:

• Bob is a member of the privileged Bishops role. The Bishops role has no other members. There are no other roles.
  • Bob cannot de-privilege the Bishops role
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
• Bob is a member of the privileged Bishops role. The Bishops role has no other members. Mike is a member of the privileged Knights role.
  • Bob cannot de-privilege the Bishops role
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
  • Bob can de-privileged the Knights role
  • Bob can remove Mike from the Knights role
  • Bob cannot destroy the Knights role
• Bob is a member of the privileged Bishops role. Sam is a member of the privileged Bishops role.
  • Bob cannot de-privilege himself
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
  • Bob can remove Sam from Bishops
• Bob is a member of the privileged Bishops role. The Bishops role has no other members. Sam and Mike is a member of the privileged Knights role.
  • Bob cannot de-privilege the Bishops role
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
  • Bob can de-privileged the Knights role
  • Bob can remove Mike from the Knights role
  • Bob can remove Sam from the Knights role
  • Bob cannot destroy the Knights role
• Bob is a member of the privileged Bishops role. The Bishops role has no other members. Mike is a member of the privileged Knights role, and a member of the privileged Rooks role.
  • Bob cannot de-privilege the Bishops role
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
  • Bob can de-privileged the Knights role
  • Bob can remove Mike from the Knights role
  • Bob can remove Mike from the Rooks role
  • Bob cannot destroy the Knights role
• Bob is a member of the privileged Bishops role. Mike is a member of the privileged Bishops role, and a member of the privileged Knights role.
  • Bob cannot de-privilege the Bishops role
  • Bob cannot remove himself from Bishops
  • Bob cannot destroy the Bishops role
  • Bob can de-privileged the Knights role
  • Bob can remove Mike from the Bishops role
  • Bob can remove Mike from the Knights role
  • Bob can destroy the Knights role
• Bob is a member of the privileged Bishops role, and a member of privileged Knights.
  • Bob can de-privilege the Bishops role
  • Bob can remove himself from Bishops
  • Bob can destroy the Bishops role
  • Bob can de-privilege the Knights role
  • Bob can remove himself from Knights
  • Bob can destroy the Knights role

[bantic]

an alternative to the first item above (not allowing an org to exist w/out >= 1 privileged user) would be to simply not allow a user to take an action that would remove their own privileged status:

• do not allow a user to delete/de-privilege a role if that user doesn't belong to another privileged role

[mixonic]

I believe disallowing a user from de-privileging themselves might be much easier to message on the client-side, and cover much of the surface involved in this ticket.

[fancyremarker]

@sandersonet / @mixonic / @bantic: Is this done?

[skylar-anderson]

I'll test to confirm and close if so.