Team admin admin

Admins now can designate other members as admins, and can also remove
admin permissions. Admins can also leave the team now, except for the
last admin.

Author: dutow

app/assets/stylesheets/components/settings.css

@@ -82,6 +82,7 @@
 .settings-page .button-primary,
 .settings-page .button-secondary,
 .settings-page .button-danger,
+.settings-page .button-danger-secondary,
 .settings-page input[type="submit"] {
   display: inline-flex;
   align-items: center;
@@ -304,7 +305,8 @@
   margin-left: var(--spacing-2);
 }
 
-.settings-page .member-list .button-secondary {
+.settings-page .member-list .button-secondary,
+.settings-page .member-list .button-danger-secondary {
   font-size: var(--font-size-xs);
   padding: var(--spacing-2) var(--spacing-3);
 }
@@ -382,3 +384,42 @@
   font-size: var(--font-size-sm);
   margin-top: var(--spacing-1);
 }
+
+/* Member management */
+.settings-page .member-list .member-item {
+  flex-wrap: nowrap;
+}
+
+.settings-page .member-list .member-info {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-2);
+  flex: 1;
+  min-width: 0;
+}
+
+.settings-page .member-list .member-actions {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-2);
+  flex-shrink: 0;
+}
+
+.settings-page .member-list .member-actions .hint {
+  font-size: var(--font-size-xs);
+  color: var(--color-text-secondary);
+  font-style: italic;
+}
+
+.settings-page .button-danger-secondary {
+  background: var(--color-bg-card);
+  color: var(--color-danger-text);
+  border-color: var(--color-border);
+}
+
+.settings-page .button-danger-secondary:hover {
+  border-color: var(--color-danger-text);
+  background: var(--color-danger-bg-hover);
+  box-shadow: var(--shadow-sm);
+  transform: translateY(-1px);
+}

app/controllers/settings/team_members_controller.rb

@@ -17,12 +17,39 @@ def create
       redirect_to settings_team_path(@team), alert: e.record.errors.full_messages.to_sentence
     end
 
+    def update
+      authorize_admin!
+      return if performed?
+
+      membership = @team.team_members.find(params[:id])
+      new_role = params[:role]
+
+      # Prevent admin from removing their own admin status
+      if membership.user_id == current_user.id && new_role == "member"
+        return redirect_to settings_team_path(@team), alert: "You cannot remove your own admin status"
+      end
+
+      # Prevent removing the last admin
+      if membership.admin? && new_role == "member" && @team.last_admin?(membership)
+        return redirect_to settings_team_path(@team), alert: "Cannot demote the last admin"
+      end
+
+      membership.update!(role: new_role)
+      redirect_to settings_team_path(@team), notice: "Member role updated"
+    rescue ActiveRecord::RecordInvalid => e
+      redirect_to settings_team_path(@team), alert: e.record.errors.full_messages.to_sentence
+    end
+
     def destroy
       membership = @team.team_members.find(params[:id])
 
       if membership.user_id == current_user.id
-        membership.destroy
-        redirect_to settings_teams_path, notice: "You left the team"
+        if @team.last_admin?(membership)
+          redirect_to settings_team_path(@team), alert: "You cannot leave as the last admin"
+        else
+          membership.destroy
+          redirect_to settings_teams_path, notice: "You left the team"
+        end
       else
         authorize_admin!
         return if performed?

app/views/settings/teams/show.html.slim

@@ -47,14 +47,22 @@
     - if @team_members.any?
       ul.member-list
         - @team_members.each do |member|
-          li
-            = member.user.aliases.first&.name || "User ##{member.user.id}"
-            - if member.role_admin?
-              span.role-badge Admin
-            - if @can_manage && member.user_id != current_user&.id
-              = button_to "Remove", settings_team_team_member_path(@team, member), method: :delete, class: "button-secondary", data: { turbo_confirm: "Remove this member?" }
-            - if member.user_id == current_user&.id && !member.role_admin?
-              = button_to "Leave team", settings_team_team_member_path(@team, member), method: :delete, class: "button-secondary", data: { turbo_confirm: "Leave this team?" }
+          li.member-item
+            .member-info
+              = member.user.aliases.first&.name || "User ##{member.user.id}"
+              - if member.role_admin?
+                span.role-badge Admin
+            .member-actions
+              - if @can_manage && member.user_id != current_user&.id
+                - if member.role_admin?
+                  = button_to "Make member", settings_team_team_member_path(@team, member), method: :patch, params: { role: "member" }, class: "button-secondary", data: { turbo_confirm: "Demote this admin to regular member?" }
+                - else
+                  = button_to "Make admin", settings_team_team_member_path(@team, member), method: :patch, params: { role: "admin" }, class: "button-secondary"
+                = button_to "Remove", settings_team_team_member_path(@team, member), method: :delete, class: "button-danger-secondary", data: { turbo_confirm: "Remove this member from the team?" }
+              - elsif member.user_id == current_user&.id
+                - if member.role_admin?
+                  span.hint You cannot change your own admin status
+                = button_to "Leave team", settings_team_team_member_path(@team, member), method: :delete, class: "button-secondary", data: { turbo_confirm: "Leave this team?" }
     - else
       p No members yet.
 

config/routes.rb

@@ -29,7 +29,7 @@
     resource :deletion, only: [:show, :create]
 
     resources :teams, only: [:index, :show, :create, :update, :destroy] do
-      resources :team_members, only: [:create, :destroy]
+      resources :team_members, only: [:create, :update, :destroy]
     end
 
     resource :username, only: [:update]

spec/requests/team_members_spec.rb

@@ -46,4 +46,80 @@ def attach_verified_alias(user, email:, primary: true)
       expect(response).to redirect_to(settings_team_path(team))
     end
   end
+
+  describe "PATCH /teams/:team_id/team_members/:id" do
+    it "blocks non-admins from changing roles" do
+      attach_verified_alias(member, email: "member@example.com")
+      sign_in(email: "member@example.com")
+
+      member_record = team.team_members.find_by(user: member)
+      patch settings_team_team_member_path(team, member_record), params: { role: "admin" }
+
+      expect(response).to redirect_to(settings_team_path(team))
+      expect(member_record.reload.role).to eq("member")
+    end
+
+    it "allows admins to promote members to admin" do
+      attach_verified_alias(admin, email: "admin@example.com")
+      sign_in(email: "admin@example.com")
+
+      member_record = team.team_members.find_by(user: member)
+      patch settings_team_team_member_path(team, member_record), params: { role: "admin" }
+
+      expect(response).to redirect_to(settings_team_path(team))
+      expect(member_record.reload.role).to eq("admin")
+    end
+
+    it "allows admins to demote other admins to members" do
+      attach_verified_alias(admin, email: "admin@example.com")
+      sign_in(email: "admin@example.com")
+
+      other_admin = create(:user, password: "secret", password_confirmation: "secret")
+      other_admin_record = create(:team_member, team: team, user: other_admin, role: "admin")
+
+      patch settings_team_team_member_path(team, other_admin_record), params: { role: "member" }
+
+      expect(response).to redirect_to(settings_team_path(team))
+      expect(other_admin_record.reload.role).to eq("member")
+    end
+
+    it "prevents admin from removing their own admin status" do
+      attach_verified_alias(admin, email: "admin@example.com")
+      sign_in(email: "admin@example.com")
+
+      admin_record = team.team_members.find_by(user: admin)
+      patch settings_team_team_member_path(team, admin_record), params: { role: "member" }
+
+      expect(response).to redirect_to(settings_team_path(team))
+      expect(flash[:alert]).to include("cannot remove your own admin status")
+      expect(admin_record.reload.role).to eq("admin")
+    end
+
+    it "prevents demoting the last admin when there are two admins and one tries to demote the other after becoming the only admin" do
+      # Create a second admin who will try to demote the first
+      other_admin = create(:user, password: "secret", password_confirmation: "secret")
+      attach_verified_alias(other_admin, email: "other_admin@example.com")
+      create(:team_member, team: team, user: other_admin, role: "admin")
+
+      sign_in(email: "other_admin@example.com")
+
+      # Demote the first admin - this should work since there are 2 admins
+      admin_record = team.team_members.find_by(user: admin)
+      patch settings_team_team_member_path(team, admin_record), params: { role: "member" }
+      expect(admin_record.reload.role).to eq("member")
+
+      # Now other_admin is the only admin
+      # Try to demote them using the first admin (now just a member, so should fail authorization)
+      attach_verified_alias(admin, email: "admin@example.com")
+      sign_in(email: "admin@example.com")
+
+      other_admin_record = team.team_members.find_by(user: other_admin)
+      patch settings_team_team_member_path(team, other_admin_record), params: { role: "member" }
+
+      expect(response).to redirect_to(settings_team_path(team))
+      expect(flash[:alert]).to eq("Admins only")
+      expect(other_admin_record.reload.role).to eq("admin")
+    end
+
+  end
 end