1034 replace staffaccount (#1039)

* Remove staff account relation with organization

* Copy deactivated_at logic from StaffAccount to User

* Create UserPolicy in lieu of StaffAccountPolicy

* Refactor verify_active_staff to remove staff_account logic

* Create UserPolicy test

* Refactor the staff index route action logic

* Remove unused routes deactivation routes

* Change http request type from post to put for accuracy

* Remove useless staff_account conditional

* Refactor deactivation logic

* Refactor staff_account conditionals

* Refactor organization_staff class method for role logic

* Remove staff_account logic from service

* Add organization to role assignment in service

* Remove more staff_account references

* Drop staff_accounts

* Refactor the conditionals on the adoptable pets page

* Fix localization ref

* Remove optional Person from User

* Fail loudly on activation changes

* Fix this test implementation to actually test OrganizationPolicy

* Fix incorrect usage of tenancy in test

* Remove unused instance variables

* Remove unnecessary organization method as AdopterApp has org association

* Define organization for verify_active_staff check

* Move staff? check to user model

* Move role method to authorizable concern

* Add flash message for updating activation

* Remove old references to staff_account

* Loudly fail activation updates

* Replace staff_account activation logic

app/controllers/organizations/adopter_fosterer/adopter_applications_controller.rb

@@ -19,7 +19,7 @@ def create
         notice: t(".success", message: MessagesHelper.affirmations.sample)
 
       # mailer
-      @org_staff = User.organization_staff(@pet.organization_id)
+      @org_staff = User.staff
       StaffApplicationNotificationMailer.with(pet: @pet,
         organization_staff: @org_staff)
         .new_adoption_application.deliver_now

app/controllers/organizations/staff/invitations_controller.rb

@@ -21,7 +21,6 @@ def create
         user_params.merge(password: SecureRandom.hex(8)).except(:roles)
       )
       @user.add_role(user_params[:roles], Current.organization)
-      @user.build_staff_account
 
       if @user.save
         @user.invite!(current_user)

app/controllers/organizations/staff/staff_controller.rb

@@ -1,43 +1,35 @@
 class Organizations::Staff::StaffController < Organizations::BaseController
-  before_action :set_staff_account, only: [:deactivate, :activate, :update_activation]
+  before_action :set_staff, only: [:update_activation]
 
   layout "dashboard"
 
   def index
-    authorize! StaffAccount, context: {organization: Current.organization}
+    authorize! User, context: {organization: Current.organization}
 
-    @staff_accounts = authorized_scope(StaffAccount.all)
+    @staff = authorized_scope(User.staff)
   end
 
-  def deactivate
-    @staff_account.deactivate
-    respond_to do |format|
-      format.html { redirect_to staff_staff_index_path, notice: t(".success") }
-      format.turbo_stream { render "organizations/staff/staff/update" }
+  def update_activation
+    if @staff.deactivated_at
+      @staff.activate
+    else
+      @staff.deactivate
     end
-  end
 
-  def activate
-    @staff_account.activate
     respond_to do |format|
-      format.html { redirect_to staff_staff_index_path, notice: t(".success") }
-      format.turbo_stream { render "organizations/staff/staff/update" }
-    end
-  end
-
-  def update_activation
-    if @staff_account.deactivated_at
-      activate
-    else
-      deactivate
+      success = @staff.deactivated_at.nil? ?
+        t(".activated", staff: @staff.full_name) :
+        t(".deactivated", staff: @staff.full_name)
+      format.html { redirect_to staff_staff_index_path, notice: success }
+      format.turbo_stream { flash.now[:notice] = success }
     end
   end
 
   private
 
-  def set_staff_account
-    @staff_account = StaffAccount.find(params[:staff_id])
+  def set_staff
+    @staff = User.find(params[:staff_id])
 
-    authorize! @staff_account
+    authorize! @staff
   end
 end

app/controllers/registrations_controller.rb

@@ -24,7 +24,7 @@ def create
   private
 
   def set_layout
-    if current_user&.staff_account
+    if allowed_to?(:index?, with: Organizations::DashboardPolicy, context: {organization: Current.organization})
       "dashboard"
     elsif allowed_to?(:index?, with: Organizations::AdopterFosterDashboardPolicy, context: {organization: Current.organization})
       "adopter_foster_dashboard"

app/models/concerns/authorizable.rb

@@ -9,6 +9,10 @@ def permission?(name)
     permissions.include?(name)
   end
 
+  def staff?(organization)
+    has_role?("super_admin", organization) || has_role?("admin", organization)
+  end
+
   ADOPTER_PERMISSIONS = %i[
     view_adopter_foster_dashboard
     create_adopter_applications

app/models/organization.rb

@@ -25,8 +25,7 @@ class Organization < ApplicationRecord
   # Rolify resource
   resourcify
 
-  has_many :staff_accounts
-  has_many :users, through: :staff_accounts
+  has_many :users
   has_many :pets
   has_many :default_pet_tasks
   has_many :forms, class_name: "CustomForm::Form", dependent: :destroy

app/models/user.rb

@@ -3,6 +3,7 @@
 # Table name: users
 #
 #  id                     :bigint           not null, primary key
+#  deactivated_at         :datetime
 #  email                  :string           default(""), not null
 #  encrypted_password     :string           default(""), not null
 #  first_name             :string           not null
@@ -22,7 +23,7 @@
 #  updated_at             :datetime         not null
 #  invited_by_id          :bigint
 #  organization_id        :bigint
-#  person_id              :bigint
+#  person_id              :bigint           not null
 #
 # Indexes
 #
@@ -66,22 +67,16 @@ class User < ApplicationRecord
   # validates :tos_agreement, acceptance: {message: "Please accept the Terms and Conditions"},
   #   allow_nil: false, on: :create
 
-  has_one :staff_account, dependent: :destroy
-
-  # Once we've migrated the existing data to connect a user to a person,
-  # we should remove the optional: true part
-  belongs_to :person, optional: true
+  belongs_to :person
 
   before_validation :ensure_person_exists, on: :create
 
   before_save :downcase_email
 
   delegate :latest_form_submission, to: :person
 
-  # get user accounts for staff in a given organization
-  def self.organization_staff(org_id)
-    User.includes(:staff_account)
-      .where(staff_account: {organization_id: org_id})
+  def self.staff
+    joins(:roles).where(roles: {name: %i[admin super_admin]})
   end
 
   def self.ransackable_attributes(auth_object = nil)
@@ -98,11 +93,11 @@ def custom_messages(attribute)
   end
 
   def active_for_authentication?
-    super && !staff_account&.deactivated_at
+    super && !deactivated?
   end
 
   def inactive_message
-    staff_account.deactivated_at ? :deactivated : super
+    deactivated? ? :deactivated : super
   end
 
   def ensure_person_exists
@@ -132,6 +127,18 @@ def name_initials
     full_name.split.map { |part| part[0] }.join.upcase
   end
 
+  def deactivate
+    update!(deactivated_at: Time.now) unless deactivated_at
+  end
+
+  def activate
+    update!(deactivated_at: nil) if deactivated_at
+  end
+
+  def deactivated?
+    !!deactivated_at
+  end
+
   private
 
   def downcase_email

app/policies/application_policy.rb

@@ -34,8 +34,8 @@ def verify_organization!
   end
 
   def verify_active_staff!
-    deny! unless user.staff_account
-    deny! if user.staff_account.deactivated?
+    deny! unless user.staff?(organization)
+    deny! if user.deactivated?
   end
 
   def permission?(name)

app/policies/organizations/adopter_application_policy.rb

@@ -7,10 +7,4 @@ class Organizations::AdopterApplicationPolicy < ApplicationPolicy
   def manage?
     permission?(:review_adopter_applications)
   end
-
-  private
-
-  def organization
-    @organization || record.pet.organization
-  end
 end

app/policies/organizations/organization_policy.rb

@@ -5,5 +5,11 @@ class OrganizationPolicy < ApplicationPolicy
     def manage?
       permission?(:manage_organization)
     end
+
+    private
+
+    def organization
+      record
+    end
   end
 end

app/policies/organizations/user_policy.rb

@@ -0,0 +1,12 @@
+class Organizations::UserPolicy < ApplicationPolicy
+  pre_check :verify_organization!
+  pre_check :verify_active_staff!
+
+  def index?
+    permission?(:manage_staff)
+  end
+
+  def update_activation?
+    permission?(:activate_staff) && record.id != user.id
+  end
+end

app/services/organizations/create_service.rb

@@ -32,8 +32,7 @@ def signal(args)
         args[:user][:first_name],
         args[:user][:last_name]
       )
-      create_staff_account
-      add_super_admin_role_to_staff_account
+      add_super_admin_role_to_user
       send_email
       create_custom_page
     end
@@ -63,19 +62,10 @@ def create_user(email, first_name, last_name)
     end
   end
 
-  def create_staff_account
-    ActsAsTenant.with_tenant(@organization) do
-      @staff_account = StaffAccount.create!(
-        organization_id: @organization.id,
-        user_id: @user.id
-      )
-    end
-  end
-
-  def add_super_admin_role_to_staff_account
-    @user.add_role(:super_admin)
+  def add_super_admin_role_to_user
+    @user.add_role(:super_admin, @organization)
 
-    if !@user.has_role?(:super_admin)
+    if !@user.has_role?(:super_admin, @organization)
       raise StandardError, "Failed to add super admin role"
     end
   end

app/views/layouts/dashboard/_sidebar.html.erb

@@ -56,7 +56,7 @@
           <i class="nav-icon fe fe-users me-2"></i>Adopters
         <% end %>
       </li>
-      <% if allowed_to?(:index?, StaffAccount, namespace: Organizations,context: {organization: Current.organization})%>
+      <% if allowed_to?(:index?, User, namespace: Organizations, context: {organization: Current.organization})%>
         <li class="nav-item">
           <%= active_link_to staff_staff_index_path, class: "nav-link" do %>
             <i class="nav-icon fe fe-users me-2"></i>Staff