Remove Primary Contact from users editing screen (#2856)

console-webapp/src/app/users/userEditForm.component.html

@@ -29,7 +29,7 @@
           ></mat-label
         >
         <mat-select [(ngModel)]="user().role" name="userRole">
-          <mat-option value="PRIMARY_CONTACT">Editor</mat-option>
+          <mat-option value="TECH_CONTACT">Editor</mat-option>
           <mat-option value="ACCOUNT_MANAGER">Viewer</mat-option>
         </mat-select>
       </mat-form-field>

core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java

@@ -17,6 +17,7 @@ package google.registry.ui.server.console;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static google.registry.model.console.RegistrarRole.ACCOUNT_MANAGER;
+import static google.registry.model.console.RegistrarRole.TECH_CONTACT;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.DELETE;
 import static google.registry.request.Action.Method.GET;
@@ -152,7 +153,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     updateUserRegistrarRoles(
         this.userData.get().emailAddress,
         registrarId,
-        RegistrarRole.valueOf(this.userData.get().role));
+        requestRoleToAllowedRoles(this.userData.get().role));
 
     sendConfirmationEmail(registrarId, this.userData.get().emailAddress, "Added existing user");
     consoleApiParams.response().setStatus(SC_OK);
@@ -222,11 +223,9 @@ public class ConsoleUsersAction extends ConsoleApiAction {
       throw e;
     }
 
+    RegistrarRole newRole = requestRoleToAllowedRoles(userData.get().role);
     UserRoles userRoles =
-        new UserRoles.Builder()
-            .setRegistrarRoles(
-                ImmutableMap.of(registrarId, RegistrarRole.valueOf(userData.get().role)))
-            .build();
+        new UserRoles.Builder().setRegistrarRoles(ImmutableMap.of(registrarId, newRole)).build();
 
     User.Builder builder = new User.Builder().setUserRoles(userRoles).setEmailAddress(newEmail);
     tm().put(builder.build());
@@ -238,9 +237,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
         .setPayload(
             consoleApiParams
                 .gson()
-                .toJson(
-                    new UserData(
-                        newEmail, null, ACCOUNT_MANAGER.toString(), newUser.getPassword())));
+                .toJson(new UserData(newEmail, null, newRole.toString(), newUser.getPassword())));
     finishAndPersistConsoleUpdateHistory(
         new ConsoleUpdateHistory.Builder()
             .setType(ConsoleUpdateHistory.Type.USER_CREATE)
@@ -257,7 +254,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
     updateUserRegistrarRoles(
         this.userData.get().emailAddress,
         registrarId,
-        RegistrarRole.valueOf(this.userData.get().role));
+        requestRoleToAllowedRoles(this.userData.get().role));
 
     sendConfirmationEmail(registrarId, this.userData.get().emailAddress, "Updated user");
     consoleApiParams.response().setStatus(SC_OK);
@@ -333,6 +330,11 @@ public class ConsoleUsersAction extends ConsoleApiAction {
                     .collect(toImmutableList()));
   }
 
+  /** Maps a request role string to a RegistrarRole, using ACCOUNT_MANAGER as the default. */
+  private RegistrarRole requestRoleToAllowedRoles(String role) {
+    return TECH_CONTACT.name().equals(role) ? TECH_CONTACT : ACCOUNT_MANAGER;
+  }
+
   private boolean sendConfirmationEmail(String registrarId, String emailAddress, String operation) {
     Optional<Registrar> registrar = Registrar.loadByRegistrarId(registrarId);
     if (registrar.isEmpty()) { // Shouldn't happen, but worth checking

core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java

@@ -170,7 +170,26 @@ class ConsoleUsersActionTest extends ConsoleActionBaseTestCase {
         createAction(
             Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
             Optional.of("POST"),
-            Optional.of(new UserData("lol", null, RegistrarRole.ACCOUNT_MANAGER.toString(), null)));
+            Optional.of(new UserData("lol", null, RegistrarRole.TECH_CONTACT.name(), null)));
+    action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
+    when(directory.users()).thenReturn(users);
+    when(users.insert(any(com.google.api.services.directory.model.User.class))).thenReturn(insert);
+    action.run();
+    assertThat(response.getStatus()).isEqualTo(SC_CREATED);
+    assertThat(response.getPayload())
+        .contains(
+            "{\"emailAddress\":\"lol.TheRegistrar@email.com\",\"role\":\"TECH_CONTACT\",\"password\":\"abcdefghijklmnop\"}");
+  }
+
+  @Test
+  void testSuccess_roleEnforcementCreate() throws IOException {
+    User user = DatabaseHelper.createAdminUser("email@email.com");
+    AuthResult authResult = AuthResult.createUser(user);
+    ConsoleUsersAction action =
+        createAction(
+            Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
+            Optional.of("POST"),
+            Optional.of(new UserData("lol", null, RegistrarRole.PRIMARY_CONTACT.name(), null)));
     action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
     when(directory.users()).thenReturn(users);
     when(users.insert(any(com.google.api.services.directory.model.User.class))).thenReturn(insert);