Split out permissions for assigning roles/groups and editing them

[ryanmitchell]

This PR adds new permissions for assigning roles and groups, seperate from editing them. This allows you to have users that can modify other users groups and roles, but not be able to change the groups or roles themselves.

As editing groups/roles is not dependent on viewing users, I moved it out of the view users permissions block.

I also added an update script so any roles that could previously edit roles/groups can now also assign them.

Fixes: statamic/ideas#474

[jasonvarga]

When editing a group, we should give the "roles" field the same treatment. At the moment it doesn't. You should only be able to assign the roles to the group if you have the assign_roles permission.

[ryanmitchell]

Yeah that makes sense, however the approach we'd take now would need to change if/once #6506 merges (you could use ensureFields on the blueprint at that point).

So happy to work on it now, but just highlighting it would need be changed later... what do you think?

[jasonvarga]

It would need to be updated in both places either way. Let's make the change here, and we can add a note in the other PR to update it.

[ryanmitchell]

@jasonvarga What about this ?

[ryanmitchell]

Just checking in to see if this change is sufficient, or if you need more?

[robdekort]

Just expressing my gratitude here for this PR! No more creating users for clients in the near future!

[jasonbradberry]

Thumbs up for this.

[what-the-diff]

• Added canAssignSuper prop to the role publish form.
• Hid roles and groups fields in user group publish forms if permissions are not present (assign roles/groups).
• Added canAssignRoles and canAssignGroups props to the users wizard component, which is used for creating new users as well as editing existing ones from within a modal window on other pages like entries or taxonomies where you can assign authorship of an item to another user by clicking their avatar image next to it's name in the sidebar list view, etc.. This will hide those fields when appropriate based on whether or not they have permission(s) that allow them access there (edit roles / edit user groups).
• Added tests for the store and update methods of roles
• Added tests for the store and update methods of user groups
• Added a new test case to the AddPerEntryPermissionsTest.php file
• The new test case checks that all roles are deleted after running tests

[jasonvarga]

Alrighty, I made some additions here:

• Added some server side checks instead of just relying on js
• Added tests around creating/editing groups/roles.
• Only super users can assign super permissions.
• Adjusted visibility of role/group fields in the user creation wizard
• A couple other little bits

Thanks for this PR, sorry about the delay.

[ryanmitchell]

Thanks for the changes and cleanup!

[robdekort]

Thanks you both!

[jonatanalvarsson]

This is great! Thanks! 🙏