Fix various in the user role management UI (#18777)

* Reword priority description

* Disable checkboxes for permissions you can't enable in role edition interface

* Set max priority in HTML attribute

* Explicitly link to role edition, do not link when you can't edit

* Reword priority description based on review

app/views/admin/roles/_form.html.haml

@@ -9,7 +9,7 @@
       = f.input :name, wrapper: :with_label
 
     .fields-group
-      = f.input :position, wrapper: :with_label
+      = f.input :position, wrapper: :with_label, input_html: { max: current_user.role.position - 1 }
 
     .fields-group
       = f.input :color, wrapper: :with_label, input_html: { placeholder: '#000000' }
@@ -29,7 +29,7 @@
     - (@role.everyone? ? UserRole::Flags::CATEGORIES.slice(:invites) : UserRole::Flags::CATEGORIES).each do |category, permissions|
       %h4= t(category, scope: 'admin.roles.categories')
 
-      = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false
+      = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false, disabled: permissions.filter { |privilege| UserRole::FLAGS[privilege] & current_user.role.computed_permissions == 0 }
 
   %hr.spacer/
 

app/views/admin/roles/_role.html.haml

@@ -1,12 +1,22 @@
 .announcements-list__item
-  = link_to edit_admin_role_path(role), class: 'announcements-list__item__title' do
-    %span.user-role{ class: "user-role-#{role.id}" }
-      = fa_icon 'users fw'
+  - if can?(:update, role)
+    = link_to edit_admin_role_path(role), class: 'announcements-list__item__title' do
+      %span.user-role{ class: "user-role-#{role.id}" }
+        = fa_icon 'users fw'
 
-      - if role.everyone?
-        = t('admin.roles.everyone')
-      - else
-        = role.name
+        - if role.everyone?
+          = t('admin.roles.everyone')
+        - else
+          = role.name
+  - else
+    %span.announcements-list__item__title
+      %span.user-role{ class: "user-role-#{role.id}" }
+        = fa_icon 'users fw'
+
+        - if role.everyone?
+          = t('admin.roles.everyone')
+        - else
+          = role.name
 
   .announcements-list__item__action-bar
     .announcements-list__item__meta
@@ -16,3 +26,5 @@
         = link_to t('admin.roles.assigned_users', count: role.users.count), admin_accounts_path(role_ids: role.id)
         •
         %abbr{ title: role.permissions_as_keys.map { |privilege| I18n.t("admin.roles.privileges.#{privilege}") }.join(', ') }= t('admin.roles.permissions_count', count: role.permissions_as_keys.size)
+    %div
+      = table_link_to 'pencil', t('admin.accounts.edit'), edit_admin_role_path(role) if can?(:update, role)

config/locales/simple_form.en.yml

@@ -102,7 +102,7 @@ en:
         highlighted: This makes the role publicly visible
         name: Public name of the role, if role is set to be displayed as a badge
         permissions_as_keys: Users with this role will have access to...
-        position: Higher role decides conflict resolution in certain situations
+        position: Higher role decides conflict resolution in certain situations. Certain actions can only be performed on roles with alower priority
       webhook:
         events: Select events to send
         url: Where events will be sent to