From bb8a37a9cc5a287b76b6ab58e78ed9f46242a5af Mon Sep 17 00:00:00 2001
From: Shana Moore <shana@scientist.com>
Date: Tue, 14 Jan 2025 12:09:40 -0800
Subject: [PATCH] Display superadmin settings when user has appropriate
 permissions

Issue:
- https://github.com/notch8/palni_palci_knapsack/issues/71

Previously, superadmin settings like oai_prefix, oai_sample_identifier, and s3_bucket were being filtered out because public_settings wasn't taking the user's permissions into account, if set. This adds a permission check and passes it to public_settings to
dynamically show/hide superadmin settings based on user role.
---
 app/controllers/admin/accounts_controller.rb | 3 ++-
 app/views/admin/accounts/edit.html.erb       | 9 +++------
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/app/controllers/admin/accounts_controller.rb b/app/controllers/admin/accounts_controller.rb
index d5028b217..8d5f4ec20 100644
--- a/app/controllers/admin/accounts_controller.rb
+++ b/app/controllers/admin/accounts_controller.rb
@@ -29,7 +29,8 @@ def update
     private
 
     def account_params
-      params.require(:account).permit(:name, :cname, :title, *@account.public_settings.keys)
+      is_superadmin = current_ability.superadmin?
+      params.require(:account).permit(:name, :cname, :title, *@account.public_settings(is_superadmin: is_superadmin).keys)
     end
 
     def set_current_account
diff --git a/app/views/admin/accounts/edit.html.erb b/app/views/admin/accounts/edit.html.erb
index 533aa0a07..f759e6190 100644
--- a/app/views/admin/accounts/edit.html.erb
+++ b/app/views/admin/accounts/edit.html.erb
@@ -1,7 +1,6 @@
 <% content_for :page_header do %>
   <h1><span class="fa fa-gears"></span> Editing Account</h1>
 <% end %>
-
 <div class="row">
   <div class="col-md-12">
     <div class="card account-form">
@@ -17,16 +16,14 @@
               </ul>
             </div>
           <% end %>
-
           <div class="form-group">
             <%= f.label :tenant %><br>
             <%= f.text_field :tenant, class: 'form-control', readonly: @account.persisted? %>
           </div>
-
-          <% current_account.public_settings.each do |key, value| %>
+          <% is_superadmin = current_ability.superadmin? %>
+          <% current_account.public_settings(is_superadmin: is_superadmin).each do |key, value| %>
             <%= render 'shared/settings', f: f, key: key, value: value %>
           <% end %>
-
           <div class="card-footer">
             <%= f.submit class: 'btn btn-secondary float-right' %>
           </div>
@@ -34,4 +31,4 @@
       <% end %>
     </div>
   </div>
-</div>
+</div>
\ No newline at end of file