Prepare for backport

app/controllers/admin/users_controller.rb

@@ -175,7 +175,7 @@ class Admin::UsersController < Admin::ApplicationController
 
   def user_params_ce
     [
-      :admin,
+      :access_level,
       :avatar,
       :bio,
       :can_create_group,
@@ -203,8 +203,7 @@ class Admin::UsersController < Admin::ApplicationController
 
   def user_params_ee
     [
-      :note,
-      :access_level
+      :note
     ]
   end
 end

app/models/ee/user.rb

@@ -36,23 +36,5 @@ module EE
     def admin_or_auditor?
       admin? || auditor?
     end
-
-    def access_level
-      if admin?
-        :admin
-      elsif auditor?
-        :auditor
-      else
-        :regular
-      end
-    end
-
-    def access_level=(new_level)
-      new_level = new_level.to_s
-      return unless %w(admin auditor regular).include?(new_level)
-
-      self.admin = (new_level == 'admin')
-      self.auditor = (new_level == 'auditor')
-    end
   end
 end

app/models/user.rb

@@ -934,6 +934,24 @@ class User < ActiveRecord::Base
     Gitlab::UserActivities::ActivitySet.record(self)
   end
 
+  def access_level
+    if admin?
+      :admin
+    elsif auditor?
+      :auditor
+    else
+      :regular
+    end
+  end
+
+  def access_level=(new_level)
+    new_level = new_level.to_s
+    return unless %w(admin auditor regular).include?(new_level)
+
+    self.admin = (new_level == 'admin')
+    self.auditor = (new_level == 'auditor')
+  end
+
   private
 
   def ci_projects_union

app/views/admin/users/_access_levels_ee.html.haml → app/views/admin/users/_access_levels.html.haml

@@ -11,22 +11,29 @@
   .form-group
     = f.label :access_level, class: 'control-label'
     .col-sm-10
-      = f.radio_button :access_level, :regular, disabled: (current_user == @user && @user.is_admin?)
+      - editing_current_user = (current_user == @user)
+
+      = f.radio_button :access_level, :regular, disabled: editing_current_user
       = label_tag :regular do
         Regular
       %p.light
         Regular users have access to their groups and projects
+
       - if license_allows_auditor_user?
-        = f.radio_button :access_level, :auditor, disabled: (current_user == @user && @user.is_admin?)
+        = f.radio_button :access_level, :auditor, disabled: editing_current_user
         = label_tag :auditor do
           Auditor
         %p.light
           Auditors have read-only access to all groups, projects and users
-      = f.radio_button :access_level, :admin
+
+      = f.radio_button :access_level, :admin, disabled: editing_current_user
       = label_tag :admin do
         Admin
       %p.light
         Administrators have access to all groups, projects and users and can manage all features in this installation
+      - if editing_current_user
+        %p.light
+          You cannot remove your own admin rights.
 
   .form-group
     = f.label :external, class: 'control-label'

app/views/admin/users/_form.html.haml

@@ -40,7 +40,7 @@
           = f.label :password_confirmation, class: 'control-label'
           .col-sm-10= f.password_field :password_confirmation, disabled: f.object.force_random_password, class: 'form-control'
 
-    = render partial: 'access_levels_ee', locals: { f: f }
+    = render partial: 'access_levels', locals: { f: f }
 
     %fieldset
       %legend Profile

spec/models/user_spec.rb

@@ -1493,66 +1493,7 @@ describe User, models: true do
     end
   end
 
-  describe 'the GitLab_Auditor_User add-on' do
-    let(:license) { build(:license) }
-
-    before do
-      allow(::License).to receive(:current).and_return(license)
-    end
-
-    context 'creating an auditor user' do
-      it "does not allow creating an auditor user if the addon isn't enabled" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
-
-        expect(build(:user, :auditor)).to be_invalid
-      end
-
-      it "does not allow creating an auditor user if no license is present" do
-        allow(License).to receive(:current).and_return nil
-
-        expect(build(:user, :auditor)).to be_invalid
-      end
-
-      it "allows creating an auditor user if the addon is enabled" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
-
-        expect(build(:user, :auditor)).to be_valid
-      end
-
-      it "allows creating a regular user if the addon isn't enabled" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
-
-        expect(build(:user)).to be_valid
-      end
-    end
-
-    context '#auditor?' do
-      it "returns true for an auditor user if the addon is enabled" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
-
-        expect(build(:user, :auditor)).to be_auditor
-      end
-
-      it "returns false for an auditor user if the addon is not enabled" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
-
-        expect(build(:user, :auditor)).not_to be_auditor
-      end
-
-      it "returns false for an auditor user if a license is not present" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
-
-        expect(build(:user, :auditor)).not_to be_auditor
-      end
-
-      it "returns false for a non-auditor user even if the addon is present" do
-        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
-
-        expect(build(:user)).not_to be_auditor
-      end
-    end
-
-    context 'access_level=' do
+  describe '#access_level=' do
     let(:user) { build(:user) }
 
     before do
@@ -1628,5 +1569,64 @@ describe User, models: true do
       expect(user.auditor).to be false
     end
   end
+
+  describe 'the GitLab_Auditor_User add-on' do
+    let(:license) { build(:license) }
+
+    before do
+      allow(::License).to receive(:current).and_return(license)
+    end
+
+    context 'creating an auditor user' do
+      it "does not allow creating an auditor user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "does not allow creating an auditor user if no license is present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "allows creating an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user, :auditor)).to be_valid
+      end
+
+      it "allows creating a regular user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user)).to be_valid
+      end
+    end
+
+    context '#auditor?' do
+      it "returns true for an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user, :auditor)).to be_auditor
+      end
+
+      it "returns false for an auditor user if the addon is not enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for an auditor user if a license is not present" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for a non-auditor user even if the addon is present" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user)).not_to be_auditor
+      end
+    end
   end
 end