Don't let users with view role update settings or delete devices (#1889)

This PR adjusts what a user can do with a device through the UI with a
`:view` role. They can no longer update settings (can still see them)
nor delete the device. Implemented in both the old and new UI.

Solves #1887. Deleting devices was not part of the ticket but it seemed
like an obvious change.

lib/nerves_hub_web/components/device_page/settings.ex

@@ -40,9 +40,11 @@ defmodule NervesHubWeb.Components.DevicePage.Settings do
         <div class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
           <div class="flex justify-between items-center h-14 px-4 border-b border-zinc-700">
             <div class="text-base text-neutral-50 font-medium">General settings</div>
-            <.button style="secondary" type="submit">
-              <.icon name="save" /> Save changes
-            </.button>
+            <%= if authorized?(:"device:update", @org_user) do %>
+              <.button style="secondary" type="submit">
+                <.icon name="save" /> Save changes
+              </.button>
+            <% end %>
           </div>
           <div class="flex p-6 gap-6">
             <div class="w-1/2 flex flex-col gap-6">
@@ -226,7 +228,7 @@ defmodule NervesHubWeb.Components.DevicePage.Settings do
         </div>
       </div>
 
-      <div :if={@device.deleted_at} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
+      <div :if={@device.deleted_at && authorized?(:"device:update", @org_user)} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
         <div class="flex items-center p-6 gap-6 border-t border-zinc-700">
           <div>
             <button
@@ -255,7 +257,7 @@ defmodule NervesHubWeb.Components.DevicePage.Settings do
         </div>
       </div>
 
-      <div :if={@device.deleted_at} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
+      <div :if={@device.deleted_at && authorized?(:"device:update", @org_user)} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
         <div class="flex items-center p-6 gap-6 border-t border-zinc-700">
           <div>
             <button
@@ -280,7 +282,7 @@ defmodule NervesHubWeb.Components.DevicePage.Settings do
         </div>
       </div>
 
-      <div :if={!@device.deleted_at} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
+      <div :if={!@device.deleted_at && authorized?(:"device:update", @org_user)} class="flex flex-col w-full bg-zinc-900 border border-zinc-700 rounded">
         <div class="flex items-center p-6 gap-6 border-t border-zinc-700">
           <div>
             <button

lib/nerves_hub_web/live/devices/settings.html.heex

@@ -58,7 +58,7 @@
     <div class="has-error">{error_tag(f, :connecting_code)}</div>
   </div>
 
-  <div class="button-submit-wrapper">
+  <div :if={authorized?(:"device:update", @org_user)} class="button-submit-wrapper">
     {submit("Save Changes", class: "btn btn-primary")}
   </div>
 </.form>

lib/nerves_hub_web/live/devices/show.html.heex

@@ -39,7 +39,7 @@
         <span class="button-icon firmware-disabled"></span>
         <span class="action-text">{if @device.updates_enabled, do: "Disable Updates", else: "Enable Updates"}</span>
       </button>
-      <button class="btn btn-outline-light btn-action" aria-label="Delete" type="button" phx-click="delete" data-confirm="Are you sure?">
+      <button class={["btn btn-outline-light btn-action", @org_user.role == :view && "disabled"]} aria-label="Delete" type="button" phx-click="delete" data-confirm="Are you sure?">
         <span class="button-icon delete"></span>
         <span class="action-text">Delete</span>
       </button>