AO3-6141 Disable user role checkboxes based on admin permissions

app/policies/user_policy.rb

@@ -21,6 +21,14 @@ class UserPolicy < ApplicationPolicy
     "tag_wrangling" => [roles: []]
   }.freeze
 
+  # Define which admin roles can edit which user roles.
+  ALLOWED_USER_ROLES_BY_ADMIN_ROLES = {
+    "open_doors" => %w[archivist opendoors],
+    "policy_and_abuse" => %w[no_resets protected_user],
+    "superadmin" => %w[archivist no_resets official opendoors protected_user tag_wrangler],
+    "tag_wrangling" => %w[tag_wrangler]
+  }.freeze
+
   def can_manage_users?
     user_has_roles?(MANAGE_ROLES)
   end
@@ -33,6 +41,10 @@ def permitted_attributes
     ALLOWED_ATTRIBUTES_BY_ROLES.values_at(*user.roles).compact.flatten
   end
 
+  def can_edit_user_role?(role)
+    ALLOWED_USER_ROLES_BY_ADMIN_ROLES.values_at(*user.roles).compact.flatten.include?(role.name)
+  end
+
   alias index? can_manage_users?
   alias bulk_search? can_manage_users?
   alias show? can_manage_users?

app/views/admin/admin_users/_user_form.html.erb

@@ -12,7 +12,7 @@
   <td><%= text_field_tag "user[email]", user.email, title: ts("Email"), disabled: !admin_can_update_user_email? %></td>
   <% for role in @roles %>
     <td>
-      <%= check_box_tag "user[roles][]", role.id, user.roles.include?(role), title: role.name, id: "user_roles_#{role.id}", disabled: !admin_can_update_user_roles? %>
+      <%= check_box_tag "user[roles][]", role.id, user.roles.include?(role), title: role.name, id: "user_roles_#{role.id}", disabled: !policy(User).can_edit_user_role?(role) %>
     </td>
   <% end %>
   <td>