Disable removal of org user role if user has others

src/frontend/app/shared/components/list/list-types/cf-users/cf-org-permission-cell/cf-org-permission-cell.component.ts

@@ -28,12 +28,12 @@ import { CfPermissionCell, ICellPermissionList } from '../cf-permission-cell';
 })
 export class CfOrgPermissionCellComponent extends CfPermissionCell<OrgUserRoleNames> {
   constructor(
-    store: Store<AppState>,
-    public cfUserService: CfUserService,
+    public store: Store<AppState>,
+    cfUserService: CfUserService,
     private userPerms: CurrentUserPermissionsService,
     confirmDialog: ConfirmationDialogService
   ) {
-    super(store, confirmDialog);
+    super(store, confirmDialog, cfUserService);
     this.chipsConfig$ = combineLatest(
       this.rowSubject.asObservable(),
       this.configSubject.asObservable().pipe(switchMap(config => config.org$))
@@ -90,5 +90,4 @@ export class CfOrgPermissionCellComponent extends CfPermissionCell<OrgUserRoleNa
   public canRemovePermission = (cfGuid: string, orgGuid: string, spaceGuid: string) =>
     this.userPerms.can(CurrentUserPermissions.ORGANIZATION_CHANGE_ROLES, cfGuid, orgGuid)
 
-
 }

src/frontend/app/shared/components/list/list-types/cf-users/cf-permission-cell.ts

@@ -1,13 +1,15 @@
 import { Input } from '@angular/core';
 import { Store } from '@ngrx/store';
 import { BehaviorSubject, Observable, of as observableOf } from 'rxjs';
-import { first, map } from 'rxjs/operators';
+import { filter, map, switchMap, first } from 'rxjs/operators';
 
 import { IUserRole } from '../../../../../features/cloud-foundry/cf.helpers';
 import { AppState } from '../../../../../store/app-state';
 import { selectSessionData } from '../../../../../store/reducers/auth.reducer';
 import { APIResource } from '../../../../../store/types/api.types';
 import { CfUser } from '../../../../../store/types/user.types';
+import { UserRoleLabels } from '../../../../../store/types/users-roles.types';
+import { CfUserService } from '../../../../data-services/cf-user.service';
 import { AppChip } from '../../../chips/chips.component';
 import { ConfirmationDialogConfig } from '../../../confirmation-dialog.config';
 import { ConfirmationDialogService } from '../../../confirmation-dialog.service';
@@ -29,12 +31,14 @@ interface ICellPermissionUpdates {
   [key: string]: Observable<boolean>;
 }
 
-export abstract class CfPermissionCell<T> extends TableCellCustom<APIResource<CfUser>>  {
+export abstract class CfPermissionCell<T> extends TableCellCustom<APIResource<CfUser>> {
+  userEntity: BehaviorSubject<CfUser> = new BehaviorSubject(null);
 
   @Input('row')
   set row(row: APIResource<CfUser>) {
     this.rowSubject.next(row);
     this.guid = row.metadata.guid;
+    this.userEntity.next(row.entity);
   }
 
   @Input('config')
@@ -48,7 +52,11 @@ export abstract class CfPermissionCell<T> extends TableCellCustom<APIResource<Cf
   protected rowSubject = new BehaviorSubject<APIResource<CfUser>>(null);
   protected configSubject = new BehaviorSubject<any>(null);
 
-  constructor(public store: Store<AppState>, private confirmDialog: ConfirmationDialogService) {
+  constructor(
+    public store: Store<AppState>,
+    private confirmDialog: ConfirmationDialogService,
+    public cfUserService: CfUserService
+  ) {
     super();
   }
 
@@ -64,6 +72,18 @@ export abstract class CfPermissionCell<T> extends TableCellCustom<APIResource<Cf
       };
       chipConfig.hideClearButton$ = this.canRemovePermission(perm.cfGuid, perm.orgGuid, perm.spaceGuid).pipe(
         map(can => !can),
+        switchMap(can => {
+          if (!can) {
+            if (perm.string === UserRoleLabels.org.short.users) {
+              // If there are other roles than Org User, disable clear button
+              return this.userEntity.pipe(
+                filter(p => !!p),
+                map((entity: CfUser) => this.cfUserService.hasRolesInOrg(entity, perm.orgGuid)),
+              );
+            }
+          }
+          return observableOf(can);
+        })
       );
       return chipConfig;
     });

src/frontend/app/shared/components/list/list-types/cf-users/cf-space-permission-cell/cf-space-permission-cell.component.ts

@@ -29,12 +29,12 @@ import { CfPermissionCell, ICellPermissionList } from '../cf-permission-cell';
 export class CfSpacePermissionCellComponent extends CfPermissionCell<SpaceUserRoleNames> {
 
   constructor(
-    store: Store<AppState>,
-    public cfUserService: CfUserService,
+    public store: Store<AppState>,
+    cfUserService: CfUserService,
     private userPerms: CurrentUserPermissionsService,
     confirmDialog: ConfirmationDialogService
   ) {
-    super(store, confirmDialog);
+    super(store, confirmDialog, cfUserService);
     this.chipsConfig$ = combineLatest(
       this.rowSubject.asObservable(),
       this.configSubject.asObservable().pipe(switchMap(config => config.org$)),

src/frontend/app/shared/data-services/cf-user.service.ts

@@ -30,6 +30,8 @@ import {
   createUserRoleInSpace,
   IUserPermissionInOrg,
   IUserPermissionInSpace,
+  OrgUserRoleNames,
+  SpaceUserRoleNames,
   UserRoleInOrg,
   UserRoleInSpace,
 } from '../../store/types/user.types';
@@ -157,6 +159,46 @@ export class CfUserService {
     return res;
   }
 
+  /**
+   * Helper to determine if user has roles other than Org User
+   */
+  hasRolesInOrg(user: CfUser, orgGuid: string, excludeOrgUser = true): boolean {
+
+    const orgRoles = this.getOrgRolesFromUser(user).filter(o => o.orgGuid === orgGuid);
+    const spaceRoles = this.getSpaceRolesFromUser(user).filter(o => o.orgGuid === orgGuid);
+
+    for (const roleKey in orgRoles) {
+      if (!orgRoles.hasOwnProperty(roleKey)) {
+        continue;
+      }
+
+      const permissions = orgRoles[roleKey].permissions;
+      if (
+        permissions[OrgUserRoleNames.MANAGER] ||
+        permissions[OrgUserRoleNames.BILLING_MANAGERS] ||
+        permissions[OrgUserRoleNames.AUDITOR]
+      ) {
+        return true;
+      }
+      if (!excludeOrgUser && permissions[OrgUserRoleNames.USER]) {
+        return true;
+      }
+    }
+
+    for (const roleKey in spaceRoles) {
+      if (!spaceRoles.hasOwnProperty(roleKey)) {
+        continue;
+      }
+
+      const permissions = spaceRoles[roleKey].permissions;
+      if (permissions[SpaceUserRoleNames.MANAGER] ||
+        permissions[SpaceUserRoleNames.AUDITOR] ||
+        permissions[SpaceUserRoleNames.DEVELOPER]) {
+        return true;
+      }
+    }
+  }
+
   getUserRoleInOrg = (
     userGuid: string,
     orgGuid: string,