Add edit functionality for iam identifier

[neilmcclelland]

Fixes #22

Summary by CodeRabbit

• New Features
  • System groups (Tenant Administrator, Tenant Auditor) are now protected from accidental deletion and editing, with clear tooltips explaining why.
  • Group IAM identifier field is now editable in group details.

[Ayurshi-Singh]

two points here:

1. Lets move the conditions to a formatter function. There we can check the conditions against ENUM and it will make it more testable and remove the use of strings (as in the XML).
2. I am not super aware of it, but just wondering, cant we check the User Group role instead of name. We do have some specific ENUMs for the role right to identify the whether it is Tenant_Admin or Tenant_Auditor User groups.

[neilmcclelland]

1. formatter added
2. we need to check for name as it is not all tenant admins roles but the autogenerated groups with those names

[Ayurshi-Singh]

So does that mean there can be Tenant admin or Tenant auditor user groups which have the role "TENANT_ADMINISTRATOR" or "TENANT_AUDITOR" but will not have the relevant name. And those should be allowed to be edited?

[Ayurshi-Singh]

same as above

[Ayurshi-Singh]

+1, request for formatter logic.

[Ayurshi-Singh]

nit: maybe we should think about renaming groupValid-> groupEdited or something. Name seems misleading as it controls the enable state of the SAVE groups button.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 70fb00b1-3659-45f2-9551-3e54da07ad45

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR introduces protection for auto-generated tenant groups (TenantAdministrator and TenantAuditor) by preventing their deletion and editing. Additionally, the IAM identifier field is now editable through a live input binding, with controller validation to track changes during group editing.

Changes

Cohort / File(s)	Summary
Protected Groups Definition webapp/common/Enums.ts, webapp/common/Formatters.ts	Added ProtectedGroups enum and derived utility functions isGroupDeletable() and getGroupDeleteTooltip() to control deletion and display conditional messages for auto-generated groups.
Controller Logic webapp/controller/groups/Detail.controller.ts	Extended GroupPayload interface with IAMIdentifier field and added onGroupIamIdentifierChanged() handler that validates IAM identifier changes and updates the model state accordingly. Updated onGroupSavePress() to include the new field in PATCH requests.
UI View and Fragments webapp/view/groups/GroupDetail.view.xml, webapp/resources/fragments/groups/UserGroupsTable.fragment.xml	Made edit button disabled for protected tenant groups with conditional tooltip messaging. Changed IAM identifier field from read-only text to editable input with live change binding. Updated delete menu item with conditional enable/disable binding and tooltip.
Localization webapp/i18n/i18n_en.properties	Added two new message keys (autoGeneratedGroupCannotBeEdited and autoGeneratedGroupCannotBeDeleted) for user-facing messaging regarding protected groups.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Protected groups now stand so tall,
TenantAdmin guards the hall,
IAM fields dance and sway,
With live edits along the way,
A rabbit's code hops without fear!

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description does not follow the required template structure and lacks essential details like category prefix, detailed explanation, and release notes.	Update description to follow the conventional commits template with category (e.g., 'feat:'), detailed explanation of changes, and release notes section.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Out of Scope Changes check	❓ Inconclusive	Changes include additional safeguards for protected groups (TenantAdministrator and TenantAuditor) preventing their deletion/editing, which goes beyond the basic IAM identifier editing requirement.	Clarify whether preventing editing/deletion of protected tenant groups is part of issue #22 scope or should be in a separate issue.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding edit functionality for the IAM identifier field, which is the primary feature implemented across all modified files.
Linked Issues check	✅ Passed	All code changes directly address the linked issue #22 requirement to add IAM identifier editing functionality with appropriate UI controls and data handling.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@webapp/controller/groups/Detail.controller.ts`:
- Around line 125-144: The current onGroupIamIdentifierChanged only toggles
/groupValid and sets /newIamIdentifier when different, but it leaves a stale
/newIamIdentifier when a user reverts to the original value and only tests IAM
to enable save — causing onGroupSavePress to include stale IAM values; update
onGroupIamIdentifierChanged to clear /newIamIdentifier (set to '') and set
/groupValid to false when newIamIdentifier ===
this.oneWayModel.getProperty('/groupData/iamIdentifier'), otherwise set
/newIamIdentifier and /groupValid true; additionally ensure any other change
handlers for name/description (the inputs that set /newGroupName and
/newGroupDescription) set /groupValid true when they differ from
this.oneWayModel.getProperty('/groupData/...') so onGroupSavePress only sends
fields that are actually changed and no stale IAM values remain.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c86c3aa-b726-41ba-b524-02e977cab188

📥 Commits

Reviewing files that changed from the base of the PR and between c946583 and c202690.

📒 Files selected for processing (6)

• webapp/common/Enums.ts
• webapp/common/Formatters.ts
• webapp/controller/groups/Detail.controller.ts
• webapp/i18n/i18n_en.properties
• webapp/resources/fragments/groups/UserGroupsTable.fragment.xml
• webapp/view/groups/GroupDetail.view.xml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

/groupValid and /newIamIdentifier handling can produce incorrect PATCH behavior.

At Line 129/132, save enablement is derived only from IAM field changes. At Line 133, reverted IAM values are not cleared. Combined with Line 143, stale IAM values can be sent when another field is edited.

Proposed fix

 public onGroupIamIdentifierChanged(event: Input$LiveChangeEvent): void {
     const newIamIdentifier = event.getParameter('value') ?? '';
     const iamIdentifier = this.oneWayModel.getProperty('/groupData/iamIdentifier') as string;
-    if (newIamIdentifier === iamIdentifier) {
-        this.oneWayModel.setProperty('/groupValid', false);
-    }
-    else {
-        this.oneWayModel.setProperty('/groupValid', true);
-        this.oneWayModel.setProperty('/newIamIdentifier', newIamIdentifier);
-    }
+    this.oneWayModel.setProperty(
+        '/newIamIdentifier',
+        newIamIdentifier === iamIdentifier ? undefined : newIamIdentifier
+    );
+
+    const currentName = this.oneWayModel.getProperty('/groupData/name') as string;
+    const currentDescription = this.oneWayModel.getProperty('/groupData/description') as string;
+    const hasNameChange =
+        ((this.oneWayModel.getProperty('/newGroupName') as string | undefined) ?? currentName) !== currentName;
+    const hasDescriptionChange =
+        ((this.oneWayModel.getProperty('/newGroupDescription') as string | undefined) ?? currentDescription) !== currentDescription;
+    const hasIamChange =
+        ((this.oneWayModel.getProperty('/newIamIdentifier') as string | undefined) ?? iamIdentifier) !== iamIdentifier;
+
+    this.oneWayModel.setProperty('/groupValid', hasNameChange || hasDescriptionChange || hasIamChange);
 };

-const payload: GroupPayload = {
-    name: this.oneWayModel.getProperty('/newGroupName') as string,
-    description: this.oneWayModel.getProperty('/newGroupDescription') as string,
-    IAMIdentifier: this.oneWayModel.getProperty('/newIamIdentifier') as string
-};
+const payload: Partial<GroupPayload> = {};
+const newName = this.oneWayModel.getProperty('/newGroupName') as string | undefined;
+const newDescription = this.oneWayModel.getProperty('/newGroupDescription') as string | undefined;
+const newIamIdentifier = this.oneWayModel.getProperty('/newIamIdentifier') as string | undefined;
+if (newName !== undefined) payload.name = newName;
+if (newDescription !== undefined) payload.description = newDescription;
+if (newIamIdentifier !== undefined) payload.IAMIdentifier = newIamIdentifier;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@webapp/controller/groups/Detail.controller.ts` around lines 125 - 144, The
current onGroupIamIdentifierChanged only toggles /groupValid and sets
/newIamIdentifier when different, but it leaves a stale /newIamIdentifier when a
user reverts to the original value and only tests IAM to enable save — causing
onGroupSavePress to include stale IAM values; update onGroupIamIdentifierChanged
to clear /newIamIdentifier (set to '') and set /groupValid to false when
newIamIdentifier === this.oneWayModel.getProperty('/groupData/iamIdentifier'),
otherwise set /newIamIdentifier and /groupValid true; additionally ensure any
other change handlers for name/description (the inputs that set /newGroupName
and /newGroupDescription) set /groupValid true when they differ from
this.oneWayModel.getProperty('/groupData/...') so onGroupSavePress only sends
fields that are actually changed and no stale IAM values remain.

[Ayurshi-Singh]

So does that mean there can be Tenant admin or Tenant auditor user groups which have the role "TENANT_ADMINISTRATOR" or "TENANT_AUDITOR" but will not have the relevant name. And those should be allowed to be edited?

[Ayurshi-Singh]

can you recheck if commonFormatter.getGroupDeleteTooltip is working fine? Because I don't see the tooltip. I HAVE switched the language to German, but anyhow it should fallback to English translations. But see no tool tip on the delete button

[Ayurshi-Singh]

+1, request for formatter logic.

[Ayurshi-Singh]

same as above. I don't see the tooltip in the UI currently.

[Ayurshi-Singh]

nit:suggestion: Can we change the name to ProtectedGroupsName, so we differentiate to from roles.