Add mutation to clear user roles and facilities

[emyl3]

BACKEND PULL REQUEST

Related Issue

• Part of cleanup effort for bug introduced by Persist role updates and add audit columns to ApiUserRole and ApiUserFacility #7828 where I was saving role and facility information for site admins when they ghosted into an organization
  • Prevent saving roles and facilities for site admins ghosting into orgs #7969 stopped saving site admin facility and role info when ghosting into orgs

Changes Proposed

• Introduces a mutation that takes a user's email and marks their ApiUserRole and ApiUserFacility entries as deleted

Additional Information

• Left the mutation flexible to be called on any user, but wrote a comment about the repercussions of calling the mutation on a non-site-admin user
  • will be ok to call this while the feature flag is off because user role and facility info will be repopulated but if this is called after the transition it will be an issue

Testing

• deployed on dev2
• call this mutation on a user that has role and facility entries populated, check in metabase they are deleted

mutation ($username: String!) {
    clearUserRolesAndFacilities (
        username: $username
    ) {
        nameInfo {
            firstName
        }
    }
}

[mehansen]

only nit is can we name these clearUserRolesandFacilities or something like that? "mark as deleted" to me implies that there's an isDeleted flag we are flipping and that this is reversible, but we're just clearing them for good

[emyl3]

Will do! thank you, merethe!

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[emyl3]

@mehansen method has been renamed -- ready for rereview!

[mpbrown]

LGTM! Created a new user with roles on dev2 and confirmed these were deleted after the mutation

[bobbywells52]

Tested on dev2 with a new user whose rolls were deleted after successfully calling the new endpoint -- LGTM! Thanks for your work on this

[fzhao99]

worth considering for a followup PR: could we stick a check for whether the found user is a site admin? Think this would entail extending our site admin validation code since from what I can tell, it grabs that information from the currently-logged in user auth properties, but think that

1. doing an explicit check is the safest way to make sure we don't end up in a unsupported state
2. Having a "is this email in the site admin group" is a generally useful method to have.

Since all this is behind a feature flag / this mutation is needed to clean up a testing env, no need to address here, but to consider as a follow up

[emyl3]

Created this issue to keep track of this effort: #8001
Thank you, @fzhao99! 😸

[emyl3]

Paired with @mehansen to remove roles and facilities of prod site admin users on 08/05/2024.