Cht-core: Allow offline users to access admin app if allowed

Created on 17 Aug 2018 · 10 Comments · Source: medic/cht-core

Because offline users were never allowed to see the _design/medic-admin ddoc, they could not access the Admin app even if their role had the necessary permissions (can_configure).

3 - Low Bug

All 10 comments

Is this a use case we want to support? I didn't think it was.

I didn't think so either, but as it stands, the ability to configure is handled by a permission, so I'd rather it's consistent.

Not sure if we should grant that access @dianabarsan @garethbowen @abbyad. Also, for restricted users, the config page seems to have a few strange behaviors, especially on update instance (screenshot) and Outgoing messages (screenshot).

@dianabarsan so this can wait until @garethbowen is back for discussion, but I just realised this morning I'm even more opposed to this than I was before, because:

  • We can create silent config conflicts (as opposed to 409s), which are IMO more dangerous than regular ones
  • We don't allow ddocs to ever be replicated upwards, so any changes in admin that involve writing to the ddoc would sit locally and break that user forever (because it would forever conflict with any upstream changes)
  • Except that some parts in admin do involve writing things that will replicate upwards, which means some things will work always and some things will work never

Edit: actually, since the admin pages got split out, the way the DB gets connected to is changed, so perhaps that would mean it's always an online connection?

@SCdF your _edit_ is correct, using the admin app requires an online connection (the admin ddoc is not replicated to offline users).
Also, most updates are made via API endpoints which do not rely on replication, with some exceptions (like translations and forms which already require the updater to be a DB admin user and already don't work for other roles).

Other than that, I have no strong feelings about keeping this feature. It was a loose end I wanted tied up, one way or the other.

Thanks @dianabarsan @SCdF. I will leave this open, pending a conclusion on how to proceed.

I think it would be safer for now to only allow access to the admin app if you have the can_configure permission _and_ you have an online role. There may be a use case one day for offline users being able to configure but it's not relevant today and blocking it saves us from having to test and maintain offline access for all our configuration pages (which from Bede's screenshot looks to be broken already).

This means we should remove the admin app link from the hamburger menu and block direct access to the admin app for anyone who doesn't have an online role _and_ the can_configure permission.

@dianabarsan @SCdF What do you think?
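
Added example, not cht-core code and not part of the comment above: a sketch of the rule it proposes, where one decision function drives both the hamburger-menu link and the guard on direct access. The role names, the permission map shape and every function name are hypothetical; treating "has an online role" as "at least one of the user's roles is classified online" is an assumption.

```javascript
// Constructed sample configuration (assumed shape, not cht-core's settings).
const ONLINE_ROLES = new Set(['program_officer', 'data_manager']);
const PERMISSIONS = { can_configure: ['program_officer', 'chw_supervisor'] };

// True if any of the user's roles is listed for the permission.
function hasPermission(user, permission) {
  const allowed = PERMISSIONS[permission] || [];
  return user.roles.some(role => allowed.includes(role));
}

// True if any of the user's roles is classified as online.
function hasOnlineRole(user) {
  return user.roles.some(role => ONLINE_ROLES.has(role));
}

// Single decision shared by the menu and the route guard, so the
// UI and the server-side check cannot drift apart.
function canAccessAdminApp(user) {
  if (!user || !Array.isArray(user.roles)) {
    return false; // fail closed on missing or malformed user context
  }
  return hasOnlineRole(user) && hasPermission(user, 'can_configure');
}

// UI side: the admin link is only listed for users who pass the check.
function menuLinks(user) {
  const links = ['messages', 'reports'];
  if (canAccessAdminApp(user)) {
    links.push('admin');
  }
  return links;
}

// Server side: direct requests are checked again, whatever the menu showed.
function adminAppStatus(user) {
  if (!user) {
    return 401; // not authenticated
  }
  return canAccessAdminApp(user) ? 200 : 403;
}
```

Hiding the link alone is not the control here: an offline user holding can_configure still gets a 403 when requesting the admin app directly.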

Merged into 3.1 and forward ported to master.

Thanks @dianabarsan. One thing I think used to be available to restricted users was the configuration wizard, IIRC (screenshot).

Did we get rid of that for restricted users? (screenshot)

No, that should still be there, but it does require your restricted user to have can_configure permission.
