Use variants for admin users to change behaviour for self vs others

app/controllers/admin/admin_users_controller.rb

@@ -72,6 +72,8 @@ def destroy
 
     def set_admin
       @admin = Admin::User.with_archived.find(params[:id])
+
+      request.variant << :self if @admin == current_admin_user
     end
 
     def admin_user_params

app/controllers/admin/credentials_controller.rb

@@ -70,7 +70,11 @@ def credential_params
     def set_admin_user
       @admin_user = Admin::User.find(params[:admin_user_id])
 
-      head(:forbidden) unless current_admin == @admin_user
+      if current_admin == @admin_user
+        request.variant = :self
+      else
+        head(:forbidden)
+      end
     end
   end
 end

app/views/admin/admin_users/_fields.html+self.erb

@@ -0,0 +1,3 @@
+<%= form.govuk_text_field :email %>
+<%= form.govuk_text_field :name %>
+<%= form.govuk_password_field :password, label: { text: "Password (optional)" } %>

app/views/admin/admin_users/_fields.html.erb

@@ -1,4 +1,3 @@
 <%= form.govuk_text_field :email %>
 <%= form.govuk_text_field :name %>
-<%= form.govuk_password_field :password, label: { text: "Password#{' (optional)' if form.object.persisted?}" } %>
 <%= form.govuk_check_box_field :archived if form.object.persisted? %>

app/views/admin/admin_users/show.html+self.erb

@@ -0,0 +1,20 @@
+<%# locals: (admin:) %>
+
+<% content_for :header do %>
+  <%= render Koi::Header::ShowComponent.new(resource: admin) %>
+<% end %>
+
+<%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
+  <%= builder.text :name %>
+  <%= builder.text :email %>
+  <%= builder.date :created_at %>
+  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
+<% end %>
+
+<h3>Passkeys</h3>
+
+<%= render "admin/credentials/credentials", admin: %>
+
+<div class="actions-group">
+  <%= kpop_link_to "Add this device", new_admin_admin_user_credential_path(admin), class: "button button--primary" %>
+</div>

app/views/admin/admin_users/show.html.erb

@@ -1,15 +1,21 @@
+<%# locals: (admin:) %>
+
 <% content_for :header do %>
   <%= render Koi::Header::ShowComponent.new(resource: admin) %>
 <% end %>
 
 <%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
   <%= builder.text :name %>
   <%= builder.text :email %>
-  <%= builder.datetime :created_at %>
-  <%= builder.datetime :last_sign_in_at, label: { text: "Last sign in" } %>
+  <%= builder.date :created_at %>
+  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
   <%= builder.boolean :archived? %>
 <% end %>
 
+<h3>Passkeys</h3>
+
+<%= render "admin/credentials/credentials", admin: %>
+
 <div class="actions">
   <% if admin.archived? %>
     <%= button_to "Delete", admin_admin_user_path(admin),
@@ -19,13 +25,3 @@
   <% end %>
   <%= button_to "Generate login link", admin_admin_user_tokens_path(admin), class: "button button--primary", form: { id: "invite" } %>
 </div>
-
-<h2>Authentication</h2>
-
-<%= render "admin/credentials/credentials", admin: %>
-
-<% if admin == current_admin %>
-  <div class="actions-group">
-    <%= kpop_link_to "Add this device", new_admin_admin_user_credential_path(admin), class: "button button--primary" %>
-  </div>
-<% end %>

spec/requests/admin/admin_users_controller_spec.rb

@@ -42,7 +42,7 @@
 
   describe "POST /admin/admin_users" do
     let(:action) { post admin_admin_users_path, params: { admin: admin_params } }
-    let(:admin_params) { attributes_for(:admin) }
+    let(:admin_params) { attributes_for(:admin).except(:password) }
 
     it_behaves_like "requires admin"
 
@@ -94,14 +94,14 @@
     end
 
     it "updates password" do
-      expect { action }.not_to(change { admin.reload.password })
+      expect { action }.to(change { admin.reload.password_digest })
     end
 
     context "with empty password" do
       let(:admin_params) { { password: "" } }
 
       it "updates password" do
-        expect { action }.not_to(change { admin.reload.password })
+        expect { action }.not_to(change { admin.reload.password_digest })
       end
     end