Remove Manage DevKey from perms page

closes PLAT-4427

Test Plan:
 - see that the bug has been fixed

Change-Id: I50fb60fe1db4d44031581301b4d3b3f58b23808e
Reviewed-on: https://gerrit.instructure.com/197174
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
Product-Review: Marc Phillips <mphillips@instructure.com>

app/controllers/role_overrides_controller.rb

@@ -674,6 +674,7 @@ class RoleOverridesController < ApplicationController
 
     # Add group_permissions
     RoleOverride.manageable_permissions(context).each do |p|
+      next if !context.root_account? && p[0].to_s == 'manage_developer_keys'
       # NOTE: p[1][:label_v2].call could eventually be removed if we copied everything over to :label
       hash = {:label => p[1].key?(:label_v2) ? p[1][:label_v2].call : p[1][:label].call, :permission_name => p[0]}
       if p[1][:account_only]

lib/api/v1/role.rb

@@ -36,6 +36,7 @@ module Api::V1::Role
 
     RoleOverride.manageable_permissions(account).keys.each do |permission|
       perm = RoleOverride.permission_for(account, permission, role, account)
+      next if permission == :manage_developer_keys && !account.root_account?
       json[:permissions][permission] = permission_json(perm, current_user, session) if perm[:account_allows]
     end
 
@@ -56,4 +57,3 @@ module Api::V1::Role
                      :applies_to_descendants, :applies_to_self)
   end
 end
-

spec/controllers/role_overrides_controller_spec.rb

@@ -19,8 +19,9 @@
 require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
 
 describe RoleOverridesController do
+  let(:parent_account) { Account.default }
   before :each do
-    @account = account_model(:parent_account => Account.default)
+    @account = account_model(:parent_account => parent_account)
     account_admin_user(:account => @account)
     user_session(@admin)
   end
@@ -215,6 +216,22 @@ describe RoleOverridesController do
         expect(assigns[:js_bundles].length).to eq 1
         expect(assigns[:js_bundles].first).to include :permissions_index
       end
+
+      it 'does not load the manage_developer_keys role on sub account' do
+        get 'index', params: {:account_id => @account.id}
+        expect(assigns.dig(:js_env, :ACCOUNT_ROLES).first.dig(:permissions).keys).to_not include(:manage_developer_keys)
+        expect(assigns.dig(:js_env, :ACCOUNT_PERMISSIONS, 0, :group_permissions).any? { |g| g[:permission_name] == :manage_developer_keys}).to eq false
+      end
+
+      context 'in root_account' do
+        let(:parent_account) { nil }
+
+        it 'does load the manage_developer_keys role on root account' do
+          get 'index', params: {:account_id => @account.id}
+          expect(assigns.dig(:js_env, :ACCOUNT_ROLES).first.dig(:permissions).keys).to include(:manage_developer_keys)
+          expect(assigns.dig(:js_env, :ACCOUNT_PERMISSIONS, 0, :group_permissions).any? { |g| g[:permission_name] == :manage_developer_keys}).to eq true
+        end
+      end
     end
   end
 end