Added UI elements

Changed the access checkboxes to radio buttons as to only
allow one particular type of user active at all times.

The new user types are as follows:
* Regular
* Auditor
* Admin

app/controllers/admin/users_controller.rb

@@ -175,7 +175,7 @@ class Admin::UsersController < Admin::ApplicationController
 
   def user_params_ce
     [
-      :admin,
+      :access_level,
       :avatar,
       :bio,
       :can_create_group,

app/helpers/path_locks_helper.rb

@@ -7,6 +7,10 @@ module PathLocksHelper
     @license_allows_file_locks ||= (::License.current && ::License.current.add_on?('GitLab_FileLocks'))
   end
 
+  def license_allows_auditor_user?
+    @license_allows_auditor_user ||= (::License.current && ::License.current.add_on?('GitLab_Auditor_User'))
+  end
+
   def text_label_for_lock(file_lock, path)
     if file_lock.path == path
       "Locked by #{file_lock.user.name}"

app/models/user.rb

@@ -957,6 +957,23 @@ class User < ActiveRecord::Base
     Gitlab::UserActivities::ActivitySet.record(self)
   end
 
+  def access_level
+    if admin?
+      :admin
+    elsif auditor?
+      :auditor
+    else
+      :regular
+    end
+  end
+
+  def access_level=(new_level)
+    # new_level can be a symbol or a string
+    new_level = new_level.to_s
+    self.admin = (new_level == :admin)
+    self.auditor = (new_level == :auditor)
+  end
+
   private
 
   def ci_projects_union

app/views/admin/users/_form.html.haml

@@ -52,17 +52,37 @@
 
       .form-group
         = f.label :admin, class: 'control-label'
-        - if current_user == @user
-          .col-sm-10= f.check_box :admin, disabled: true
-          .col-sm-10 You cannot remove your own admin rights.
-        - else
-          .col-sm-10= f.check_box :admin
-
+        .col-sm-10
+          = f.radio_button :access_level, :regular, checked: true
+          = label_tag :regular do
+            Regular
+          %p.light
+            Regular users have access to their groups and projects
+          - if license_allows_auditor_user?
+            = f.radio_button :access_level, :auditor
+            = label_tag :auditor do
+              Audit
+            %p.light
+              Auditors have read-only access to all groups, projects and users
+          - if current_user == @user
+            = f.radio_button :access_level, :admin
+            = label_tag :admin do
+              Admin
+            %p.light
+              You cannot remove your own admin rights
+          -else
+            = f.radio_button :access_level, :admin
+            = label_tag :admin do
+              Admin
+            %p.light
+              Administrators have access to all groups, projects and users and can manage all features in this installation
       .form-group
         = f.label :external, class: 'control-label'
-        .col-sm-10= f.check_box :external
-        .col-sm-10 External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
-
+        .col-sm-10
+          = f.check_box :external do
+            External
+          %p.light
+            External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
     %fieldset
       %legend Profile
       .form-group

app/views/admin/users/_head.html.haml

@@ -4,6 +4,8 @@
     %span.cred (Blocked)
   - if @user.admin
     %span.cred (Admin)
+  - if @user.auditor
+    %span.cred (Auditor)
 
   .pull-right
     - unless @user == current_user || @user.blocked?