Conditionally display the "Remove access" button

Publishing Managers can only remove their access from applications that have delegatable permissions. We should only display the button if they're allowed to remove their access.
alphagov · Sep 28, 2023 · 036a2ee · 036a2ee
1 parent defd389
commit 036a2ee
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
@@ -36,10 +36,12 @@
           <% end %>
         </td>
         <td class="govuk-table__cell govuk-!-text-align-right">
-          <%= link_to delete_account_application_signin_permission_path(application),
-                      class: "govuk-button govuk-button--warning govuk-!-margin-0",
-                      data: { module: "govuk-button" } do %>
-              Remove access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+          <% if policy([:account, application]).remove_signin_permission? %>
+            <%= link_to delete_account_application_signin_permission_path(application),
+                        class: "govuk-button govuk-button--warning govuk-!-margin-0",
+                        data: { module: "govuk-button" } do %>
+                Remove access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+            <% end %>
           <% end %>
         </td>
       </tr>

diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
         assert_select "tr td", text: "app-name"
         assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
       end
+
+      should "not display the button to remove access to an application" do
+        application = create(:application, name: "app-name")
+        application.signin_permission.update!(delegatable: false)
+        user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+        sign_in user
+
+        get :index
+
+        assert_select "tr td", text: "app-name"
+        assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+      end
     end
   end
 end