WIP: Conditionally show the "Remove access" button

TODO: Move this earlier in the branch and see whether I can improve the tests by stubbing(?) the `policy` that ends up in the view. TODO: I've had to introduce a new policy because I didn't seem to be able to specify `policy_class` in the call to `policy` in the template. This suggests that I should probably make the same change elsewhere before doing anything else in this branch. Publishing Managers can only see the button if they have access and if the application has delegatable permissions.
alphagov · Sep 21, 2023 · 65fd50a · 65fd50a
1 parent 48f4ac2
commit 65fd50a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/app/policies/account/application_policy.rb b/app/policies/account/application_policy.rb
@@ -0,0 +1,9 @@
+class Account::ApplicationPolicy < BasePolicy
+  def remove_signin_permission?
+    current_user.has_access_to?(record) &&
+      (
+        current_user.govuk_admin? ||
+        current_user.publishing_manager? && record.signin_permission.delegatable?
+      )
+  end
+end
diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
@@ -36,10 +36,12 @@
           <% end %>
         </td>
         <td class="govuk-table__cell govuk-table__cell--numeric">
-          <%= link_to delete_account_application_signin_permission_path(application),
-                      class: "govuk-button govuk-button--warning govuk-!-margin-0",
-                      data: { module: "govuk-button" } do %>
-              Remove access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+          <% if policy([:account, application]).remove_signin_permission? %>
+            <%= link_to delete_account_application_signin_permission_path(application),
+                        class: "govuk-button govuk-button--warning govuk-!-margin-0",
+                        data: { module: "govuk-button" } do %>
+                Remove access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+            <% end %>
           <% end %>
         </td>
       </tr>

diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
         assert_select "tr td", text: "app-name"
         assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
       end
+
+      should "not display the button to remove access to an application" do
+        application = create(:application, name: "app-name")
+        application.signin_permission.update(delegatable: false)
+        user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+        sign_in user
+
+        get :index
+
+        assert_select "tr td", text: "app-name"
+        assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+      end
     end
   end
 end