From 65fd50a905a9101bed4dface500e515916982f91 Mon Sep 17 00:00:00 2001
From: Chris Roos
Date: Thu, 21 Sep 2023 14:30:49 +0100
Subject: [PATCH] WIP: Conditionally show the "Remove access" button

TODO: Move this earlier in the branch and see whether I can improve the tests by stubbing(?) the `policy` that ends up in the view.

TODO: I've had to introduce a new policy because I didn't seem to be able to specify `policy_class` in the call to `policy` in the template. This suggests that I should probably make the same change elsewhere before doing anything else in this branch.

Publishing Managers can only see the button if they have access and if the application has delegatable permissions.
---
 app/policies/account/application_policy.rb | 9 +++++++++
 app/views/account/applications/index.html.erb | 10 ++++++----
 .../account/applications_controller_test.rb | 13 +++++++++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 app/policies/account/application_policy.rb

diff --git a/app/policies/account/application_policy.rb b/app/policies/account/application_policy.rb
new file mode 100644
index 0000000000..124c01f7b1
--- /dev/null
+++ b/app/policies/account/application_policy.rb
@@ -0,0 +1,9 @@
+class Account::ApplicationPolicy < BasePolicy
+def remove_signin_permission?
+current_user.has_access_to?(record) &&
+(
+current_user.govuk_admin? ||
+current_user.publishing_manager? && record.signin_permission.delegatable?
+)
+end
+end
diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
index a810e9cfb3..6f10562cf4
--- a/app/views/account/applications/index.html.erb
+++ b/app/views/account/applications/index.html.erb 
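Review bot: `remove_signin_permission?` mixes `||` and `&&` in one expression without grouping the `&&` term, so the rule only works because of operator precedence and reads as ambiguous; wrapping the publishing-manager clause, `(current_user.publishing_manager? && record.signin_permission.delegatable?)`, makes the intent explicit and avoids RuboCop's ambiguous-precedence lint. If an application can exist without a signin permission (not visible in this diff), `record.signin_permission.delegatable?` raises instead of denying; `record.signin_permission&.delegatable?` would fail closed, which is the safer default for an authorization predicate. A one-line comment above the method stating the rule would also help, e.g. `# Users may only remove their own access; GOV.UK admins always, publishing managers only where the permission is delegatable.`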
@@ -36,10 +36,12 @@
 <% end %>
- <%= link_to delete_account_application_signin_permission_path(application),
- class: "govuk-button govuk-button--warning govuk-!-margin-0",
- data: { module: "govuk-button" } do %>
- Remove access to <%= application.name %>
+ <% if policy([:account, application]).remove_signin_permission? %>
+ <%= link_to delete_account_application_signin_permission_path(application),
+ class: "govuk-button govuk-button--warning govuk-!-margin-0",
+ data: { module: "govuk-button" } do %>
+ Remove access to <%= application.name %>
+ <% end %>
 <% end %>
diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
index be82c30c96..85653108f0
--- a/test/controllers/account/applications_controller_test.rb
+++ b/test/controllers/account/applications_controller_test.rb
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
 assert_select "tr td", text: "app-name"
 assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
 end
+
+ should "not display the button to remove access to an application" do
+ application = create(:application, name: "app-name")
+ application.signin_permission.update(delegatable: false)
+ user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+ sign_in user
+
+ get :index
+
+ assert_select "tr td", text: "app-name"
+ assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+ end
 end
 end
 end
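Review bot: The `policy(...)` check added around the link hides the button but is not an authorization control on its own: `delete_account_application_signin_permission_path(application)` remains reachable by URL, so the controller actions behind it (the confirmation page and the destroy it leads to) must `authorize` against the same `Account::ApplicationPolicy#remove_signin_permission?` or the UI gate and the server-side check will diverge. Those controllers are outside this diff, so this is a point to confirm rather than a defect I can see; if they still authorize with a different policy, a publishing manager could remove a non-delegatable permission by crafting the URL. The `<% ... %>` block this link sits in opens before the hunk starts.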
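Review bot: The new test covers only the negative branch for an organisation admin whose permission is not delegatable; the positive cases the policy introduces (a `govuk_admin` user, and a publishing manager where `delegatable` is true) and the `has_access_to?` gate have no coverage, so a regression that hides the button for everyone would still pass. `application.signin_permission.update(delegatable: false)` returns false rather than raising on a validation failure, which would leave the fixture in its default state and the assertion passing for the wrong reason; `application.signin_permission.update!(delegatable: false)` fails loudly. The `should` description also does not name the condition under test; `should "not display the button to remove access to an application when its signin permission is not delegatable" do` makes the failure message self-explanatory. The enclosing `context` and class blocks open before this hunk.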