From f1c4cfd84910bc1ce22d9929f9b3685bcc6fdd75 Mon Sep 17 00:00:00 2001
From: Chris Roos
Date: Thu, 21 Sep 2023 14:30:49 +0100
Subject: [PATCH] Conditionally display the "Remove access" button

Publishing Managers can only remove their access from applications that have delegatable permissions. We should only display the button if they're allowed to remove their access.
---
 app/views/account/applications/index.html.erb | 10 ++++++----
 .../account/applications_controller_test.rb | 13 +++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
index 754eeb3042..a3530ab6ea 100644
--- a/app/views/account/applications/index.html.erb
+++ b/app/views/account/applications/index.html.erb
@@ -36,10 +36,12 @@ <% end %>
- <%= link_to delete_account_application_signin_permission_path(application),
- class: "govuk-button govuk-button--warning govuk-!-margin-0",
- data: { module: "govuk-button" } do %>
- Remove access to <%= application.name %>
+ <% if policy([:account, application]).remove_signin_permission? %>
+ <%= link_to delete_account_application_signin_permission_path(application),
+ class: "govuk-button govuk-button--warning govuk-!-margin-0",
+ data: { module: "govuk-button" } do %>
+ Remove access to <%= application.name %>
+ <% end %>
 <% end %>
diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
index be82c30c96..8833a3ec50 100644
--- a/test/controllers/account/applications_controller_test.rb
+++ b/test/controllers/account/applications_controller_test.rb
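Review bot: The `policy([:account, application]).remove_signin_permission?` guard added around the link only hides the button; the delete path stays reachable by URL, so the same policy has to be enforced in the controller action behind `delete_account_application_signin_permission_path`. That controller is not part of this patch, so confirm it already calls something like `authorize [:account, application], :remove_signin_permission?` before rendering the confirmation page and before removing the permission. A short ERB comment above the `if`, for example `<%# UI hint only: the controller enforces remove_signin_permission? %>`, would stop a later reader treating the view check as the access control. The surrounding table markup lies outside the hunk.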
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
 assert_select "tr td", text: "app-name"
 assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
 end
+
+ should "not display the button to remove access to an application" do
+ application = create(:application, name: "app-name")
+ application.signin_permission.update!(delegatable: false)
+ user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+ sign_in user
+
+ get :index
+
+ assert_select "tr td", text: "app-name"
+ assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+ end
 end
 end
 end
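Review bot: The new test's name, `should "not display the button to remove access to an application"`, leaves out the condition under test; `should "not display the button to remove access when the signin permission is not delegatable" do` states it. The commit message describes Publishing Managers, but the user here is built from `:organisation_admin_user`, so a matching case for the other role would cover what the description claims (the enclosing `context` blocks start outside the hunk, so the role may be set there). The test also only checks that the link is absent from the index page; a request-level test that the delete route itself is refused for a non-delegatable permission would cover the authorization rather than the display, if one does not already exist in the signin-permission controller tests.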