Allow Publishing Managers to manage their apps #2370
Merged
Commits on Sep 28, 2023
-
Use redirect_back_or_to in user_not_authorized
If the user attempts to do something they're not authorized to do then we should first try to take them back to the page they were on, and only redirect to the root path as a fallback. Ideally users wouldn't be able to use the UI to navigate to actions they're not authorized to execute but this small change will make the experience slightly better if they are able to.
-
Use govuk-link class in "View permissions" link
Calum spotted that I'd missed this.
-
Improve display of permissions table
To avoid the column widths varying based on the length of text in the (permission) Name column.
-
Namespace the ApplicationPolicy
In order to allow Publishing Managers to remove their own signin permission from apps I'm going to need an instance of the Application so that I can check whether it has delegatable permissions. This preparatory change will allow me to pass an instance of Application to `authorize` in order to automagically find this `Account::ApplicationPolicy` class.
-
Move permission from UserPolicy to ApplicationPolicy
In preparation for allowing Publishing Managers to use the /account/applications page. Publishing Managers can only remove their signin permission from an application if the application has delegatable permissions, so we need an instance of Application to check whether the user is authorized to remove their access. I've chosen to move all permission related methods over to keep them together.
-
Allow Publishing Managers to use /account/applications
Publishing Managers can: - View permissions for all applications they have access to - Remove their access from applications with delegatable permissions Publishing Managers cannot: - Grant themselves access to applications - Remove their access from applications that don't have delegatable permissions
-
Don't display "Grant access" button to Publishing Managers
Publishing Managers aren't allowed to grant themselves access to applications so we shouldn't show them this button.
-
Conditionally display the "Remove access" button
Publishing Managers can only remove their access from applications that have delegatable permissions. We should only display the button if they're allowed to remove their access.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.