From 3d73238ca4a6787bcabb02a75f83687a8fd7cc99 Mon Sep 17 00:00:00 2001
From: Ynda Jas
Date: Wed, 7 Aug 2024 16:58:47 +0100
Subject: [PATCH] WIP Show notice when there are non-delegatable perms

TODO: add tests

This will be shown to publishing managers on the edit permissions page when there are non-delegatable non-signin permissions so that they are aware that they aren't seeing all permissions for the given app
---
 .../account/permissions_controller.rb         | 4 ++++
 .../users/permissions_controller.rb           | 4 ++++
 app/helpers/application_permissions_helper.rb | 21 +++++++++++++++++++
 app/models/doorkeeper/application.rb          | 4 ++++
 app/views/account/permissions/edit.html.erb   | 6 ++++++
 app/views/users/permissions/edit.html.erb     | 6 ++++++
 6 files changed, 45 insertions(+)

diff --git a/app/controllers/account/permissions_controller.rb b/app/controllers/account/permissions_controller.rb
index 086401c72d..8769665d77 100644
--- a/app/controllers/account/permissions_controller.rb
+++ b/app/controllers/account/permissions_controller.rb
@@ -3,6 +3,8 @@ class Account::PermissionsController < ApplicationController
   before_action :set_application
   before_action :set_permissions, only: %i[edit update]
 
+  include ApplicationPermissionsHelper
+
   def show
     authorize [:account, @application], :view_permissions?
 
@@ -14,6 +16,8 @@ def show
   def edit
     authorize [:account, @application], :edit_permissions?
 
+    @notice_about_non_delegatable_permissions = notice_about_non_delegatable_permissions(current_user, @application)
+
     @shared_permissions_form_locals = {
       action: account_application_permissions_path(@application),
       application: @application,
diff --git a/app/controllers/users/permissions_controller.rb b/app/controllers/users/permissions_controller.rb
index dfad2ac240..906e6a203c 100644
--- a/app/controllers/users/permissions_controller.rb
+++ b/app/controllers/users/permissions_controller.rb
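Review bot: `include ApplicationPermissionsHelper` pulls a view-helper module into the controller, and the helper method this commit adds to that module calls `link_to`, an ActionView helper that is not normally available on a controller instance unless this application's controllers already expose it — worth confirming before the promised tests are written. Helper modules are already visible to the templates, so the notice could be computed in the view (or exposed through `helper_method`) without including the module here; if it has to stay in the controller, `helpers.link_to` is the supported way to reach view helpers from an action. The controller class continues outside the hunk.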
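Review bot: `@notice_about_non_delegatable_permissions` is assigned only inside `edit`, so any other path that renders the edit template — for instance `update` re-rendering it after a failed save, which the `set_permissions` before_action covering `update` suggests may exist — would silently drop the notice and the user would not be told the list is filtered. Setting it in a before_action next to `set_permissions` (`before_action :set_non_delegatable_notice, only: %i[edit update]`) or computing it in the template keeps the two paths consistent. `edit` continues outside the hunk.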
@@ -4,6 +4,8 @@ class Users::PermissionsController < ApplicationController
   before_action :set_application
   before_action :set_permissions, only: %i[edit update]
 
+  include ApplicationPermissionsHelper
+
   def show
     authorize @user, :edit?
 
@@ -15,6 +17,8 @@ def show
   def edit
     authorize [{ application: @application, user: @user }], :edit_permissions?, policy_class: Users::ApplicationPolicy
 
+    @notice_about_non_delegatable_permissions = notice_about_non_delegatable_permissions(current_user, @application, @user)
+
     @shared_permissions_form_locals = {
       action: user_application_permissions_path(@user, @application),
       application: @application,
diff --git a/app/helpers/application_permissions_helper.rb b/app/helpers/application_permissions_helper.rb
index 1588c80026..ff06883101 100644
--- a/app/helpers/application_permissions_helper.rb
+++ b/app/helpers/application_permissions_helper.rb
@@ -22,4 +22,25 @@ def message_for_success(application_id, user = current_user)
     paragraph + list
   end
+
+  def notice_about_non_delegatable_permissions(current_user, application, other_grantee = nil)
+    return nil if current_user.govuk_admin?
+    return nil unless application.has_non_delegatable_non_signin_permissions_grantable_from_ui?
+
+    link = if other_grantee
+             link_to(
+               "view all the permissions #{other_grantee.name} has for #{application.name}",
+               user_application_permissions_path(other_grantee, application),
+               class: "govuk-link",
+             )
+           else
+             link_to(
+               "view all the permissions you have for #{@application.name}",
+               account_application_permissions_path(application),
+               class: "govuk-link",
+             )
+           end
+
+    "Below, you will only see permissions that you are authorised to manage. You can also #{link}."
+  end
 
 end
diff --git a/app/models/doorkeeper/application.rb b/app/models/doorkeeper/application.rb
index a6afcd6b20..7fca37ab8c 100644
--- a/app/models/doorkeeper/application.rb
+++ b/app/models/doorkeeper/application.rb
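Review bot: The `else` branch of `notice_about_non_delegatable_permissions` reads the controller's `@application` instead of the `application` parameter, so the label is only right when the caller happens to have that instance variable set; it should be `"view all the permissions you have for #{application.name}"`. The final line then interpolates the `link_to` result into a plain string, which discards its html_safe marking, so the anchor will either be rendered as literal markup or invite a later `raw`/`.html_safe` on text that contains user-supplied `name` values; build it as `safe_join(["Below, you will only see permissions that you are authorised to manage. You can also ", link, "."])` so the link survives while the names stay escaped by `link_to`. The `govuk_admin?` early return also re-encodes who may see every permission, a rule the edit actions already obtain from their policies, so if that rule changes in the policy this notice will drift — consider asking the policy instead. The enclosing module starts outside the hunk.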
@@ -65,6 +65,10 @@ def has_delegatable_non_signin_permissions_grantable_from_ui?
     (supported_permissions.delegatable.grantable_from_ui - [signin_permission]).any?
   end
 
+  def has_non_delegatable_non_signin_permissions_grantable_from_ui?
+    (supported_permissions.grantable_from_ui.where(delegatable: false) - [signin_permission]).any?
+  end
+
   def url_without_path
     parsed_url = URI.parse(redirect_uri)
     "#{parsed_url.scheme}://#{parsed_url.host}:#{parsed_url.port}"
diff --git a/app/views/account/permissions/edit.html.erb b/app/views/account/permissions/edit.html.erb
index 91029a119b..f3c0f7becc 100644
--- a/app/views/account/permissions/edit.html.erb
+++ b/app/views/account/permissions/edit.html.erb
@@ -29,6 +29,12 @@
 <% end %>
 <% end %>
 
+<% if @notice_about_non_delegatable_permissions %>
+  <%= render "govuk_publishing_components/components/inset_text", {
+    text: @notice_about_non_delegatable_permissions,
+  } %>
+<% end %>
+
 <%= render "shared/permissions_forms", {
   assigned_permissions: @assigned_permissions,
   unassigned_permission_options: @unassigned_permission_options,
diff --git a/app/views/users/permissions/edit.html.erb b/app/views/users/permissions/edit.html.erb
index 2b0c212539..c27066a28f 100644
--- a/app/views/users/permissions/edit.html.erb
+++ b/app/views/users/permissions/edit.html.erb
@@ -34,6 +34,12 @@
 <% end %>
 <% end %>
 
+<% if @notice_about_non_delegatable_permissions %>
+  <%= render "govuk_publishing_components/components/inset_text", {
+    text: @notice_about_non_delegatable_permissions,
+  } %>
+<% end %>
+
 <%= render "shared/permissions_forms", {
   assigned_permissions: @assigned_permissions,
   unassigned_permission_options: @unassigned_permission_options,
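Review bot: `has_non_delegatable_non_signin_permissions_grantable_from_ui?` spells the non-delegatable condition as an inline `where(delegatable: false)` while the sibling predicate directly above uses the `delegatable` scope, so the two halves of the same partition read differently; a `non_delegatable` scope on the supported-permission model, mirroring `delegatable`, would keep them symmetric (`(supported_permissions.non_delegatable.grantable_from_ui - [signin_permission]).any?`). Given the length of the name, a one-line comment would also help the next reader: `# True when the app has UI-grantable permissions (other than signin) that cannot be delegated — presumably only grantable by a GOV.UK admin; drives the "not all permissions shown" notice.` The class continues outside the hunk.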
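Review bot: The five-line `inset_text` block is added verbatim to both `account/permissions/edit.html.erb` and `users/permissions/edit.html.erb`, templates that already share `shared/permissions_forms`; extracting it into a small `shared/non_delegatable_permissions_notice` partial that takes the notice as a local, or folding it into the shared form partial, would stop the two pages drifting. Note that `text:` receives the helper's return value, which as written is a plain `String` containing an `<a>` tag; whether the component escapes or trusts that text is not visible in this hunk, so it is worth confirming the link actually renders rather than reaching for `raw` in the template.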