WIP Show notice when there are non-delegatable perms

TODO: add tests. This could be a separate branch/PR with three or four commits: one for the helper method and tests, one for the model method and tests, one for the controller changes and tests, and one for the feature tests (optionally with the last two combined) This will be shown to publishing managers on the edit permissions page when there are non-delegatable non-signin permissions so that they are aware that they aren't seeing all permissions for the given app
alphagov · Aug 8, 2024 · 979b4a1 · 979b4a1
1 parent c8872d3
commit 979b4a1
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 0 deletions.
diff --git a/app/controllers/account/permissions_controller.rb b/app/controllers/account/permissions_controller.rb
@@ -3,6 +3,8 @@ class Account::PermissionsController < ApplicationController
   before_action :set_application
   before_action :set_permissions, only: %i[edit update]
 
+  include ApplicationPermissionsHelper
+
   def show
     authorize [:account, @application], :view_permissions?
 
@@ -14,6 +16,8 @@ def show
   def edit
     authorize [:account, @application], :edit_permissions?
 
+    @notice_about_non_delegatable_permissions = notice_about_non_delegatable_permissions(current_user, @application)
+
     @shared_permissions_form_locals = {
       action: account_application_permissions_path(@application),
       application: @application,

diff --git a/app/controllers/users/permissions_controller.rb b/app/controllers/users/permissions_controller.rb
@@ -4,6 +4,8 @@ class Users::PermissionsController < ApplicationController
   before_action :set_application
   before_action :set_permissions, only: %i[edit update]
 
+  include ApplicationPermissionsHelper
+
   def show
     authorize @user, :edit?
 
@@ -15,6 +17,8 @@ def show
   def edit
     authorize [{ application: @application, user: @user }], :edit_permissions?, policy_class: Users::ApplicationPolicy
 
+    @notice_about_non_delegatable_permissions = notice_about_non_delegatable_permissions(current_user, @application, @user)
+
     @shared_permissions_form_locals = {
       action: user_application_permissions_path(@user, @application),
       application: @application,

diff --git a/app/helpers/application_permissions_helper.rb b/app/helpers/application_permissions_helper.rb
@@ -22,4 +22,25 @@ def message_for_success(application_id, user = current_user)
 
     paragraph + list
   end
+
+  def notice_about_non_delegatable_permissions(current_user, application, other_grantee = nil)
+    return nil if current_user.govuk_admin?
+    return nil unless application.has_non_delegatable_non_signin_permissions_grantable_from_ui?
+
+    link = if other_grantee
+             link_to(
+               "view all the permissions #{other_grantee.name} has for #{application.name}",
+               user_application_permissions_path(other_grantee, application),
+               class: "govuk-link",
+             )
+           else
+             link_to(
+               "view all the permissions you have for #{application.name}",
+               account_application_permissions_path(application),
+               class: "govuk-link",
+             )
+           end
+
+    "Below, you will only see permissions that you are authorised to manage. You can also #{link}."
+  end
 end
diff --git a/app/models/doorkeeper/application.rb b/app/models/doorkeeper/application.rb
@@ -67,6 +67,10 @@ def has_delegatable_non_signin_permissions_grantable_from_ui?
     (supported_permissions.delegatable.grantable_from_ui - [signin_permission]).any?
   end
 
+  def has_non_delegatable_non_signin_permissions_grantable_from_ui?
+    (supported_permissions.grantable_from_ui.where(delegatable: false) - [signin_permission]).any?
+  end
+
   def url_without_path
     parsed_url = URI.parse(redirect_uri)
     "#{parsed_url.scheme}://#{parsed_url.host}:#{parsed_url.port}"

diff --git a/app/views/account/permissions/edit.html.erb b/app/views/account/permissions/edit.html.erb
@@ -29,6 +29,12 @@
   <% end %>
 <% end %>
 
+<% if @notice_about_non_delegatable_permissions %>
+  <%= render "govuk_publishing_components/components/inset_text", {
+    text: @notice_about_non_delegatable_permissions,
+  } %>
+<% end %>
+
 <%= render "shared/permissions_forms", {
   assigned_permissions: @assigned_permissions,
   unassigned_permission_options: @unassigned_permission_options,

diff --git a/app/views/users/permissions/edit.html.erb b/app/views/users/permissions/edit.html.erb
@@ -34,6 +34,12 @@
   <% end %>
 <% end %>
 
+<% if @notice_about_non_delegatable_permissions %>
+  <%= render "govuk_publishing_components/components/inset_text", {
+    text: @notice_about_non_delegatable_permissions,
+  } %>
+<% end %>
+
 <%= render "shared/permissions_forms", {
   assigned_permissions: @assigned_permissions,
   unassigned_permission_options: @unassigned_permission_options,