WIP Limit manageable perms to delegatable for pub mans

TODO: tests We've already updated the policies to prevent publishing managers from adding or removing non-delegatable permissions to/from users This will: - filter out non-delegatable permissions higher up in the dependency chain (in `UserUpdatePermissionBuilder`) - filter the permissions users see when accessing the edit permissions pages
alphagov · Aug 7, 2024 · d3cc0cc · d3cc0cc
1 parent 5be05c6
commit d3cc0cc
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/app/controllers/account/permissions_controller.rb b/app/controllers/account/permissions_controller.rb
@@ -79,6 +79,10 @@ def set_application
   end
 
   def set_permissions
-    @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false)
+    if current_user.govuk_admin?
+      @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false)
+    elsif current_user.publishing_manager?
+      @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false, only_delegatable: true)
+    end
   end
 end
diff --git a/app/controllers/users/permissions_controller.rb b/app/controllers/users/permissions_controller.rb
@@ -84,6 +84,10 @@ def set_application
   end
 
   def set_permissions
-    @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false)
+    if current_user.govuk_admin?
+      @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false)
+    elsif current_user.publishing_manager?
+      @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false, only_delegatable: true)
+    end
   end
 end
diff --git a/app/models/doorkeeper/application.rb b/app/models/doorkeeper/application.rb
@@ -42,8 +42,12 @@ def signin_permission
     supported_permissions.signin.first
   end
 
-  def sorted_supported_permissions_grantable_from_ui(include_signin: true)
-    sorted_permissions = supported_permissions.grantable_from_ui.order(:name)
+  def sorted_supported_permissions_grantable_from_ui(include_signin: true, only_delegatable: false)
+    sorted_permissions = if only_delegatable
+                           supported_permissions.grantable_from_ui.delegatable.order(:name)
+                         else
+                           supported_permissions.grantable_from_ui.order(:name)
+                         end
     sorted_permissions_without_signin = sorted_permissions - [signin_permission]
 
     if include_signin