diff --git a/app/controllers/account/permissions_controller.rb b/app/controllers/account/permissions_controller.rb index a039ad400..1ff094316 100644 --- a/app/controllers/account/permissions_controller.rb +++ b/app/controllers/account/permissions_controller.rb @@ -5,7 +5,7 @@ class Account::PermissionsController < ApplicationController before_action :set_application def show - authorize [:account, @application], :view_permissions? + authorize [:account, UserApplicationPermission] @permissions = @application .sorted_supported_permissions_grantable_from_ui @@ -13,13 +13,13 @@ def show end def edit - authorize [:account, @application], :edit_permissions? + authorize [:account, current_user.signin_permission_for(@application)] @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false) end def update - authorize [:account, @application], :edit_permissions? + authorize [:account, current_user.signin_permission_for(@application)], :edit? permission_ids_for_other_applications = current_user.supported_permissions.excluding_application(@application).pluck(:id) user_update_params = { supported_permission_ids: permission_ids_for_other_applications + params[:application][:supported_permission_ids] } diff --git a/app/controllers/account/signin_permissions_controller.rb b/app/controllers/account/signin_permissions_controller.rb index e964b9307..f6b2b9bac 100644 --- a/app/controllers/account/signin_permissions_controller.rb +++ b/app/controllers/account/signin_permissions_controller.rb @@ -4,7 +4,7 @@ class Account::SigninPermissionsController < ApplicationController before_action :authenticate_user! def create - authorize [:account, Doorkeeper::Application], :grant_signin_permission? + authorize SigninPermission params = { supported_permission_ids: current_user.supported_permissions.map(&:id) + [application.signin_permission.id] } UserUpdate.new(current_user, params, current_user, user_ip_address).call 
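Review bot: In `show`, `authorize [:account, UserApplicationPermission]` passes the class as the record, while `Account::UserApplicationPermissionPolicy#show?` (added later in this diff) reads `user` off the record via `delegate :user, :application, to: :record` to run `Pundit.policy(current_user, user).edit?`; as far as the visible code goes the class has no `user`, so this raises rather than authorizing anything. The `edit` action in the next hunk already authorizes the current user's own permission record, and `show` should match it: `authorize [:account, current_user.signin_permission_for(@application)]`. Be aware that this helper returns nil when the user has no signin permission for the application, which Pundit surfaces as `Pundit::NotDefinedError` rather than a denial unless ApplicationController rescues it outside this diff.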
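Review bot: `current_user.signin_permission_for(@application)` in both `edit` and `update` is nil when the current user has no signin permission for this application, and `authorize [:account, nil]` makes Pundit look up a policy for `NilClass` and raise `Pundit::NotDefinedError` — a 500 instead of the 403 path that `NotAuthorizedError` takes, unless ApplicationController rescues `NotDefinedError`, which this diff does not show. The replaced `authorize [:account, @application], :edit_permissions?` handled that case inside the policy through `has_access_to?`. A guard before authorizing keeps the old behaviour: `signin_permission = current_user.signin_permission_for(@application)` / `raise Pundit::NotAuthorizedError if signin_permission.nil?` / `authorize [:account, signin_permission], :edit?`.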
@@ -13,11 +13,11 @@ def create end def delete - authorize [:account, application], :remove_signin_permission? + authorize [:account, SigninPermission.new(current_user.signin_permission_for(application))] end def destroy - authorize [:account, application], :remove_signin_permission? + authorize [:account, SigninPermission.new(current_user.signin_permission_for(application))], :delete? params = { supported_permission_ids: current_user.supported_permissions.map(&:id) - [application.signin_permission.id] } UserUpdate.new(current_user, params, current_user, user_ip_address).call diff --git a/app/controllers/users/applications_controller.rb b/app/controllers/users/applications_controller.rb new file mode 100644 index 000000000..0b641306f --- /dev/null +++ b/app/controllers/users/applications_controller.rb @@ -0,0 +1,22 @@ +class Users::ApplicationsController < ApplicationController + layout "admin_layout" + + before_action :authenticate_user! + before_action :load_user + before_action :authorize_user + + def index + @applications_with_signin = Doorkeeper::Application.not_api_only.can_signin(@user) + @applications_without_signin = Doorkeeper::Application.not_api_only.without_signin_permission_for(@user) + end + + private + + def load_user + @user = User.find(params[:user_id]) + end + + def authorize_user + authorize @user + end +end diff --git a/app/controllers/users/permissions_controller.rb b/app/controllers/users/permissions_controller.rb new file mode 100644 index 000000000..7e0c54afc --- /dev/null +++ b/app/controllers/users/permissions_controller.rb 
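Review bot: `authorize [:account, SigninPermission.new(...)]` in `delete` and `destroy` resolves to `Account::SigninPermissionPolicy`, and no such policy is added in this diff — the only one added is the top-level `SigninPermissionPolicy`, whose `delete?` already delegates to `Account::UserApplicationPermissionPolicy#edit?`. Unless `Account::SigninPermissionPolicy` exists elsewhere, both actions raise `Pundit::NotDefinedError` instead of checking anything; drop the namespace so they hit the policy this diff defines: `authorize SigninPermission.new(current_user.signin_permission_for(application)), :delete?`. `current_user.signin_permission_for(application)` is also nil when the user lacks access, which then reaches the policy as a nil `user_application_permission` and fails inside the nested `Pundit.policy` call with an error rather than a denial.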
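Review bot: `authorize_user` calls `authorize @user` with no query, so for this `index` action it evaluates `UserPolicy#index?`, whereas every permission policy in this diff gates per-user access on `Pundit.policy(current_user, user).edit?`; if `index?` is looser than `edit?` (for example allowing a publishing manager to list users outside their organisation), this page discloses which applications any user can sign in to. Make the page-level gate match the row-level ones: `authorize @user, :edit?`. `UserPolicy` is not in this diff, so confirm what `index?` allows before relying on it.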
@@ -0,0 +1,42 @@ +class Users::PermissionsController < ApplicationController + layout "admin_layout" + + before_action :authenticate_user! + before_action :load_user + before_action :set_application + + def show + @permissions = @application + .sorted_supported_permissions_grantable_from_ui + .sort_by { |permission| @user.has_permission?(permission) ? 0 : 1 } + + authorize @user.signin_permission_for(@application) + end + + def edit + @permissions = @application.sorted_supported_permissions_grantable_from_ui(include_signin: false) + + authorize @user.signin_permission_for(@application) + end + + def update + authorize @user.signin_permission_for(@application) + + permission_ids_for_other_applications = @user.supported_permissions.excluding_application(@application).pluck(:id) + user_update_params = { supported_permission_ids: permission_ids_for_other_applications + params[:application][:supported_permission_ids] } + UserUpdate.new(@user, user_update_params, current_user, user_ip_address).call + + flash[:application_id] = @application.id + redirect_to user_applications_path(@user) + end + + private + + def load_user + @user = User.find(params[:user_id]) + end + + def set_application + @application = Doorkeeper::Application.not_api_only.find(params[:application_id]) + end +end diff --git a/app/controllers/users/signin_permissions_controller.rb b/app/controllers/users/signin_permissions_controller.rb new file mode 100644 index 000000000..e3130e93f --- /dev/null +++ b/app/controllers/users/signin_permissions_controller.rb 
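Review bot: `update` splices `params[:application][:supported_permission_ids]` straight into the new permission set without restricting the ids to `@application`'s UI-grantable permissions, so a caller who passes `edit_permissions?` for one delegatable application can submit ids belonging to any other application, or a permission not grantable from the UI, and have them added — unless `UserUpdate` filters them, which this diff does not show. A missing `params[:application]` also raises `NoMethodError` rather than a 4xx. Intersect the request with what the form may offer: `allowed_ids = @application.sorted_supported_permissions_grantable_from_ui.map(&:id)` / `requested_ids = Array(params.dig(:application, :supported_permission_ids)).map(&:to_i) & allowed_ids` / `user_update_params = { supported_permission_ids: permission_ids_for_other_applications + requested_ids }`. Separately, `@user.signin_permission_for(@application)` is nil for a user without access to the application, and `authorize nil` raises `Pundit::NotDefinedError` instead of denying.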
@@ -0,0 +1,39 @@ +class Users::SigninPermissionsController < ApplicationController + layout "admin_layout" + + before_action :authenticate_user! + before_action :load_user + before_action :set_application + + def create + authorize SigninPermission + + params = { supported_permission_ids: @user.supported_permissions.map(&:id) + [@application.signin_permission.id] } + UserUpdate.new(@user, params, current_user, user_ip_address).call + + redirect_to user_applications_path(@user) + end + + def delete + authorize @user.signin_permission_for(@application) + end + + def destroy + authorize @user.signin_permission_for(@application) + + params = { supported_permission_ids: @user.supported_permissions.map(&:id) - [@application.signin_permission.id] } + UserUpdate.new(@user, params, current_user, user_ip_address).call + + redirect_to user_applications_path(@user) + end + +private + + def load_user + @user = User.find(params[:user_id]) + end + + def set_application + @application ||= Doorkeeper::Application.find(params[:application_id]) + end +end diff --git a/app/helpers/account_applications_helper.rb b/app/helpers/account_applications_helper.rb index c8b4df96a..724f65dea 100644 --- a/app/helpers/account_applications_helper.rb +++ b/app/helpers/account_applications_helper.rb 
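Review bot: `set_application` loads with `Doorkeeper::Application.find(params[:application_id])` without the `not_api_only` scope that `Users::PermissionsController#set_application` and the `index` listing use, so signin permission can be granted to or removed from an API-only application by editing the id in the URL even though the UI never offers it. Use the same scope: `@application = Doorkeeper::Application.not_api_only.find(params[:application_id])` — the `||=` memoisation does nothing useful in a `before_action`. `create` is also the only write here that never considers whether `current_user` may manage `@user` (`SigninPermissionPolicy#create?` is just `govuk_admin?`); if that is intentional because admins can edit anyone, a one-line comment saying so would help. As in the sibling controllers, `@user.signin_permission_for(@application)` is nil for a user without access, turning `delete`/`destroy` into `Pundit::NotDefinedError` rather than a denial.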
@@ -1,12 +1,16 @@ module AccountApplicationsHelper - def message_for_success(application_id) + def message_for_success(application_id, user: current_user) application = Doorkeeper::Application.find_by(id: application_id) return nil unless application - additional_permissions = current_user.permissions_for(application).reject { |permission| permission == SupportedPermission::SIGNIN_NAME } + additional_permissions = user.permissions_for(application).reject { |permission| permission == SupportedPermission::SIGNIN_NAME } if additional_permissions.any? - paragraph = tag.p("You now have the following permissions for #{application.name}:", class: "govuk-body") + if user == current_user + paragraph = tag.p("You now have the following permissions for #{application.name}:", class: "govuk-body") + else + paragraph = tag.p("#{user.name} now has the following permissions for #{application.name}:", class: "govuk-body") + end list = tag.ul(class: "govuk-list govuk-list--bullet") additional_permissions.map { |permission| list << tag.li(permission) } else diff --git a/app/models/signin_permission.rb b/app/models/signin_permission.rb new file mode 100644 index 000000000..1076d901e --- /dev/null +++ b/app/models/signin_permission.rb @@ -0,0 +1,7 @@ +class SigninPermission + attr_reader :user_application_permission + + def initialize(user_application_permission) + @user_application_permission = user_application_permission + end +end diff --git a/app/models/user.rb b/app/models/user.rb index 20d131f45..413599ca2 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
@@ -173,10 +173,14 @@ def permission_ids_for(application) application_permissions.select { |ap| ap.application_id == application.id }.map(&:supported_permission_id) end - def has_access_to?(application) + def signin_permission_for(application) application_permissions.detect { |permission| permission.supported_permission_id == application.signin_permission.id } end + def has_access_to?(application) + signin_permission_for(application).present? + end + def has_permission?(supported_permission) if persisted? supported_permissions.exists?(supported_permission.id) diff --git a/app/policies/account/application_policy.rb b/app/policies/account/application_policy.rb index cd39c6d59..8469bdca3 100644 --- a/app/policies/account/application_policy.rb +++ b/app/policies/account/application_policy.rb @@ -4,18 +4,4 @@ def index? end alias_method :show?, :index? - alias_method :view_permissions?, :index? - - def grant_signin_permission? - current_user.govuk_admin? - end - - def remove_signin_permission? - current_user.has_access_to?(record) && - ( - current_user.govuk_admin? || - current_user.publishing_manager? && record.signin_permission.delegatable? - ) - end - alias_method :edit_permissions?, :remove_signin_permission? end diff --git a/app/policies/account/user_application_permission_policy.rb b/app/policies/account/user_application_permission_policy.rb new file mode 100644 index 000000000..21588d009 --- /dev/null +++ b/app/policies/account/user_application_permission_policy.rb @@ -0,0 +1,16 @@ +class Account::UserApplicationPermissionPolicy < BasePolicy + def show? + Pundit.policy(current_user, user).edit? + end + + def edit? + return false unless show? + return true if current_user.govuk_admin? + + current_user.has_access_to?(application) && application.signin_permission.delegatable? + end + + private + + delegate :user, :application, to: :record, allow_nil: true +end 
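Review bot: `edit?` drops the `current_user.publishing_manager?` condition that the removed `Account::ApplicationPolicy#remove_signin_permission?` required for non-admins, so any role that passes `Pundit.policy(current_user, user).edit?` on its own record and holds signin access to a delegatable application can now edit its own permissions or remove its own access; the tests deleted in this diff asserted that normal users were forbidden, and the users-context `UserApplicationPermissionPolicy` added here keeps the role check. Unless `UserPolicy#edit?` already excludes normal users editing themselves, restore it on the last line: `current_user.publishing_manager? && current_user.has_access_to?(application) && application.signin_permission.delegatable?`. Note also that `allow_nil: true` on the delegation only covers a nil record, so a nil `user` makes `Pundit.policy(current_user, nil)` return nil and `.edit?` raise `NoMethodError` rather than deny.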
diff --git a/app/policies/signin_permission_policy.rb b/app/policies/signin_permission_policy.rb new file mode 100644 index 000000000..c047410f6 --- /dev/null +++ b/app/policies/signin_permission_policy.rb @@ -0,0 +1,13 @@ +class SigninPermissionPolicy < BasePolicy + def create? + current_user.govuk_admin? + end + + def delete? + Pundit.policy(current_user, [:account, user_application_permission]).edit? + end + + private + + delegate :user_application_permission, to: :record +end diff --git a/app/policies/user_application_permission_policy.rb b/app/policies/user_application_permission_policy.rb new file mode 100644 index 000000000..ca684fefc --- /dev/null +++ b/app/policies/user_application_permission_policy.rb @@ -0,0 +1,52 @@ +class UserApplicationPermissionPolicy < BasePolicy + def index? + Pundit.policy(current_user, user).edit? + end + + def remove_signin_permission? + user.has_access_to?(application) && + ( + current_user.govuk_admin? || + current_user.publishing_manager? && application.signin_permission.delegatable? + ) + end + + def edit_permissions? + remove_signin_permission? + end + + def view_permissions? + Pundit.policy(current_user, user).edit? && + user.has_access_to?(application) + end + + def delete? + edit_permissions? + end + + def destroy? + delete? + end + + def show? + view_permissions? + end + + def edit? + edit_permissions? + end + + def update? + edit_permissions? + end + + private + + def user + record.user + end + + def application + record.application + end +end diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb index 3ee250769..d3e32b6bd 100644 --- a/app/views/account/applications/index.html.erb +++ b/app/views/account/applications/index.html.erb @@ -38,20 +38,20 @@
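Review bot: `remove_signin_permission?` — and through it `edit_permissions?`, `edit?`, `update?`, `delete?` and `destroy?` — never checks that `current_user` is allowed to manage the target `user`; only `index?` and `view_permissions?` include `Pundit.policy(current_user, user).edit?`. Because `Users::PermissionsController` and `Users::SigninPermissionsController` authorize only against the permission record, a publishing manager with signin access to a delegatable application can change that application's permissions for, or remove access from, any user in the system by URL, regardless of what `UserPolicy#edit?` would restrict them to. Gate the write predicates the way the read one is gated by adding the conjunct at the top of `remove_signin_permission?`: `Pundit.policy(current_user, user).edit? && user.has_access_to?(application) && (...)`. The account-side counterpart in this diff already does this through `show?`.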
+ <%= f.label :organisation_id, "Organisation" %>
+ <%= f.select :organisation_id, organisation_options(f), organisation_select_options, { class: "chosen-select form-control", 'data-module' => 'chosen' } %>
+
Name | +Description | +Permissions | +Remove access | +
---|---|---|---|
<%= application.name %> | +<%= application.description %> | ++ <% if policy(@user.signin_permission_for(application)).edit_permissions? %> + <% unless application.sorted_supported_permissions_grantable_from_ui(include_signin: false).empty? %> + <%= link_to edit_user_application_permissions_path(@user, application), class: "govuk-link" do %> + Update permissions for <%= application.name %> + <% end %> + <% end %> + <% elsif policy(@user.signin_permission_for(application)).view_permissions? %> + <%= link_to user_application_permissions_path(@user, application), class: "govuk-link" do %> + View permissions for <%= application.name %> + <% end %> + <% end %> + | ++ <% if policy(@user.signin_permission_for(application)).delete? %> + <%= link_to delete_user_application_signin_permission_path(@user, application), + class: "govuk-button govuk-button--warning govuk-!-margin-0", + data: { module: "govuk-button" } do %> + Remove access to <%= application.name %> + <% end %> + <% end %> + | +
Name | +Description | +Grant access | +
---|---|---|
<%= application.name %> | +<%= application.description %> | ++ <% if policy(SigninPermission).create? %> + <%= button_to user_application_signin_permission_path(@user, application), + class: "govuk-button govuk-!-margin-0", + data: { module: "govuk-button" } do %> + Grant access to <%= application.name %> + <% end %> + <% end %> + | +
Name | +Has this permission? | +
---|---|
<%= permission.name %> | ++ <% if @user.has_permission?(permission) %> + + Yes + + <% else %> + + No + + <% end %> + | +
Are you sure you want to remove <%= @user.name %>'s access to <%= @application.name %>?
+ +<%= form_with url: user_application_signin_permission_path(@user, @application), method: :delete do |form| %> + +<% end %> diff --git a/config/routes.rb b/config/routes.rb index 29dc4a80b..578fa0825 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -50,6 +50,12 @@ end resource :role, only: %i[edit update], controller: "users/roles" resource :organisation, only: %i[edit update], controller: "users/organisations" + resources :applications, only: %i[index], controller: "users/applications" do + resource :permissions, only: %i[show edit update], controller: "users/permissions" + resource :signin_permission, only: %i[create destroy], controller: "users/signin_permissions" do + get :delete + end + end end get "user", to: "oauth_users#show" diff --git a/test/controllers/users/applications_controller_test.rb b/test/controllers/users/applications_controller_test.rb new file mode 100644 index 000000000..99230017e --- /dev/null +++ b/test/controllers/users/applications_controller_test.rb 
@@ -0,0 +1,148 @@ +require "test_helper" + +class Users::ApplicationsControllerTest < ActionController::TestCase + context "#index" do + context "logged in as a GOV.UK admin" do + setup do + @user = create(:admin_user) + @target_user = create(:user) + end + + should "display the button to grant access to an application" do + application = create(:application, name: "app-name") + sign_in @user + + get :index, params: { user_id: @target_user } + + assert_select "tr td", text: "app-name" + assert_select "form[action='#{account_application_signin_permission_path(application)}']" + end + + should "display the button to remove access to an application" do + application = create(:application, name: "app-name") + @user.grant_application_signin_permission(application) + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']" + end + + should "display a link to update permissions when the application has more than just a signin permission" do + application = create(:application, name: "app-name", with_supported_permissions: %w[permission]) + @user.grant_application_signin_permission(application) + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{edit_account_application_permissions_path(application)}']" + end + + should "not display a link to update permissions when the application has just a signin permission" do + application = create(:application, name: "app-name") + @user.grant_application_signin_permission(application) + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{edit_account_application_permissions_path(application)}']", count: 0 + end + + should "not display a retired application" do + create(:application, name: "retired-app-name", retired: true) + sign_in @user + + get :index + + assert_select "tr td", text: "retired-app-name", count: 0 + end + + 
should "not display an API-only application" do + create(:application, name: "api-only-app-name", api_only: true) + sign_in @user + + get :index + + assert_select "tr td", text: "api-only-app-name", count: 0 + end + end + + context "logged in as a publishing manager" do + setup do + @application = create(:application, name: "app-name") + @user = create(:organisation_admin_user) + end + + should "not display the button to grant access to an application" do + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "form[action='#{account_application_signin_permission_path(@application)}']", count: 0 + end + + context "when the user has signin permissions for the application" do + setup do + @user.grant_application_signin_permission(@application) + end + + should "display the button to remove access to an application" do + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{delete_account_application_signin_permission_path(@application)}']" + end + + should "display a link to update permissions when the application has more than just a signin permission" do + create(:supported_permission, application: @application, name: "permission") + + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{edit_account_application_permissions_path(@application)}']" + end + + should "not display a link to update permissions when the application has just a signin permission" do + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{edit_account_application_permissions_path(@application)}']", count: 0 + end + + context "when the application does not have a delegatable signin permission" do + setup do + @application.signin_permission.update!(delegatable: false) + end + + should "not display the button to remove access to an application" do + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + 
assert_select "a[href='#{delete_account_application_signin_permission_path(@application)}']", count: 0 + end + + should "display a link to view permissions" do + sign_in @user + + get :index + + assert_select "tr td", text: "app-name" + assert_select "a[href='#{account_application_permissions_path(@application)}']" + end + end + end + end + end +end diff --git a/test/policies/account/application_policy_test.rb b/test/policies/account/application_policy_test.rb index 78e0e3c76..b77c14090 100644 --- a/test/policies/account/application_policy_test.rb +++ b/test/policies/account/application_policy_test.rb 
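Review bot: Apart from the first `should`, every test here calls `get :index` with no `user_id` param and asserts `account_application_*_path` hrefs, which look carried over from the account controller test; `load_user` runs `User.find(params[:user_id])`, so these requests raise `ActiveRecord::RecordNotFound` before any assertion, and even with the param the expected routes are the account ones rather than `user_application_*_path(@target_user, ...)`. Each test should grant access to `@target_user` rather than `@user`, call `get :index, params: { user_id: @target_user }`, and assert e.g. `assert_select "a[href='#{delete_user_application_signin_permission_path(@target_user, application)}']"`. There is also no test for a publishing manager requesting a user they are not allowed to edit, which is the case where the page-level `authorize @user` matters.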
@@ -55,216 +55,4 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase end end end - - context "#grant_signin_permission?" do - %i[superadmin admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be permitted" do - assert permit?(@current_user, nil, :grant_signin_permission) - end - end - end - - %i[super_organisation_admin organisation_admin normal].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be forbidden" do - assert forbid?(@current_user, nil, :grant_signin_permission) - end - end - end - end - - context "#remove_signin_permission?" do - %i[superadmin admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = create(:"#{user_role}_user") - @application = create(:application) - end - - context "when the user has signin permission for the app" do - setup do - @current_user.grant_application_signin_permission(@application) - end - - should "be permitted" do - assert permit?(@current_user, @application, :remove_signin_permission) - end - end - - context "when the user does not have the signin permission for the app" do - should "be forbidden" do - assert forbid?(@current_user, @application, :remove_signin_permission) - end - end - end - end - - %i[super_organisation_admin organisation_admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = create(:"#{user_role}_user") - @application = create(:application) - end - - context "when the user has signin permission for the app" do - setup do - @current_user.grant_application_signin_permission(@application) - end - - context "and the application has delegatable permissions" do - setup do - @application.signin_permission.update!(delegatable: true) - end - - should "be permitted" do - assert permit?(@current_user, @application, :remove_signin_permission) - end - end - - 
context "and the application does not have delegatable permissions" do - setup do - @application.signin_permission.update!(delegatable: false) - end - - should "not be permitted" do - assert forbid?(@current_user, @application, :remove_signin_permission) - end - end - end - - context "when the user does not have the signin permission for the app" do - should "be forbidden" do - assert forbid?(@current_user, @application, :remove_signin_permission) - end - end - end - end - - %i[normal].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be forbidden" do - assert forbid?(@current_user, nil, :remove_signin_permission) - end - end - end - end - - context "#view_permissions?" do - %i[superadmin admin super_organisation_admin organisation_admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be permitted" do - assert permit?(@current_user, nil, :view_permissions) - end - end - end - - %i[normal].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be forbidden" do - assert forbid?(@current_user, nil, :view_permissions) - end - end - end - end - - context "#edit_permissions?" 
do - %i[superadmin admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = create(:"#{user_role}_user") - @application = create(:application) - end - - context "when the user has signin permission for the app" do - setup do - @current_user.grant_application_signin_permission(@application) - end - - should "be permitted" do - assert permit?(@current_user, @application, :edit_permissions) - end - end - - context "when the user does not have the signin permission for the app" do - should "be forbidden" do - assert forbid?(@current_user, @application, :edit_permissions) - end - end - end - end - - %i[super_organisation_admin organisation_admin].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = create(:"#{user_role}_user") - @application = create(:application) - end - - context "when the user has signin permission for the app" do - setup do - @current_user.grant_application_signin_permission(@application) - end - - context "and the application has delegatable permissions" do - setup do - @application.signin_permission.update!(delegatable: true) - end - - should "be permitted" do - assert permit?(@current_user, @application, :edit_permissions) - end - end - - context "and the application does not have delegatable permissions" do - setup do - @application.signin_permission.update!(delegatable: false) - end - - should "not be permitted" do - assert forbid?(@current_user, @application, :edit_permissions) - end - end - end - - context "when the user does not have the signin permission for the app" do - should "be forbidden" do - assert forbid?(@current_user, @application, :edit_permissions) - end - end - end - end - - %i[normal].each do |user_role| - context "for #{user_role} users" do - setup do - @current_user = build(:"#{user_role}_user") - end - - should "be forbidden" do - assert forbid?(@current_user, nil, :edit_permissions) - end - end - end - end end 
diff --git a/test/policies/account/user_application_permission_policy_test.rb b/test/policies/account/user_application_permission_policy_test.rb new file mode 100644 index 000000000..1a5a4371e --- /dev/null +++ b/test/policies/account/user_application_permission_policy_test.rb 
@@ -0,0 +1,91 @@ +require "test_helper" +require "support/policy_helpers" + +class Account::UserApplicationPermissionPolicyTest < ActiveSupport::TestCase + include PolicyHelpers + + context "#show?" do + setup do + @current_user = create(:user) + target_user = create(:user) + @user_application_permission = create(:user_application_permission, user: target_user) + + @policy = stub(:policy) + Pundit.stubs(:policy).with(target_user).returns(@policy) + end + + should "return true if the current user can edit the target user" do + @policy.stubs(:edit?).returns(true) + + assert permit?(@current_user, @user_application_permission, :show) + end + + should "return false if the current user cannot edit the target user" do + @policy.stubs(:edit?).returns(false) + + assert forbid?(@current_user, @user_application_permission, :show) + end + end + + [:edit, :delete].each do |method| + context method do + setup do + @target_user = create(:user) + end + + context "when the current user cannot edit the target user" do + setup do + policy = stub(:policy, edit?: false) + Pundit.stubs(:policy).with(@target_user).returns(policy) + end + + should "return false" do + current_user = create(:user) + user_application_permission = create(:user_application_permission, user: @target_user) + + assert forbid?(current_user, user_application_permission, method) + end + end + + context "when the current user can edit the target user" do + setup do + policy = stub(:policy, edit?: true) + Pundit.stubs(:policy).with(@target_user).returns(policy) + end + + should "return true the current user is a govuk admin" do + current_user = create(:superadmin_user) + user_application_permission = create(:user_application_permission, user: @target_user) + + assert permit?(current_user, user_application_permission, method) + end + + should "return false if the current user does not have access to the application" do + current_user = create(:super_organisation_admin_user) + user_application_permission = 
create(:user_application_permission, user: @target_user) + + assert forbid?(current_user, user_application_permission, method) + end + + should "return false if the current user has access to the application but the application does not have delegatable permissions" do + current_user = create(:super_organisation_admin_user) + application = create(:application) + application.signin_permission.update(delegatable: false) + user_application_permission = create(:user_application_permission, user: @target_user, application: ) + current_user.grant_application_signin_permission(application) + + assert forbid?(current_user, user_application_permission, method) + end + + should "return true if the current user has access to the application and the application has delegatable permissions" do + current_user = create(:super_organisation_admin_user) + application = create(:application) + user_application_permission = create(:user_application_permission, user: @target_user, application: ) + current_user.grant_application_signin_permission(application) + + assert permit?(current_user, user_application_permission, method) + end + end + end + end +end diff --git a/test/policies/signin_permission_policy_test.rb b/test/policies/signin_permission_policy_test.rb new file mode 100644 index 000000000..9679705ad --- /dev/null +++ b/test/policies/signin_permission_policy_test.rb 
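Review bot: `Pundit.stubs(:policy).with(target_user)` stubs a one-argument call, but `Account::UserApplicationPermissionPolicy#show?` invokes `Pundit.policy(current_user, user)` with two arguments; with Mocha that invocation does not match the stub, so unless the test helper does something unusual these tests either fail with an unexpected-invocation error or never exercise the stubbed branch — match both arguments, e.g. `Pundit.stubs(:policy).with(anything, target_user).returns(@policy)` (and likewise in the `[:edit, :delete]` contexts). The non-delegatable setup uses `update` rather than `update!`, so a validation failure would silently leave the permission delegatable and the forbid assertion would fail for the wrong reason; the deleted tests used `update!`. The `:delete` half of the loop also runs against a policy that only defines `show?` and `edit?`, so it relies on `BasePolicy` providing `delete?` — worth confirming.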
@@ -0,0 +1,32 @@ +require "test_helper" +require "support/policy_helpers" + +class SigninPermissionPolicyTest < ActiveSupport::TestCase + include PolicyHelpers + + context "#create?" do + %i[superadmin admin].each do |user_role| + context "for #{user_role} users" do + setup do + @current_user = build(:"#{user_role}_user") + end + + should "be permitted" do + assert permit?(@current_user, nil, :create) + end + end + end + + %i[super_organisation_admin organisation_admin normal].each do |user_role| + context "for #{user_role} users" do + setup do + @current_user = build(:"#{user_role}_user") + end + + should "be forbidden" do + assert forbid?(@current_user, nil, :create) + end + end + end + end +end
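Review bot: Only `create?` is covered; `delete?`, which decides whether a user may remove their own signin access in the account context, has no test, and its delegation through the `SigninPermission` wrapper's `user_application_permission` reader to `Pundit.policy(current_user, [:account, user_application_permission]).edit?` is exactly the wiring a test would catch. Add a `context "#delete?"` that builds `SigninPermission.new(create(:user_application_permission, user: @current_user))` and asserts `permit?`/`forbid?` against a stubbed `Account::UserApplicationPermissionPolicy#edit?`, including the nil-permission case.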