Allow GOV.UK Admins to give themselves access to apps

This adds a "Grant access" button next to each app in the list of "Apps you don't have access to" on /account/applications. This page is currently only available to GOV.UK Admins and this functionality replicates what they're already able to do on their /users/<id>/edit page.
alphagov · Sep 19, 2023 · 29eabf9 · 29eabf9
1 parent 0dfda52
commit 29eabf9
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 2 deletions.
diff --git a/app/controllers/account/signin_permissions_controller.rb b/app/controllers/account/signin_permissions_controller.rb
@@ -0,0 +1,11 @@
+class Account::SigninPermissionsController < ApplicationController
+  before_action :authenticate_user!
+
+  def create
+    authorize :account_applications, :grant_signin_permission?
+
+    application = Doorkeeper::Application.find(params[:application_id])
+    current_user.grant_application_signin_permission(application)
+    redirect_to account_applications_path
+  end
+end
diff --git a/app/policies/account_applications_policy.rb b/app/policies/account_applications_policy.rb
@@ -2,4 +2,6 @@ class AccountApplicationsPolicy < BasePolicy
   def index?
     current_user.govuk_admin?
   end
+
+  alias_method :grant_signin_permission?, :index?
 end
diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
@@ -39,14 +39,22 @@
   <thead class="govuk-table__head">
     <tr class="govuk-table__row">
       <th scope="col" class="govuk-table__header govuk-!-width-one-quarter">Name</th>
-      <th scope="col" class="govuk-table__header govuk-!-width-three-quarters">Description</th>
+      <th scope="col" class="govuk-table__header govuk-!-width-two-quarters">Description</th>
+      <th scope="col" class="govuk-table__header govuk-!-width-one-quarter"></th>
     </tr>
   </thead>
   <tbody class="govuk-table__body">
     <% @applications_without_signin.each do |application| %>
       <tr class="govuk-table__row">
         <td class="govuk-table__cell"><%= application.name %></td>
         <td class="govuk-table__cell"><%= application.description %></td>
+        <td class="govuk-table__cell">
+          <%= button_to account_application_signin_permission_path(application),
+                        class: "govuk-button govuk-!-margin-0",
+                        data: { module: "govuk-button" } do %>
+              Grant access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+          <% end %>
+        </td>
       </tr>
     <% end %>
   </tbody>

diff --git a/config/routes.rb b/config/routes.rb
@@ -51,7 +51,9 @@
 
   resource :account, only: [:show]
   namespace :account do
-    resources :applications, only: [:index]
+    resources :applications, only: [:index] do
+      resource :signin_permission, only: [:create]
+    end
   end
 
   resources :batch_invitations, only: %i[new create show] do

diff --git a/test/controllers/account/signin_permissions_controller_test.rb b/test/controllers/account/signin_permissions_controller_test.rb
@@ -0,0 +1,11 @@
+require "test_helper"
+
+class Account::SigninPermissionsControllerTest < ActionController::TestCase
+  should "prevent unauthenticated users from accessing create" do
+    application = create(:application, name: "app-name", description: "app-description")
+
+    post :create, params: { application_id: application.id }
+
+    assert_redirected_to "/users/sign_in"
+  end
+end
diff --git a/test/integration/account_applications_test.rb b/test/integration/account_applications_test.rb
@@ -60,4 +60,23 @@ class AccountApplicationsTest < ActionDispatch::IntegrationTest
       assert_not page.has_content?("retired-app-name")
     end
   end
+
+  context "granting access to apps" do
+    setup do
+      create(:application, name: "app-name", description: "app-description")
+      @user = FactoryBot.create(:admin_user)
+    end
+
+    should "allow admins to grant themselves access to apps" do
+      visit new_user_session_path
+      signin_with @user
+
+      visit account_applications_path
+
+      click_on "Grant access to app-name"
+
+      table = find("table caption[text()='Apps you have access to']").ancestor("table")
+      assert table.has_content?("app-name")
+    end
+  end
 end
diff --git a/test/policies/account_applications_policy_test.rb b/test/policies/account_applications_policy_test.rb
@@ -29,4 +29,30 @@ class AccountApplicationsPolicyTest < ActiveSupport::TestCase
       end
     end
   end
+
+  context "accessing grant_signin_permission?" do
+    %i[superadmin admin].each do |user_role|
+      context "for #{user_role} users" do
+        setup do
+          @current_user = FactoryBot.build(:"#{user_role}_user")
+        end
+
+        should "be permitted" do
+          assert permit?(@current_user, nil, :grant_signin_permission)
+        end
+      end
+    end
+
+    %i[super_organisation_admin organisation_admin normal].each do |user_role|
+      context "for #{user_role} users" do
+        setup do
+          @current_user = FactoryBot.build(:"#{user_role}_user")
+        end
+
+        should "be forbidden" do
+          assert forbid?(@current_user, nil, :grant_signin_permission)
+        end
+      end
+    end
+  end
 end