From 8acf20b2c0f5aa64f707afe45e49fd041a0e6a64 Mon Sep 17 00:00:00 2001
From: Chris Roos <chris@seagul.co.uk>
Date: Thu, 21 Sep 2023 12:52:57 +0100
Subject: [PATCH] Don't display "Grant access" to Publishing Managers

Publishing Managers aren't allowed to grant themselves access to
applications so we shouldn't show them this button.
---
 app/views/account/applications/index.html.erb      | 10 ++++++----
 .../account/applications_controller_test.rb        | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
index 5c1ec65244..a810e9cfb3 100644
--- a/app/views/account/applications/index.html.erb
+++ b/app/views/account/applications/index.html.erb
@@ -63,10 +63,12 @@
         <td class="govuk-table__cell"><%= application.name %></td>
         <td class="govuk-table__cell"><%= application.description %></td>
         <td class="govuk-table__cell govuk-table__cell--numeric">
-          <%= button_to account_application_signin_permission_path(application),
-                        class: "govuk-button govuk-!-margin-0",
-                        data: { module: "govuk-button" } do %>
-              Grant access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+          <% if policy(:account_applications).grant_signin_permission? %>
+            <%= button_to account_application_signin_permission_path(application),
+                          class: "govuk-button govuk-!-margin-0",
+                          data: { module: "govuk-button" } do %>
+                Grant access<span class="govuk-visually-hidden"> to <%= application.name %></span>
+            <% end %>
           <% end %>
         </td>
       </tr>
diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
index f6d27d77f7..be82c30c96 100644
--- a/test/controllers/account/applications_controller_test.rb
+++ b/test/controllers/account/applications_controller_test.rb
@@ -22,4 +22,18 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
       assert_redirected_to "/account/applications"
     end
   end
+
+  context "#index" do
+    context "logged in as a publishing manager" do
+      should "not display the button to grant access to an application" do
+        application = create(:application, name: "app-name")
+        sign_in create(:organisation_admin_user)
+
+        get :index
+
+        assert_select "tr td", text: "app-name"
+        assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
+      end
+    end
+  end
 end