

Allow Publishing Managers to use /account/applications
Publishing Managers can:

- View permissions for all applications they have access to
- Remove their access from applications with delegatable permissions

Publishing Managers cannot:

- Grant themselves access to applications
- Remove their access from applications that don't have delegatable
permissions
chrisroos committed Sep 28, 2023
1 parent b6c3b14 commit a6d89dd
Showing 2 changed files with 77 additions and 14 deletions.
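--- a/app/policies/account/application_policy.rb
+++ b/app/policies/account/application_policy.rb
@@ -1,10 +1,20 @@
 class Account::ApplicationPolicy < BasePolicy
 def index?
-current_user.govuk_admin?
+current_user.govuk_admin? || current_user.publishing_manager?
 end
 
 alias_method :show?, :index?
-alias_method :grant_signin_permission?, :index?
-alias_method :remove_signin_permission?, :index?
 alias_method :view_permissions?, :index?
+
+def grant_signin_permission?
+current_user.govuk_admin?
+end
+
+def remove_signin_permission?
+current_user.has_access_to?(record) &&
+(
+current_user.govuk_admin? ||
+current_user.publishing_manager? && record.signin_permission.delegatable?
+)
+end
 end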
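Review bot: `show?` and `view_permissions?` stay aliased to `index?`, which never consults `record`, so after this change a publishing manager passes both checks for every application, whereas the description limits them to applications the user has access to; unless the controller narrows the record set elsewhere, the per-record methods should carry the same ownership check that `remove_signin_permission?` does, e.g. a dedicated `show?` whose body is `current_user.govuk_admin? || (current_user.publishing_manager? && current_user.has_access_to?(record))` with `view_permissions?` aliased to it. In `remove_signin_permission?` the mixed `||`/`&&` relies on operator precedence; writing `(current_user.publishing_manager? && record.signin_permission.delegatable?)` makes the intended grouping explicit. `record.signin_permission.delegatable?` will also raise if an application has no signin permission, and I cannot tell from this hunk whether that is guaranteed.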
75 changes: 64 additions & 11 deletions test/policies/account/application_policy_test.rb
Expand Up @@ -5,7 +5,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
include PolicyHelpers

context "accessing index?" do
%i[superadmin admin].each do |user_role|
%i[superadmin admin super_organisation_admin organisation_admin].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = FactoryBot.build(:"#{user_role}_user")
Expand All @@ -17,7 +17,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
end
end

%i[super_organisation_admin organisation_admin normal].each do |user_role|
%i[normal].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = FactoryBot.build(:"#{user_role}_user")
Expand All @@ -31,7 +31,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
end

context "show?" do
%i[superadmin admin].each do |user_role|
%i[superadmin admin super_organisation_admin organisation_admin].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
Expand All @@ -43,7 +43,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
end
end

%i[super_organisation_admin organisation_admin normal].each do |user_role|
%i[normal].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
Expand Down Expand Up @@ -86,17 +86,70 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
%i[superadmin admin].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
@application = build(:application)
@current_user = create(:"#{user_role}_user")
@application = create(:application)
end

should "be permitted" do
assert permit?(@current_user, nil, :remove_signin_permission)
context "when the user has signin permission for the app" do
setup do
@current_user.grant_application_signin_permission(@application)
end

should "be permitted" do
assert permit?(@current_user, @application, :remove_signin_permission)
end
end

context "when the user does not have the signin permission for the app" do
should "be forbidden" do
assert forbid?(@current_user, @application, :remove_signin_permission)
end
end
end
end

%i[super_organisation_admin organisation_admin normal].each do |user_role|
%i[super_organisation_admin organisation_admin].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = create(:"#{user_role}_user")
@application = create(:application)
end

context "when the user has signin permission for the app" do
setup do
@current_user.grant_application_signin_permission(@application)
end

context "and the application has delegatable permissions" do
setup do
@application.signin_permission.update!(delegatable: true)
end

should "be permitted" do
assert permit?(@current_user, @application, :remove_signin_permission)
end
end

context "and the application does not have delegatable permissions" do
setup do
@application.signin_permission.update!(delegatable: false)
end

should "not be permitted" do
assert forbid?(@current_user, @application, :remove_signin_permission)
end
end
end

context "when the user does not have the signin permission for the app" do
should "be forbidden" do
assert forbid?(@current_user, @application, :remove_signin_permission)
end
end
end
end

%i[normal].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
Expand All @@ -110,7 +163,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
end

context "#view_permissions?" do
%i[superadmin admin].each do |user_role|
%i[superadmin admin super_organisation_admin organisation_admin].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
Expand All @@ -122,7 +175,7 @@ class Account::ApplicationPolicyTest < ActiveSupport::TestCase
end
end

%i[super_organisation_admin organisation_admin normal].each do |user_role|
%i[normal].each do |user_role|
context "for #{user_role} users" do
setup do
@current_user = build(:"#{user_role}_user")
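Review bot: The remove_signin_permission? tests for the admin and publishing-manager roles in the @@ -86,17 +86,70 @@ hunk now use a real application, but the `%i[normal]` block at the tail of that hunk still only builds the user and its assertion lies outside the hunk; if it still passes `nil` as the record, as the replaced line `assert permit?(@current_user, nil, :remove_signin_permission)` did, the forbid outcome depends on what `has_access_to?(nil)` returns rather than on the role. Giving that block `@application = create(:application)` and `@current_user.grant_application_signin_permission(@application)` in its setup would pin that a normal user is refused even when they have access. The visible hunks also show no change to any grant_signin_permission? tests; since that check has moved from an `index?` alias to a dedicated method, it is worth confirming those tests, if they live in the unchanged part of the file, assert that super_organisation_admin and organisation_admin users are forbidden.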
