diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
index 754eeb3042..a3530ab6ea 100644
--- a/app/views/account/applications/index.html.erb
+++ b/app/views/account/applications/index.html.erb
@@ -36,10 +36,12 @@
<% end %>
- <%= link_to delete_account_application_signin_permission_path(application),
- class: "govuk-button govuk-button--warning govuk-!-margin-0",
- data: { module: "govuk-button" } do %>
- Remove access to <%= application.name %>
+ <% if policy([:account, application]).remove_signin_permission? %>
+ <%= link_to delete_account_application_signin_permission_path(application),
+ class: "govuk-button govuk-button--warning govuk-!-margin-0",
+ data: { module: "govuk-button" } do %>
+ Remove access to <%= application.name %>
+ <% end %>
<% end %>
|
diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
index be82c30c96..8833a3ec50 100644
--- a/test/controllers/account/applications_controller_test.rb
+++ b/test/controllers/account/applications_controller_test.rb
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
assert_select "tr td", text: "app-name"
assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
end
+
+ should "not display the button to remove access to an application" do
+ application = create(:application, name: "app-name")
+ application.signin_permission.update!(delegatable: false)
+ user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+ sign_in user
+
+ get :index
+
+ assert_select "tr td", text: "app-name"
+ assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+ end
end
end
end