diff --git a/app/views/account/applications/index.html.erb b/app/views/account/applications/index.html.erb
index 754eeb3042..a3530ab6ea 100644
--- a/app/views/account/applications/index.html.erb
+++ b/app/views/account/applications/index.html.erb
@@ -36,10 +36,12 @@
 <% end %>
- <%= link_to delete_account_application_signin_permission_path(application),
- class: "govuk-button govuk-button--warning govuk-!-margin-0",
- data: { module: "govuk-button" } do %>
- Remove access to <%= application.name %>
+ <% if policy([:account, application]).remove_signin_permission? %>
+ <%= link_to delete_account_application_signin_permission_path(application),
+ class: "govuk-button govuk-button--warning govuk-!-margin-0",
+ data: { module: "govuk-button" } do %>
+ Remove access to <%= application.name %>
+ <% end %>
 <% end %>
diff --git a/test/controllers/account/applications_controller_test.rb b/test/controllers/account/applications_controller_test.rb
index be82c30c96..8833a3ec50 100644
--- a/test/controllers/account/applications_controller_test.rb
+++ b/test/controllers/account/applications_controller_test.rb
@@ -34,6 +34,19 @@ class Account::ApplicationsControllerTest < ActionController::TestCase
 assert_select "tr td", text: "app-name"
 assert_select "form[action='#{account_application_signin_permission_path(application)}']", count: 0
 end
+
+ should "not display the button to remove access to an application" do
+ application = create(:application, name: "app-name")
+ application.signin_permission.update!(delegatable: false)
+ user = create(:organisation_admin_user, with_signin_permissions_for: [application])
+
+ sign_in user
+
+ get :index
+
+ assert_select "tr td", text: "app-name"
+ assert_select "a[href='#{delete_account_application_signin_permission_path(application)}']", count: 0
+ end
 end
 end
 end
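Review bot: The `policy([:account, application]).remove_signin_permission?` check added around the `link_to` only hides the link, so a signed-in user can still request `delete_account_application_signin_permission_path` directly unless the controller enforces the same policy. The controller is not part of this diff, so please confirm that the delete action and the destroy it leads to both call something like `authorize [:account, application], :remove_signin_permission?`. If they already do, a one-line ERB comment above the `if`, such as `<%# display only; the controller enforces remove_signin_permission? %>`, would record that the view check is not the access control.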
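Review bot: The added `assert_select "a[href='...']", count: 0` passes vacuously if the selector ever stops matching what the view renders, so on its own it does not show that the policy check is what hides the link. Unless a sibling test outside this hunk already covers it, pair it with a case where the policy allows removal (presumably a delegatable signin permission) and assert `count: 1` on the same selector. The description would also be clearer if it named the condition, e.g. `should "not display the button to remove access when the signin permission is not delegatable" do`. The enclosing context blocks start outside the hunk.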