Manage team, now has a view only version of the page which requires no permissions.

app/main/views/manage_users.py

@@ -24,7 +24,6 @@ from app.utils import user_has_permissions
 
 @main.route("/services/<service_id>/users")
 @login_required
-@user_has_permissions('manage_users', 'manage_templates', 'manage_settings')
 def manage_users(service_id):
     users = user_api_client.get_users_for_service(service_id=service_id)
     invited_users = invite_api_client.get_invites_for_service(service_id=service_id)

app/templates/main_nav.html

@@ -18,6 +18,10 @@
     <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">Manage team</a></li>
     <li><a href="{{ url_for('.service_settings', service_id=service_id) }}">Manage settings</a></li>
   </ul>
+  {% else %}
+  <ul>
+    <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">Team members</a></li>
+  </ul>
   {% endif %}
   {% if current_user.has_permissions(['manage_api_keys', 'access_developer_docs']) %}
   <ul>

app/templates/views/manage-users.html

@@ -19,12 +19,18 @@ Manage users – GOV.UK Notify
   <div class="grid-row">
     <div class="column-two-thirds">
       <h1 class="heading-large">
-        Manage team
+        {% if current_user.has_permissions(['manage_users']) %}
+          Manage team
+        {% else %}
+          Team members
+        {% endif %}
       </h1>
     </div>
-    <div class="column-one-third">
+    {% if current_user.has_permissions(['manage_users']) %}
-      <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
+      <div class="column-one-third">
-    </div>
+        <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
+      </div>
+    {% endif %}
   </div>
 
   {% call(item) list_table(
@@ -37,8 +43,10 @@ Manage users – GOV.UK Notify
     {{ boolean_field(item.has_permissions(['manage_users', 'manage_templates', 'manage_settings'], service_id=service_id)) }}
     {{ boolean_field(item.has_permissions(['manage_api_keys', 'access_developer_docs'], service_id=service_id)) }}
     {% call field(align='right') %}
-      {% if current_user.id != item.id %}
+      {% if current_user.has_permissions(['manage_users']) %}
-        <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+        {% if current_user.id != item.id %}
+          <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+        {% endif %}
       {% endif %}
     {% endcall %}
   {% endcall %}

tests/app/main/views/test_dashboard.py

@@ -58,7 +58,7 @@ def test_menu_send_messages(mocker, app_, api_user_active, service_one, mock_get
             service_id=service_one['id'],
             template_type='sms')in page
 
-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
         assert url_for('main.service_settings', service_id=service_one['id']) not in page
 
         assert url_for('main.api_keys', service_id=service_one['id']) not in page
@@ -106,7 +106,7 @@ def test_menu_manage_api_keys(mocker, app_, api_user_active, service_one, mock_g
             service_id=service_one['id'],
             template_type='sms') in page
 
-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
         assert url_for('main.service_settings', service_id=service_one['id']) not in page
 
         assert url_for('main.api_keys', service_id=service_one['id']) in page

tests/app/main/views/test_manage_users.py

@@ -280,3 +280,21 @@ def test_user_cant_invite_themselves(
         assert page.h1.string.strip() == 'Invite a team member'
         form_error = page.find('span', class_='error-message').string.strip()
         assert form_error == "You can't send an invitation to yourself"
+
+
+def test_no_permission_manage_users_page(app_,
+                                         service_one,
+                                         api_user_active,
+                                         mock_login,
+                                         mock_get_user,
+                                         mock_get_service,
+                                         mock_get_users_by_service,
+                                         mock_get_invites_for_service):
+    with app_.test_request_context():
+        with app_.test_client() as client:
+            client.login(api_user_active)
+            response = client.get(url_for('main.manage_users', service_id=service_one['id']))
+            resp_text = response.get_data(as_text=True)
+            assert url_for('.invite_user', service_id=service_one['id']) not in resp_text
+            assert "Edit permission" not in resp_text
+            assert "Manage team" not in resp_text