[Auditor] Disable edit security UI (Part 2) (#11900)

Luke-Oldenburg · github-actions[bot] · web-flow · commit 3d79791241c2 · 2025-11-03T19:10:29.000Z
## Summary of the problem
&lt;!-- Why are these changes being made? What problem does it solve? Link
any related issues to provide more details. --&gt;
Buttons and form elements weren't disabled for auditors.


## Describe your changes
&lt;!-- Explain your thought process to the solution and provide a quick
summary of the changes. --&gt;



&lt;!-- If there are any visual changes, please attach images, videos, or
gifs. --&gt;

---------

Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/app/views/users/_oauth_authorization.erb b/app/views/users/_oauth_authorization.erb
@@ -3,7 +3,7 @@
     <span class="bold flex items-center">
       <span><%= authorization.application.name %></span> <span class="badge bg-info ml1">App</span>
     </span>
-    <%= link_to revoke_oauth_application_users_path(authorization.application.id), method: :delete, class: "muted tooltipped tooltipped--w z5", 'aria-label': "Sign out of this app" do %>
+    <%= link_to revoke_oauth_application_users_path(authorization.application.id), method: :delete, class: "muted tooltipped tooltipped--w z5", 'aria-label': "Sign out of this app", disabled: do %>
       <%= inline_icon "door-leave", size: home_action_size %>
     <% end %>
   </span>
@@ -37,7 +37,8 @@
             <td>
               <% if token.expires_in %>
                 <%= link_to make_authorization_eternal_users_path(id: token.id), method: :post,
-                            class: "btn bg-success py1 px2 h4" do %>
+                            class: "btn bg-success py1 px2 h4",
+                            disabled: !policy(token).make_eternal? do %>
                   <%= inline_icon "clock", size: home_action_size %>
                   Make eternal
                 <% end %>
diff --git a/app/views/users/edit_security.html.erb b/app/views/users/edit_security.html.erb
@@ -166,7 +166,7 @@
         <% if session.is_a? UserSession %>
           <%= render "user_session", session: %>
         <% elsif session.respond_to? :authorization_count %>
-          <%= render "oauth_authorization", authorization: session %>
+          <%= render "oauth_authorization", authorization: session, disabled: %>
         <% end %>
       <% end %>
     </div>
@@ -181,7 +181,7 @@
           <% if session.is_a? UserSession %>
             <%= render "user_session", session: %>
           <% elsif session.respond_to? :authorization_count %>
-            <%= render "oauth_authorization", authorization: session %>
+            <%= render "oauth_authorization", authorization: session, disabled: %>
           <% end %>
         <% end %>
       </div>
diff --git a/app/views/webauthn_credentials/_webauthn_credential.html.erb b/app/views/webauthn_credentials/_webauthn_credential.html.erb
@@ -13,7 +13,12 @@
         <span class="secondary">No name</span>
       <% end %>
     </span>
-    <%= link_to user_webauthn_credential_path(webauthn_credential.user, webauthn_credential), method: :delete, class: "muted tooltipped tooltipped--w z5", 'aria-label': "Delete this security key" do %>
+    <%= link_to user_webauthn_credential_path(webauthn_credential.user, webauthn_credential),
+      method: :delete,
+      class: "muted tooltipped tooltipped--w z5",
+      'aria-label': "Delete this security key",
+      disabled: !policy(webauthn_credential).destroy? do %>
+
       <%= inline_icon "delete", size: home_action_size %>
     <% end %>
   </span>
