Do not allow adding stock owners as data providers

3 years ago · 493ae7d7c2
3 changed files with 34 additions and 0 deletions
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@ -41,6 +41,7 @@ class OrganisationRelationshipsController < ApplicationController

  def create_stock_owner
    @organisation_relationship = organisation.parent_organisation_relationships.new(organisation_relationship_params)
+    authorize @organisation_relationship
    if @organisation_relationship.save(context: :stock_owner)
      flash[:notice] = "#{@organisation_relationship.parent_organisation.name} is now one of #{current_user.data_coordinator? ? 'your' : "this organisation's"} stock owners"
      redirect_to stock_owners_organisation_path
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@ -0,0 +1,12 @@
+class OrganisationRelationshipPolicy
+  attr_reader :user, :organisation_relationship
+
+  def initialize(user, organisation_relationship)
+    @user = user
+    @organisation_relationship = organisation_relationship
+  end
+
+  def create_stock_owner?
+    return true unless user.data_provider?
+  end
+end
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
@ -296,6 +296,27 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end

+      context "when directly adding a stock owner" do
+        let!(:stock_owner) { FactoryBot.create(:organisation) }
+        let(:params) do
+          {
+            "organisation_relationship": {
+              "parent_organisation_id": stock_owner.id,
+            },
+          }
+        end
+        let(:request) { post "/organisations/#{organisation.id}/stock-owners", headers:, params: }
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+
+        it "does not create a new organisation relationship" do
+          expect { request }.not_to change(OrganisationRelationship, :count)
+        end
+      end
+
      context "when accessing the managing agents tab" do
        context "with an organisation that the user belongs to" do
          let!(:managing_agent) { FactoryBot.create(:organisation) }