Do not allow removing managing agents as data providers and fix remove_stock_owner

3 years ago · 593527f0fa
3 changed files with 30 additions and 10 deletions
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@ -65,8 +65,8 @@ class OrganisationRelationshipsController < ApplicationController

  def remove_stock_owner
    organisation_relationship = OrganisationRelationship.find_by!(
-      parent_organisation: organisation,
-      child_organisation: @target_organisation,
+      parent_organisation: @target_organisation,
+      child_organisation: organisation,
    )
    authorize organisation_relationship
  end
@ -80,7 +80,13 @@ class OrganisationRelationshipsController < ApplicationController
    redirect_to stock_owners_organisation_path
  end

-  def remove_managing_agent; end
+  def remove_managing_agent
+    organisation_relationship = OrganisationRelationship.find_by!(
+      parent_organisation: organisation,
+      child_organisation: @target_organisation,
+    )
+    authorize organisation_relationship
+  end

  def delete_managing_agent
    OrganisationRelationship.find_by!(
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@ -17,4 +17,8 @@ class OrganisationRelationshipPolicy
  def create_managing_agent?
    return true unless user.data_provider?
  end
+
+  def remove_managing_agent?
+    return true unless user.data_provider?
+  end
 end
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
@ -318,21 +318,17 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
      end

      context "when directly removing a stock owner" do
-        let(:managing_agent) { FactoryBot.create(:organisation) }
-        let(:request) { get "/organisations/#{organisation.id}/stock-owners/remove?target_organisation_id=#{managing_agent.id}", headers: }
+        let(:stock_owner) { FactoryBot.create(:organisation) }
+        let(:request) { get "/organisations/#{organisation.id}/stock-owners/remove?target_organisation_id=#{stock_owner.id}", headers: }

        before do
-          FactoryBot.create(:organisation_relationship, parent_organisation: organisation, child_organisation: managing_agent)
+          FactoryBot.create(:organisation_relationship, parent_organisation: stock_owner, child_organisation: organisation)
        end

        it "returns 401 from users page" do
          request
          expect(response).to have_http_status(:unauthorized)
        end
-
-        it "does not remove the organisation relationship" do
-          expect { request }.not_to change(OrganisationRelationship, :count)
-        end
      end

      context "when directly adding a managing agent" do
@ -356,6 +352,20 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end

+      context "when directly removing a managing agent" do
+        let(:managing_agent) { FactoryBot.create(:organisation) }
+        let(:request) { get "/organisations/#{organisation.id}/managing-agents/remove?target_organisation_id=#{managing_agent.id}", headers: }
+
+        before do
+          FactoryBot.create(:organisation_relationship, parent_organisation: organisation, child_organisation: managing_agent)
+        end
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+
      context "when accessing the managing agents tab" do
        context "with an organisation that the user belongs to" do
          let!(:managing_agent) { FactoryBot.create(:organisation) }