From 8763a4d926bc63828e38439fb113e9170f7e4452 Mon Sep 17 00:00:00 2001
From: Kat
Date: Tue, 27 Jun 2023 15:23:04 +0100
Subject: [PATCH] Authorise add managing agent/stock owner pages

---
 .../organisation_relationships_controller.rb | 2 ++
 .../organisation_relationship_policy.rb | 8 ++++++
 ...anisation_relationships_controller_spec.rb | 28 ++++++++++++-------
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/app/controllers/organisation_relationships_controller.rb b/app/controllers/organisation_relationships_controller.rb
index 443d4a505..0ac66bd31 100644
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@@ -33,10 +33,12 @@ class OrganisationRelationshipsController < ApplicationController
 
 def add_stock_owner
 @organisation_relationship = organisation.parent_organisation_relationships.new
+ authorize @organisation_relationship
 end
 
 def add_managing_agent
 @organisation_relationship = organisation.child_organisation_relationships.new
+ authorize @organisation_relationship
 end
 
 def create_stock_owner
diff --git a/app/policies/organisation_relationship_policy.rb b/app/policies/organisation_relationship_policy.rb
index 4ed5b7222..5f25ea6c8 100644
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@@ -6,6 +6,10 @@ class OrganisationRelationshipPolicy
 @organisation_relationship = organisation_relationship
 end
 
+ def add_stock_owner?
+ return true unless user.data_provider?
+ end
+
 def create_stock_owner?
 return true unless user.data_provider?
 end
@@ -14,6 +18,10 @@ class OrganisationRelationshipPolicy
 return true unless user.data_provider?
 end
 
+ def add_managing_agent?
+ return true unless user.data_provider?
+ end
+
 def create_managing_agent?
 return true unless user.data_provider?
 end
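Review bot: The `authorize @organisation_relationship` added to `add_stock_owner` and `add_managing_agent` enforces only a role check, because `OrganisationRelationshipPolicy` (in this same patch) never reads the record it is handed; whether the current user may act on `organisation` at all therefore rests on how the `organisation` helper is scoped, which this hunk does not show (the spec's "not in scope for the user" context suggests a separate check exists, but that is inferred). A one-line comment above each `authorize` would make that split visible to the next reader, e.g. `# Pundit role check only; scoping of organisation to the current user happens before this action`, worded to match wherever that scoping actually lives. The hunk's last context line is `def create_stock_owner`; its body, and any `after_action :verify_authorized` that would catch a future action without an `authorize`, lie outside this hunk.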
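Review bot: `return true unless user.data_provider?` in the new `add_stock_owner?` returns `nil` rather than `false` for a data provider; Pundit treats `nil` as denied, so the check works, but a caller that tests `== false` or logs the result gets a surprise, and the guard-clause form obscures a single-expression predicate. `!user.data_provider?` expresses the same rule with a real boolean and reads like the `?` name promises. It is also identical to `create_stock_owner?` directly below, so once written as an expression the pair could be collapsed with `alias_method :add_stock_owner?, :create_stock_owner?` placed after the definition — the pre-existing predicates keep the guard form, though, so harmonising them is a separate cleanup.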
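Review bot: The deny decision in the new `add_managing_agent?` is purely role-based (`user.data_provider?`); `@organisation_relationship`, assigned in the initializer at the top of this file, is never consulted, so any non-data-provider passes for whatever organisation the controller hands in. If that is deliberate because organisation scoping is enforced elsewhere, a class-level comment should say so; if not, this predicate is where the relationship's parent/child organisation should be compared with the user's organisation (the attribute names are not visible here, so that change is not spelled out). Suggested comment above the class's predicates: `# Role-based only: this policy does not check that user belongs to either organisation on the relationship`.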
diff --git a/spec/requests/organisation_relationships_controller_spec.rb b/spec/requests/organisation_relationships_controller_spec.rb
index a5e5f8a08..c9865f624 100644
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
@@ -296,6 +296,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
 end
 end
 
+ context "when directly accessing the page to add a stock owner" do
+ let(:request) { get "/organisations/#{organisation.id}/stock-owners/add", headers: }
+
+ it "returns 401 from users page" do
+ request
+ expect(response).to have_http_status(:unauthorized)
+ end
+ end
+
 context "when directly adding a stock owner" do
 let!(:stock_owner) { FactoryBot.create(:organisation) }
 let(:params) do
@@ -331,6 +340,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
 end
 end
 
+ context "when directly accessing the page to add a managing agent" do
+ let(:request) { get "/organisations/#{organisation.id}/managing-agents/add", headers: }
+
+ it "returns 401 from users page" do
+ request
+ expect(response).to have_http_status(:unauthorized)
+ end
+ end
+
 context "when directly adding a managing agent" do
 let!(:managing_agent) { FactoryBot.create(:organisation) }
 let(:params) do
@@ -403,16 +421,6 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
 end
 end
 
- context "when adding a managing agent" do
- before do
- get "/organisations/#{organisation.id}/managing-agents/add", headers:, params: {}
- end
-
- it "has the correct header" do
- expect(response.body).to include("What is the name of your managing agent?")
- end
- end
-
 context "with an organisation that are not in scope for the user, i.e. that they do not belong to" do
 before do
 get "/organisations/#{unauthorised_organisation.id}/managing-agents", headers:, params: {}
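Review bot: The example description `it "returns 401 from users page"` in the new stock-owner context names the wrong page — it reads as copied from a users spec — and the example asserts `:unauthorized` for a logged-in user who merely lacks the role, which is semantically a 403. If `:unauthorized` is the app-wide status for `Pundit::NotAuthorizedError` then keep the status, but rename the example to what it checks, e.g. `it "returns 401 for the add stock owner page" do`. The `context` that fixes which user role these examples run as begins before line 296, outside this hunk, so the data-provider role is inferred only from the expected status.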
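Review bot: The same copied description appears in the managing-agent context; `it "returns 401 from users page"` should read `it "returns 401 for the add managing agent page" do`, and since the two new contexts differ only in the request path they are a natural candidate for a `shared_examples` block that takes the path. Further down the file the patch also removes the only example that loaded `/managing-agents/add` and asserted the page heading for a permitted user, and nothing in this patch replaces it, so the success path of the two newly authorised actions appears untested after this commit. A heading assertion under a coordinator- or support-user context (whichever roles the spec file already sets up; those contexts are outside this hunk) would restore that coverage.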