Authorise add managing agent/stock owner pages

3 years ago · 8763a4d926
3 changed files with 28 additions and 10 deletions
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@ -33,10 +33,12 @@ class OrganisationRelationshipsController < ApplicationController
  def add_stock_owner
    @organisation_relationship = organisation.parent_organisation_relationships.new
    authorize @organisation_relationship
  end
  def add_managing_agent
    @organisation_relationship = organisation.child_organisation_relationships.new
    authorize @organisation_relationship
  end
  def create_stock_owner
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@ -6,6 +6,10 @@ class OrganisationRelationshipPolicy
    @organisation_relationship = organisation_relationship
  end
  def add_stock_owner?
    return true unless user.data_provider?
  end
  def create_stock_owner?
    return true unless user.data_provider?
  end
@ -14,6 +18,10 @@ class OrganisationRelationshipPolicy
    return true unless user.data_provider?
  end
  def add_managing_agent?
    return true unless user.data_provider?
  end
  def create_managing_agent?
    return true unless user.data_provider?
  end
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
@ -296,6 +296,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end
      context "when directly accessing the page to add a stock owner" do
        let(:request) { get "/organisations/#{organisation.id}/stock-owners/add", headers: }
        it "returns 401 from users page" do
          request
          expect(response).to have_http_status(:unauthorized)
        end
      end
      context "when directly adding a stock owner" do
        let!(:stock_owner) { FactoryBot.create(:organisation) }
        let(:params) do
@ -331,6 +340,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end
      context "when directly accessing the page to add a managing agent" do
        let(:request) { get "/organisations/#{organisation.id}/managing-agents/add", headers: }
        it "returns 401 from users page" do
          request
          expect(response).to have_http_status(:unauthorized)
        end
      end
      context "when directly adding a managing agent" do
        let!(:managing_agent) { FactoryBot.create(:organisation) }
        let(:params) do
@ -403,16 +421,6 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
          end
        end
        context "when adding a managing agent" do
          before do
            get "/organisations/#{organisation.id}/managing-agents/add", headers:, params: {}
          end
          it "has the correct header" do
            expect(response.body).to include("What is the name of your managing agent?")
          end
        end
        context "with an organisation that are not in scope for the user, i.e. that they do not belong to" do
          before do
            get "/organisations/#{unauthorised_organisation.id}/managing-agents", headers:, params: {}