Authorise add managing agent/stock owner pages

3 years ago · 8763a4d926
3 changed files with 28 additions and 10 deletions
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@ -33,10 +33,12 @@ class OrganisationRelationshipsController < ApplicationController

  def add_stock_owner
    @organisation_relationship = organisation.parent_organisation_relationships.new
+    authorize @organisation_relationship
  end

  def add_managing_agent
    @organisation_relationship = organisation.child_organisation_relationships.new
+    authorize @organisation_relationship
  end

  def create_stock_owner
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@ -6,6 +6,10 @@ class OrganisationRelationshipPolicy
    @organisation_relationship = organisation_relationship
  end

+  def add_stock_owner?
+    return true unless user.data_provider?
+  end
+
  def create_stock_owner?
    return true unless user.data_provider?
  end
@ -14,6 +18,10 @@ class OrganisationRelationshipPolicy
    return true unless user.data_provider?
  end

+  def add_managing_agent?
+    return true unless user.data_provider?
+  end
+
  def create_managing_agent?
    return true unless user.data_provider?
  end
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
@ -296,6 +296,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end

+      context "when directly accessing the page to add a stock owner" do
+        let(:request) { get "/organisations/#{organisation.id}/stock-owners/add", headers: }
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+
      context "when directly adding a stock owner" do
        let!(:stock_owner) { FactoryBot.create(:organisation) }
        let(:params) do
@ -331,6 +340,15 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
        end
      end

+      context "when directly accessing the page to add a managing agent" do
+        let(:request) { get "/organisations/#{organisation.id}/managing-agents/add", headers: }
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+
      context "when directly adding a managing agent" do
        let!(:managing_agent) { FactoryBot.create(:organisation) }
        let(:params) do
@ -403,16 +421,6 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
          end
        end

-        context "when adding a managing agent" do
-          before do
-            get "/organisations/#{organisation.id}/managing-agents/add", headers:, params: {}
-          end
-
-          it "has the correct header" do
-            expect(response.body).to include("What is the name of your managing agent?")
-          end
-        end
-
        context "with an organisation that are not in scope for the user, i.e. that they do not belong to" do
          before do
            get "/organisations/#{unauthorised_organisation.id}/managing-agents", headers:, params: {}