From df3a11588ca6734bc78c8622ed9c04f21582e736 Mon Sep 17 00:00:00 2001
From: Kat
Date: Tue, 27 Jun 2023 13:55:55 +0100
Subject: [PATCH] Do not allow adding managing agents as data providers
---
.../organisation_relationships_controller.rb | 1 +
.../organisation_relationship_policy.rb | 4 ++++
...anisation_relationships_controller_spec.rb | 21 +++++++++++++++++++
3 files changed, 26 insertions(+)
diff --git a/app/controllers/organisation_relationships_controller.rb b/app/controllers/organisation_relationships_controller.rb
index 8f65485c3..9573a5dfb 100644
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@@ -53,6 +53,7 @@ class OrganisationRelationshipsController < ApplicationController
   def create_managing_agent
     @organisation_relationship = organisation.child_organisation_relationships.new(organisation_relationship_params)
+    authorize @organisation_relationship
     if @organisation_relationship.save
       flash[:notice] = "#{@organisation_relationship.child_organisation.name} is now one of #{current_user.data_coordinator? ? 'your' : "this organisation's"} managing agents"
       redirect_to managing_agents_organisation_path
diff --git a/app/policies/organisation_relationship_policy.rb b/app/policies/organisation_relationship_policy.rb
index f2d1b1666..79540f20d 100644
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@@ -13,4 +13,8 @@ class OrganisationRelationshipPolicy
   def remove_stock_owner?
     return true unless user.data_provider?
   end
+
+  def create_managing_agent?
+    return true unless user.data_provider?
+  end
 end
diff --git a/spec/requests/organisation_relationships_controller_spec.rb b/spec/requests/organisation_relationships_controller_spec.rb
index 0938c848b..be366a7c7 100644
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
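Review bot: The new `authorize @organisation_relationship` in create_managing_agent relies on Pundit inferring the policy query from the controller action name, so the check silently depends on `OrganisationRelationshipPolicy` defining exactly `create_managing_agent?`; if either side is renamed the call would fail rather than deny, which is safe but surprising to a reader. Naming the query explicitly, `authorize @organisation_relationship, :create_managing_agent?`, makes that coupling visible at the call site. The policy added in this patch only rejects data providers and does not look at which `organisation` the relationship is being created under, so whatever check confirms the current user may act on that organisation presumably lives in the `organisation` helper or elsewhere outside the hunk — worth confirming. create_managing_agent continues past the end of the hunk.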
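Review bot: `create_managing_agent?` returns `nil` rather than `false` on the denial path, because `return true unless user.data_provider?` falls through to the implicit end of the method; Pundit treats nil as a denial, but a `?` predicate should return a boolean, and `!user.data_provider?` says the same in one line: `def create_managing_agent?` / `  !user.data_provider?` / `end`. The existing `remove_stock_owner?` above uses the same pattern, so the new method is consistent with the file as written; if one is changed, change both together. A short comment stating the rule, `# Only data providers are barred from adding managing agents.`, would document why the method exists.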
@@ -335,6 +335,27 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
       end
     end
+    context "when directly adding a managing agent" do
+      let!(:managing_agent) { FactoryBot.create(:organisation) }
+      let(:params) do
+        {
+          "organisation_relationship": {
+            "child_organisation_id": managing_agent.id,
+          },
+        }
+      end
+      let(:request) { post "/organisations/#{organisation.id}/managing-agents", headers:, params: }
+
+      it "returns 401 from users page" do
+        request
+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it "does not create a new organisation relationship" do
+        expect { request }.not_to change(OrganisationRelationship, :count)
+      end
+    end
+
     context "when accessing the managing agents tab" do
       context "with an organisation that the user belongs to" do
         let!(:managing_agent) { FactoryBot.create(:organisation) }
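Review bot: The example name `"returns 401 from users page"` does not describe the request it makes, which posts to `/organisations/#{organisation.id}/managing-agents`; `it "returns 401 when posting a managing agent"` would read correctly in failure output. The role of the signed-in user comes from the enclosing context, which begins before the hunk, so these examples only exercise the new policy if that context is the data-provider one — the patch subject suggests it is, but that cannot be confirmed from the hunk. There is no positive counterpart here (a user who is not a data provider still being able to add a managing agent); if one does not already exist for this route, the policy change is only tested from the denial side.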