Do not allow adding managing agents as data providers

app/controllers/organisation_relationships_controller.rb

@@ -53,6 +53,7 @@ class OrganisationRelationshipsController < ApplicationController
 
   def create_managing_agent
     @organisation_relationship = organisation.child_organisation_relationships.new(organisation_relationship_params)
+    authorize @organisation_relationship
     if @organisation_relationship.save
       flash[:notice] = "#{@organisation_relationship.child_organisation.name} is now one of #{current_user.data_coordinator? ? 'your' : "this organisation's"} managing agents"
       redirect_to managing_agents_organisation_path

app/policies/organisation_relationship_policy.rb

@@ -13,4 +13,8 @@ class OrganisationRelationshipPolicy
   def remove_stock_owner?
     return true unless user.data_provider?
   end
+
+  def create_managing_agent?
+    return true unless user.data_provider?
+  end
 end

spec/requests/organisation_relationships_controller_spec.rb

@@ -335,6 +335,27 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
         end
       end
 
+      context "when directly adding a managing agent" do
+        let!(:managing_agent) { FactoryBot.create(:organisation) }
+        let(:params) do
+          {
+            "organisation_relationship": {
+              "child_organisation_id": managing_agent.id,
+            },
+          }
+        end
+        let(:request) { post "/organisations/#{organisation.id}/managing-agents", headers:, params: }
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+
+        it "does not create a new organisation relationship" do
+          expect { request }.not_to change(OrganisationRelationship, :count)
+        end
+      end
+
       context "when accessing the managing agents tab" do
         context "with an organisation that the user belongs to" do
           let!(:managing_agent) { FactoryBot.create(:organisation) }