Do not allow removing stock owners as data providers

app/controllers/organisation_relationships_controller.rb

@@ -62,7 +62,13 @@ class OrganisationRelationshipsController < ApplicationController
     end
   end
 
-  def remove_stock_owner; end
+  def remove_stock_owner
+    organisation_relationship = OrganisationRelationship.find_by!(
+      parent_organisation: organisation,
+      child_organisation: @target_organisation,
+    )
+    authorize organisation_relationship
+  end
 
   def delete_stock_owner
     OrganisationRelationship.find_by!(

app/policies/organisation_relationship_policy.rb

@@ -9,4 +9,8 @@ class OrganisationRelationshipPolicy
   def create_stock_owner?
     return true unless user.data_provider?
   end
+
+  def remove_stock_owner?
+    return true unless user.data_provider?
+  end
 end

spec/requests/organisation_relationships_controller_spec.rb

@@ -317,6 +317,24 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
         end
       end
 
+      context "when directly removing a stock owner" do
+        let(:managing_agent) { FactoryBot.create(:organisation) }
+        let(:request) { get "/organisations/#{organisation.id}/stock-owners/remove?target_organisation_id=#{managing_agent.id}", headers: }
+
+        before do
+          FactoryBot.create(:organisation_relationship, parent_organisation: organisation, child_organisation: managing_agent)
+        end
+
+        it "returns 401 from users page" do
+          request
+          expect(response).to have_http_status(:unauthorized)
+        end
+
+        it "does not remove the organisation relationship" do
+          expect { request }.not_to change(OrganisationRelationship, :count)
+        end
+      end
+
       context "when accessing the managing agents tab" do
         context "with an organisation that the user belongs to" do
           let!(:managing_agent) { FactoryBot.create(:organisation) }