From f2d9c1e55b6127d0e340b9eac279d7e870c43554 Mon Sep 17 00:00:00 2001
From: Kat
Date: Tue, 27 Jun 2023 13:47:34 +0100
Subject: [PATCH] Do not allow removing stock owners as data providers

---
 .../organisation_relationships_controller.rb | 8 +++++++-
 .../organisation_relationship_policy.rb | 4 ++++
 ...ganisation_relationships_controller_spec.rb | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/app/controllers/organisation_relationships_controller.rb b/app/controllers/organisation_relationships_controller.rb
index c0ea020b0..8f65485c3 100644
--- a/app/controllers/organisation_relationships_controller.rb
+++ b/app/controllers/organisation_relationships_controller.rb
@@ -62,7 +62,13 @@ class OrganisationRelationshipsController < ApplicationController
 end
 end
 
- def remove_stock_owner; end
+ def remove_stock_owner
+ organisation_relationship = OrganisationRelationship.find_by!(
+ parent_organisation: organisation,
+ child_organisation: @target_organisation,
+ )
+ authorize organisation_relationship
+ end
 
 def delete_stock_owner
 OrganisationRelationship.find_by!(
diff --git a/app/policies/organisation_relationship_policy.rb b/app/policies/organisation_relationship_policy.rb
index 1a9902be9..f2d1b1666 100644
--- a/app/policies/organisation_relationship_policy.rb
+++ b/app/policies/organisation_relationship_policy.rb
@@ -9,4 +9,8 @@ class OrganisationRelationshipPolicy
 def create_stock_owner?
 return true unless user.data_provider?
 end
+
+ def remove_stock_owner?
+ return true unless user.data_provider?
+ end
 end
diff --git a/spec/requests/organisation_relationships_controller_spec.rb b/spec/requests/organisation_relationships_controller_spec.rb
index 36e957c58..0938c848b 100644
--- a/spec/requests/organisation_relationships_controller_spec.rb
+++ b/spec/requests/organisation_relationships_controller_spec.rb
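Review bot: The authorization guard is added to `remove_stock_owner`, the GET confirmation action, but `delete_stock_owner`, whose body continues past the end of the hunk, is the action that actually destroys the relationship; if it does not call `authorize` on the record it finds, a data provider can still remove a stock owner by sending the delete request directly, so the same `authorize` call belongs there too. A smaller point: `find_by!` runs before `authorize`, so an unauthorised user gets a 404 when no relationship exists and a 401 when one does, which reveals whether the pairing exists; if that matters, handle the not-found case only after the authorization decision. A one-line comment on the action, `# Confirmation page only; the destroy happens in delete_stock_owner and must be authorized there as well`, would make the split explicit for the next reader.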
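Review bot: `remove_stock_owner?` returns nil rather than false for data providers, because the `unless` guard falls through with no value; Pundit treats any falsy result as a denial, so it works, but `!user.data_provider?` states the rule directly and returns a boolean. `create_stock_owner?` above uses the same shape, so if one is changed both should be. There is also no `delete_stock_owner?` predicate in this file; if the delete action is meant to be authorized against this policy, Pundit will raise NoMethodError on the missing query rather than deny, so a matching method with the same rule is needed.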
@@ -317,6 +317,24 @@ RSpec.describe OrganisationRelationshipsController, type: :request do
 end
 end
 
+ context "when directly removing a stock owner" do
+ let(:managing_agent) { FactoryBot.create(:organisation) }
+ let(:request) { get "/organisations/#{organisation.id}/stock-owners/remove?target_organisation_id=#{managing_agent.id}", headers: }
+
+ before do
+ FactoryBot.create(:organisation_relationship, parent_organisation: organisation, child_organisation: managing_agent)
+ end
+
+ it "returns 401 from users page" do
+ request
+ expect(response).to have_http_status(:unauthorized)
+ end
+
+ it "does not remove the organisation relationship" do
+ expect { request }.not_to change(OrganisationRelationship, :count)
+ end
+ end
+
 context "when accessing the managing agents tab" do
 context "with an organisation that the user belongs to" do
 let!(:managing_agent) { FactoryBot.create(:organisation) }
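Review bot: The second example, `does not remove the organisation relationship`, sends a GET to the `/stock-owners/remove` confirmation route, which never destroys a record whichever user sends it, so the example passes even if the delete action has no authorization at all. To prove the rule the commit title states, the example should issue the delete route for the same relationship and assert both the status and the unchanged count; that route is not exercised anywhere in this hunk. The first example's description, `returns 401 from users page`, does not match the request it makes; `returns 401 for the remove stock owner page` would read correctly. The user behind `headers:` is set up in the enclosing context, which starts outside the hunk, so which role is under test cannot be confirmed from here.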