From 715a8f421a358a662faa033a3fdf9153d0b993a4 Mon Sep 17 00:00:00 2001
From: Ahmed Ejaz
Date: Sat, 21 Mar 2026 03:38:38 +0500
Subject: [PATCH] 14081: fix permission issue for deleting manager
---
 app/models/spree/ability.rb | 4 +++
 spec/system/admin/enterprises_spec.rb | 41 +++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/app/models/spree/ability.rb b/app/models/spree/ability.rb
index c8e4e19831..f94e511337 100644
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -197,6 +197,10 @@ module Spree
 can [:admin, :index, :destroy], :oidc_setting
 can [:admin, :create], Voucher
+
+ can [:admin, :destroy], EnterpriseRole do |enterprise_role|
+ enterprise_role.enterprise.owner_id == user.id
+ end
 end
 def add_product_management_abilities(user)
diff --git a/spec/system/admin/enterprises_spec.rb b/spec/system/admin/enterprises_spec.rb
index 2b7e598a4e..892068d8f7 100644
--- a/spec/system/admin/enterprises_spec.rb
+++ b/spec/system/admin/enterprises_spec.rb
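Review bot: The ownership test in the added `can [:admin, :destroy], EnterpriseRole do |enterprise_role|` block only runs when CanCan is handed a loaded record; a check against the class itself, such as `can?(:destroy, EnterpriseRole)`, does not evaluate the block and passes for every user who reaches this method. The destroy action therefore has to authorize the loaded role, and that controller code is not part of this patch. The block would also raise `NoMethodError` for a role whose `enterprise` is nil and cannot be used with `accessible_by`, so the hash form `can [:admin, :destroy], EnterpriseRole, enterprise: { owner_id: user.id }` is the safer way to state the same rule. The enclosing method starts above the hunk, so which users receive this rule cannot be confirmed from the lines shown.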
@@ -885,6 +885,47 @@ RSpec.describe '
 end
 end
 end
+
+ describe "removing enterprise managers" do
+ let(:existing_user) { create(:user) }
+
+ before do
+ distributor1.users << existing_user
+ login_as logged_in_user
+ visit edit_admin_enterprise_path(distributor1)
+ scroll_to(:bottom)
+ within ".side_menu" do
+ find(:link, "Users").trigger("click")
+ end
+ end
+
+ context "as the enterprise owner" do
+ let(:logged_in_user) { distributor1.owner }
+
+ it 'removes the manager as enterprise owner' do
+ expect(page).to have_content existing_user.email
+
+ within "#manager-#{existing_user.id}" do
+ accept_confirm do
+ page.find("a.icon-trash").click
+ end
+ end
+
+ expect(page).not_to have_content existing_user.email
+ end
+ end
+
+ context "as the enterprise manager" do
+ let(:logged_in_user) { existing_user }
+
+ it "is unable delete any other manager" do
+ expect(page).to have_content existing_user.email
+ within('.edit_enterprise') do
+ expect(page).not_to have_selector('a.icon-trash')
+ end
+ end
+ end
+ end
 end
 context "changing package" do
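Review bot: The "as the enterprise manager" example only asserts that `a.icon-trash` is not rendered inside `.edit_enterprise`, so it would still pass if the server accepted a delete request from a manager; hiding the link is not the access control. The denial should also be pinned at the ability or request level, for example `expect(Spree::Ability.new(existing_user)).not_to be_able_to(:destroy, role)` with `role` being an EnterpriseRole on `distributor1`. The example name is also missing a word and should read `it "is unable to delete any other manager" do`.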