Allow only enterprise managers to connect apps

Otherwise it doesn't work because non-managers, like super admins, are not authorised to access enterprise data via the DFC API.
2026-02-24 01:13:21 +00:00 · 2024-05-23 13:43:24 +10:00
parent 36b1c2bd83
commit 4b4ae8c7ba
4 changed files with 18 additions and 1 deletions
--- a/app/helpers/admin/enterprises_helper.rb
+++ b/app/helpers/admin/enterprises_helper.rb
@@ -14,6 +14,10 @@ module Admin
      producers.size == 1 ? producers.first.id : nil
    end

+    def can_connect_apps?(enterprise)
+      enterprise.in?(spree_current_user.enterprises)
+    end
+
    def enterprise_side_menu_items(enterprise)
      is_shop = enterprise.sells != "none"
      show_properties = !!enterprise.is_primary_producer
--- a/app/views/admin/enterprises/form/_connected_apps.html.haml
+++ b/app/views/admin/enterprises/form/_connected_apps.html.haml
@@ -6,7 +6,9 @@
      %p= t ".tagline"
    %div
      - if enterprise.connected_apps.empty?
-        = button_to t(".enable"), admin_enterprise_connected_apps_path(enterprise.id), method: :post
+        = button_to t(".enable"), admin_enterprise_connected_apps_path(enterprise.id), method: :post, disabled: !can_connect_apps?(enterprise)
+        -# This is only seen by super-admins:
+        %em= t(".need_to_be_manager") unless can_connect_apps?(enterprise)
      - elsif enterprise.connected_apps.connecting.present?
        %button{ disabled: true }
          %i.spinner.fa.fa-spin.fa-circle-o-notch
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1353,6 +1353,7 @@ en:
          enable: "Allow data sharing"
          disable: "Stop sharing"
          loading: "Loading"
+          need_to_be_manager: "Only managers can connect apps."
          note: |
            Your Open Food Network account is connected to Discover Regenerative.
            Add or update information on your Discover Regenerative listing here.
--- a/spec/system/admin/enterprises/connected_apps_spec.rb
+++ b/spec/system/admin/enterprises/connected_apps_spec.rb
@@ -50,4 +50,14 @@ RSpec.describe "Connected Apps", feature: :connected_apps, vcr: true do
    expect(page).not_to have_content "account is connected"
    expect(page).not_to have_link "Manage listing"
  end
+
+  it "can't be enabled by non-manager" do
+    login_as create(:admin_user)
+
+    visit "#{edit_admin_enterprise_path(enterprise)}#/connected_apps_panel"
+    expect(page).to have_content "Discover Regenerative"
+
+    expect(page).to have_button("Allow data sharing", disabled: true)
+    expect(page).to have_content "Only managers can connect apps."
+  end
 end