From 4b4ae8c7ba3f823d68dd897a0eb8f864bf58cfb5 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 23 May 2024 13:43:24 +1000
Subject: [PATCH] Allow only enterprise managers to connect apps

Otherwise it doesn't work because non-managers, like super admins, are not authorised to access enterprise data via the DFC API.
---
 app/helpers/admin/enterprises_helper.rb | 4 ++++
 .../admin/enterprises/form/_connected_apps.html.haml | 4 +++-
 config/locales/en.yml | 1 +
 spec/system/admin/enterprises/connected_apps_spec.rb | 10 ++++++++++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/helpers/admin/enterprises_helper.rb b/app/helpers/admin/enterprises_helper.rb
index e78029c762..bf39ee199b 100644
--- a/app/helpers/admin/enterprises_helper.rb
+++ b/app/helpers/admin/enterprises_helper.rb
@@ -14,6 +14,10 @@ module Admin
 producers.size == 1 ? producers.first.id : nil
 end
 
+ def can_connect_apps?(enterprise)
+ enterprise.in?(spree_current_user.enterprises)
+ end
+
 def enterprise_side_menu_items(enterprise)
 is_shop = enterprise.sells != "none"
 show_properties = !!enterprise.is_primary_producer
diff --git a/app/views/admin/enterprises/form/_connected_apps.html.haml b/app/views/admin/enterprises/form/_connected_apps.html.haml
index b8e6be9fae..81dfb240a4 100644
--- a/app/views/admin/enterprises/form/_connected_apps.html.haml
+++ b/app/views/admin/enterprises/form/_connected_apps.html.haml
@@ -6,7 +6,9 @@
 %p= t ".tagline"
 %div
 - if enterprise.connected_apps.empty?
- = button_to t(".enable"), admin_enterprise_connected_apps_path(enterprise.id), method: :post
+ = button_to t(".enable"), admin_enterprise_connected_apps_path(enterprise.id), method: :post, disabled: !can_connect_apps?(enterprise)
+ -# This is only seen by super-admins:
+ %em= t(".need_to_be_manager") unless can_connect_apps?(enterprise)
 - elsif enterprise.connected_apps.connecting.present?
 %button{ disabled: true }
 %i.spinner.fa.fa-spin.fa-circle-o-notch 
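Review bot: `can_connect_apps?` in the enterprises_helper hunk is a presentational hint, not an authorization check: it only decides whether the view renders the button disabled, and a disabled attribute does not stop a request to `admin_enterprise_connected_apps_path` (the `disabled:` use in the `_connected_apps.html.haml` hunk has the same limitation). The commit message says non-managers are refused by the DFC API, so the POST presumably fails later, but the controller is not in this diff, and I'd confirm it rejects non-managers itself rather than relying on button state. The method deserves a comment saying so, e.g. `# Display hint only: disables the connect-apps button for users who do not manage +enterprise+ (the DFC API only serves managers); the controller must enforce the same rule.`. `spree_current_user` is defined outside the hunk, and I'm assuming its `enterprises` are the user's managed enterprises, as the commit message implies.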
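Review bot: The `_connected_apps.html.haml` hunk evaluates `can_connect_apps?(enterprise)` twice per render, once for `disabled:` and once for the `%em` guard; hoisting it into a local keeps the two in step and avoids repeating whatever lookup the helper performs, e.g. `- can_connect = can_connect_apps?(enterprise)` followed by `disabled: !can_connect` and `unless can_connect`. The added `-# This is only seen by super-admins:` comment asserts who reaches this branch, which the view cannot verify; `-# Shown to users who can edit the enterprise without managing it (e.g. super-admins):` describes what the code actually checks. The enclosing `- if` / `- elsif` chain continues past the end of the hunk.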
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 78e9c8f25c..47b4b07814 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1353,6 +1353,7 @@ en:
 enable: "Allow data sharing"
 disable: "Stop sharing"
 loading: "Loading"
+ need_to_be_manager: "Only managers can connect apps."
 note: |
 Your Open Food Network account is connected to Discover Regenerative.
 Add or update information on your Discover Regenerative listing here.
diff --git a/spec/system/admin/enterprises/connected_apps_spec.rb b/spec/system/admin/enterprises/connected_apps_spec.rb
index 23bf8d4fe0..652982b0ed 100644
--- a/spec/system/admin/enterprises/connected_apps_spec.rb
+++ b/spec/system/admin/enterprises/connected_apps_spec.rb
@@ -50,4 +50,14 @@ RSpec.describe "Connected Apps", feature: :connected_apps, vcr: true do
 expect(page).not_to have_content "account is connected"
 expect(page).not_to have_link "Manage listing"
 end
+
+ it "can't be enabled by non-manager" do
+ login_as create(:admin_user)
+
+ visit "#{edit_admin_enterprise_path(enterprise)}#/connected_apps_panel"
+ expect(page).to have_content "Discover Regenerative"
+
+ expect(page).to have_button("Allow data sharing", disabled: true)
+ expect(page).to have_content "Only managers can connect apps."
+ end
 end
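Review bot: The new example in `connected_apps_spec.rb` only pins the rendered state (a disabled button and the hint text); nothing in this patch asserts that a non-manager's POST to `admin_enterprise_connected_apps_path` is actually refused, which is the behaviour the commit message relies on. Since a disabled button can be bypassed by submitting the form directly, a request- or controller-level example posting as `create(:admin_user)` and expecting the enterprise's `connected_apps` to remain empty would cover the server-side rule; the system spec cannot do that itself. `enterprise` is a `let` defined above the hunk, so the example inherits whatever manager it is created with, and the "non-manager" name assumes the admin user is not among them.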