Enforce required DFC permissions

engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb

@@ -3,12 +3,15 @@
 # Controller used to provide the API products for the DFC application
 module DfcProvider
   class ApplicationController < ActionController::Base
+    class Unauthorized < StandardError; end
+
     include ActiveStorage::SetCurrent
 
     protect_from_forgery with: :null_session
 
     rescue_from ActiveRecord::RecordNotFound, with: :not_found
     rescue_from CanCan::AccessDenied, with: :unauthorized
+    rescue_from Unauthorized, with: :unauthorized
 
     before_action :check_authorization
 
@@ -17,9 +20,10 @@ module DfcProvider
     private
 
     def require_permission(scope)
-      return true if current_user.is_a? Spree::User
+      return if current_user.is_a? Spree::User
+      return if current_user.permissions(scope).where(enterprise: current_enterprise).exists?
 
-      current_user.permissions(scope).where(enterprise: current_enterprise).exists?
+      raise Unauthorized
     end
 
     def check_authorization

engines/dfc_provider/spec/requests/catalog_items_spec.rb

@@ -102,11 +102,31 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
       end
 
       response "401", "unauthorized" do
-        let(:enterprise_id) { "default" }
+        context "as platform user" do
+          include_context "authenticated as platform"
 
-        before { login_as nil }
+          let(:enterprise_id) { 10_000 }
 
-        run_test!
+          before {
+            product
+
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadEnterprise", grantee: "cqcm-dev",
+            )
+            # But no ReadProducts permission.
+          }
+
+          run_test!
+        end
+
+        context "without authorisation" do
+          let(:enterprise_id) { "default" }
+
+          before { login_as nil }
+
+          run_test!
+        end
       end
     end
   end