From 6e489d7770b6c43a31e7eccd307be4b087b289a6 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Fri, 22 Aug 2025 16:46:59 +1000
Subject: [PATCH] Enforce required DFC permissions

---
 .../dfc_provider/application_controller.rb | 8 ++++--
 .../spec/requests/catalog_items_spec.rb | 26 ++++++++++++++++---
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
index 8b5a239eb1..d88823b2f2 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
@@ -3,12 +3,15 @@
 # Controller used to provide the API products for the DFC application
 module DfcProvider
 class ApplicationController < ActionController::Base
+ class Unauthorized < StandardError; end
+
 include ActiveStorage::SetCurrent
 
 protect_from_forgery with: :null_session
 
 rescue_from ActiveRecord::RecordNotFound, with: :not_found
 rescue_from CanCan::AccessDenied, with: :unauthorized
+ rescue_from Unauthorized, with: :unauthorized
 
 before_action :check_authorization
 
@@ -17,9 +20,10 @@ module DfcProvider
 private
 
 def require_permission(scope)
- return true if current_user.is_a? Spree::User
+ return if current_user.is_a? Spree::User
+ return if current_user.permissions(scope).where(enterprise: current_enterprise).exists?
 
- current_user.permissions(scope).where(enterprise: current_enterprise).exists?
+ raise Unauthorized
 end
 
 def check_authorization
diff --git a/engines/dfc_provider/spec/requests/catalog_items_spec.rb b/engines/dfc_provider/spec/requests/catalog_items_spec.rb
index d7d8f58330..d037fa7faa 100644
--- a/engines/dfc_provider/spec/requests/catalog_items_spec.rb
+++ b/engines/dfc_provider/spec/requests/catalog_items_spec.rb
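Review bot: `Unauthorized` is introduced without a comment stating when it is raised or that it deliberately shares the `unauthorized` handler with `CanCan::AccessDenied`; a one-liner above the class would do: `# Raised by require_permission when a platform user has no DfcPermission for the requested scope on current_enterprise; handled like CanCan::AccessDenied.` The situation it signals is an authenticated caller lacking a grant, which HTTP-wise is closer to 403 than the 401 the spec expects; reusing the existing handler keeps the API consistent, but record that choice in the comment so it is not "corrected" later. The `unauthorized` handler itself is outside this hunk, so what it renders cannot be checked here.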
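Review bot: `require_permission` now raises instead of answering a boolean, yet no comment states that contract or why every `Spree::User` is exempt from the DfcPermission lookup; add above the definition: `# Raises Unauthorized unless the caller may act in +scope+ on current_enterprise. Spree users skip the DfcPermission lookup; platform users need an explicit grant.` Whether CanCan covers the Spree-user path is my inference from the `rescue_from CanCan::AccessDenied` line above and should be confirmed before it goes into the comment. Two boundary cases deserve a thought: if `current_user` can be nil when this runs, the second guard raises NoMethodError (a 500) rather than Unauthorized, and if `current_enterprise` resolves to nil the query becomes `enterprise_id IS NULL`, so a grant row with no enterprise would satisfy it. A `raise Unauthorized unless current_user && current_enterprise` ahead of the lookup closes both, unless `check_authorization` (outside the hunk) already guarantees them.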
@@ -102,11 +102,31 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
 end
 
 response "401", "unauthorized" do
- let(:enterprise_id) { "default" }
+ context "as platform user" do
+ include_context "authenticated as platform"
 
- before { login_as nil }
+ let(:enterprise_id) { 10_000 }
 
- run_test!
+ before {
+ product
+
+ DfcPermission.create!(
+ user:, enterprise_id:,
+ scope: "ReadEnterprise", grantee: "cqcm-dev",
+ )
+ # But no ReadProducts permission.
+ }
+
+ run_test!
+ end
+
+ context "without authorisation" do
+ let(:enterprise_id) { "default" }
+
+ before { login_as nil }
+
+ run_test!
+ end
 end
 end
 end
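Review bot: The new multi-line `before { ... }` in the "as platform user" context should be `before do ... end`; braces belong to one-liners such as the `before { login_as nil }` kept below, and RuboCop's Style/BlockDelimiters would flag this. The 401 example grants `ReadEnterprise` on enterprise `10_000` and withholds `ReadProducts`, but with an id that, as far as the hunk shows, belongs to no enterprise, the 401 is equally explained by the grant's enterprise not matching `current_enterprise`, so the example does not isolate the missing-scope check; granting `ReadEnterprise` on the enterprise `product` actually belongs to (presumably what `current_enterprise` resolves) would make the failing condition unambiguous. Unless a 200 example for a platform user holding `ReadProducts` already exists above this hunk, a positive counterpart is also needed to show the grant path still works now that `require_permission` raises. The enclosing `response` and `describe` blocks start before the hunk.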