Enterprise user can only add order cycle exchanges where it manages the participant enterprise

lib/open_food_network/order_cycle_form_applicator.rb

@@ -58,14 +58,18 @@ module OpenFoodNetwork
 
     def add_exchange(sender_id, receiver_id, incoming, attrs={})
       attrs = attrs.reverse_merge(:sender_id => sender_id, :receiver_id => receiver_id, :incoming => incoming)
-      exchange = @order_cycle.exchanges.create! attrs
-      @touched_exchanges << exchange
+      exchange = @order_cycle.exchanges.build attrs
+
+      if permission_for exchange
+        exchange.save!
+        @touched_exchanges << exchange
+      end
     end
 
     def update_exchange(sender_id, receiver_id, incoming, attrs={})
       exchange = @order_cycle.exchanges.where(:sender_id => sender_id, :receiver_id => receiver_id, :incoming => incoming).first
 
-      if permission_for(exchange)
+      if permission_for exchange
         exchange.update_attributes!(attrs)
         @touched_exchanges << exchange
       end

spec/lib/open_food_network/order_cycle_form_applicator_spec.rb

@@ -232,6 +232,19 @@ module OpenFoodNetwork
         applicator.send(:touched_exchanges).should == [exchange]
       end
 
+      it "does not add exchanges it is not permitted to touch" do
+        sender = FactoryGirl.create(:enterprise)
+        receiver = FactoryGirl.create(:enterprise)
+        oc = FactoryGirl.create(:simple_order_cycle)
+        applicator = OrderCycleFormApplicator.new(oc, [])
+        incoming = true
+
+        expect do
+          applicator.send(:touched_exchanges=, [])
+          applicator.send(:add_exchange, sender.id, receiver.id, incoming)
+        end.to change(Exchange, :count).by(0)
+      end
+
       it "does not update exchanges it is not permitted to touch" do
         sender = FactoryGirl.create(:enterprise)
         receiver = FactoryGirl.create(:enterprise)