From 665bc1dcd2462bcc3b025ee55e7a4c28cc310660 Mon Sep 17 00:00:00 2001 From: 24c02 <163450896+24c02@users.noreply.github.com> Date: Thu, 18 Dec 2025 17:11:39 -0500 Subject: [PATCH] disallow hq-usps-ops on payment accounts --- app/controllers/hcb/payment_accounts_controller.rb | 4 +++- app/models/hcb/payment_account.rb | 13 +++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/app/controllers/hcb/payment_accounts_controller.rb b/app/controllers/hcb/payment_accounts_controller.rb index 11c8833..4d813c7 100644 --- a/app/controllers/hcb/payment_accounts_controller.rb +++ b/app/controllers/hcb/payment_accounts_controller.rb @@ -51,7 +51,9 @@ class HCB::PaymentAccountsController < ApplicationController end def available_organizations - current_user.hcb_oauth_connection.organizations + current_user.hcb_oauth_connection.organizations.reject do |org| + HCB::PaymentAccount::BLOCKED_ORGANIZATION_IDS.include?(org.id) + end rescue => e Rails.logger.error "Failed to fetch HCB organizations: #{e.message}" [] diff --git a/app/models/hcb/payment_account.rb b/app/models/hcb/payment_account.rb index 5779b2e..6c251f6 100644 --- a/app/models/hcb/payment_account.rb +++ b/app/models/hcb/payment_account.rb @@ -24,8 +24,21 @@ class HCB::PaymentAccount < ApplicationRecord belongs_to :user belongs_to :oauth_connection, class_name: "HCB::OauthConnection", foreign_key: :hcb_oauth_connection_id + BLOCKED_ORGANIZATION_IDS = %w[hq-usps-ops].freeze + validates :organization_id, presence: true, uniqueness: { scope: :user_id } validates :organization_name, presence: true + validate :organization_not_blocked + + private + + def organization_not_blocked + if BLOCKED_ORGANIZATION_IDS.include?(organization_id) + errors.add(:organization_id, "is not allowed for payment accounts") + end + end + + public def self.theseus_client HCBV4::Client.from_credentials(
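Review bot: The blocklist value `hq-usps-ops` reads like a slug, yet the new `reject` block in `available_organizations` compares it with `org.id`, and the validation in the `app/models/hcb/payment_account.rb` hunk compares it with `organization_id`. If HCB returns an opaque identifier in `id` and keeps the slug in a separate field (not visible in this diff), neither check will ever match and the block silently does nothing. If the same organization can be stored under either form, blocking one form still lets the other through. Please confirm which form `organization_id` actually holds and record it next to the constant, e.g. `# Entries must use the same identifier form that is stored in organization_id (HCB id vs. slug).`, ideally with a model spec that saves a payment account for the blocked organization and expects the error. The method's closing `end` lies outside this hunk.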
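Review bot: `validate :organization_not_blocked` only runs when a record is saved, so any `HCB::PaymentAccount` rows already linked to a blocked organization are left in place by this commit; whether such rows exist is not visible here. A one-off cleanup, or a check at the point where a payment account is actually used, would close that gap. It would also keep later `save!` calls on those rows from failing on the new validation. On style, the `private` / `public` toggle in the middle of the class (whose body continues outside the hunk) is fragile when methods are later added between the two markers; `private def organization_not_blocked` limits the visibility change to this one method.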