From 67b25f5b2436c1de1fad051ce6b8fd03a119f855 Mon Sep 17 00:00:00 2001 From: JG Date: Thu, 9 Jun 2022 14:28:50 +0100 Subject: [PATCH] scoping out all but support and coord users --- app/controllers/schemes_controller.rb | 5 +++++ spec/requests/schemes_controller_spec.rb | 14 ++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/app/controllers/schemes_controller.rb b/app/controllers/schemes_controller.rb index 6ac53036d..cb18b8400 100644 --- a/app/controllers/schemes_controller.rb +++ b/app/controllers/schemes_controller.rb @@ -3,6 +3,7 @@ class SchemesController < ApplicationController include Modules::SearchFilter before_action :authenticate_user! + before_action :authenticate_scope! def index all_schemes = Scheme.all @@ -17,4 +18,8 @@ class SchemesController < ApplicationController def search_term params["search"] end + + def authenticate_scope! + head :unauthorized and return unless current_user.data_coordinator? || current_user.support? + end end diff --git a/spec/requests/schemes_controller_spec.rb b/spec/requests/schemes_controller_spec.rb index 74ffd5fcf..ad62f4a5e 100644 --- a/spec/requests/schemes_controller_spec.rb +++ b/spec/requests/schemes_controller_spec.rb @@ -15,6 +15,20 @@ RSpec.describe SchemesController, type: :request do end end + context "when signed in as a data provider user" do + let(:user) { FactoryBot.create(:user) } + + before do + sign_in user + get "/supported-housing" + end + + it "returns 401 unauthorized" do + request + expect(response).to have_http_status(:unauthorized) + end + end + context "when signed in as a support user" do before do allow(user).to receive(:need_two_factor_authentication?).and_return(false)
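Review bot: `head :unauthorized` in the new `authenticate_scope!` sends 401 to a user who has already passed `authenticate_user!` but lacks the role; 401 means missing or invalid credentials (and can make clients re-prompt for login), while 403 Forbidden is the status for an authenticated principal who is denied, so `head :forbidden unless current_user.data_coordinator? || current_user.support?` is the more accurate response. The `and return` is redundant there: `head` sets the response body and Rails halts the callback chain once `performed?` is true, and dropping it also avoids the `and` precedence trap RuboCop flags. The method performs authorization rather than authentication, so a name like `authorize_scope!` would be clearer, and it should sit under `private` so it is not exposed as an action — whether a `private` marker precedes it is not visible in this hunk. Separately, `index` still starts from `Scheme.all`; if data coordinators are meant to see only their own organisation's schemes, this role gate alone does not narrow that result set.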
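Review bot: The bare `request` line before the expectation in the new "data provider" context is a no-op — `get "/supported-housing"` already ran in the `before` block and `request` here just returns the request object — so it can be removed. The example pins the status to `:unauthorized`; if the controller is changed to answer 403 for an authenticated user without the role, this should become `expect(response).to have_http_status(:forbidden)` with a matching description. The context also relies on `FactoryBot.create(:user)` defaulting to a data-provider role, which is not visible here; passing the role explicitly (via a trait or attribute the factory supports) keeps the test meaningful if that default changes. A companion example asserting that a data coordinator gets 200 would cover the other half of the new gate.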