scoping out all but support and coord users

app/controllers/schemes_controller.rb

@@ -3,6 +3,7 @@ class SchemesController < ApplicationController
   include Modules::SearchFilter
 
   before_action :authenticate_user!
+  before_action :authenticate_scope!
 
   def index
     all_schemes = Scheme.all
@@ -17,4 +18,8 @@ class SchemesController < ApplicationController
   def search_term
     params["search"]
   end
+
+  def authenticate_scope!
+    head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
+  end
 end

spec/requests/schemes_controller_spec.rb

@@ -15,6 +15,20 @@ RSpec.describe SchemesController, type: :request do
       end
     end
 
+    context "when signed in as a data provider user" do
+      let(:user) { FactoryBot.create(:user) }
+
+      before do
+        sign_in user
+        get "/supported-housing"
+      end
+
+      it "returns 401 unauthorized" do
+        request
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
     context "when signed in as a support user" do
       before do
         allow(user).to receive(:need_two_factor_authentication?).and_return(false)