returning not found if coordinator user tries to see unrelated scheme

3 years ago · 8d637e146d
2 changed files with 3 additions and 2 deletions
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@ -16,6 +16,7 @@ class SchemesController < ApplicationController

  def show
    @scheme = Scheme.find_by(id: params[:id])
+    render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
  end

 private
--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
@ -214,9 +214,9 @@ RSpec.describe SchemesController, type: :request do
      context "when coordinator attempts to see scheme belogning to a different organisation" do
        let!(:specific_scheme) { FactoryBot.create(:scheme) }

-        it "returns 401 unauthorized" do
+        it "returns 404 not found" do
          request
-          expect(response).to have_http_status(:unauthorized)
+          expect(response).to have_http_status(:not_found)
        end
      end
    end