From 8d637e146d9ac2e5a688ef33b504fa1b57a5998e Mon Sep 17 00:00:00 2001
From: JG
Date: Tue, 14 Jun 2022 08:57:00 +0100
Subject: [PATCH] returning not found if coordinator user tries to see unrelated scheme

---
 app/controllers/schemes_controller.rb | 1 +
 spec/requests/schemes_controller_spec.rb | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/controllers/schemes_controller.rb b/app/controllers/schemes_controller.rb
index 616659935..d9dccab5d 100644
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@@ -16,6 +16,7 @@ class SchemesController < ApplicationController
 
   def show
     @scheme = Scheme.find_by(id: params[:id])
+    render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
   end
 
   private
diff --git a/spec/requests/schemes_controller_spec.rb b/spec/requests/schemes_controller_spec.rb
index e4f17022c..add918717 100644
--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
@@ -214,9 +214,9 @@ RSpec.describe SchemesController, type: :request do
       context "when coordinator attempts to see scheme belogning to a different organisation" do
         let!(:specific_scheme) { FactoryBot.create(:scheme) }
 
-        it "returns 401 unauthorized" do
+        it "returns 404 not found" do
           request
-          expect(response).to have_http_status(:unauthorized)
+          expect(response).to have_http_status(:not_found)
         end
       end
     end
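Review bot: The added guard in `show` dereferences `@scheme.organisation` before checking that `find_by` returned a record, so a request for an id that matches no scheme raises NoMethodError on nil and surfaces as a 500 rather than the 404 this commit intends; the line should read `render_not_found and return unless @scheme && ((current_user.organisation == @scheme.organisation) || current_user.support?)`. Folding the nil case into the same not-found response also keeps a missing id and a foreign-organisation id indistinguishable to the caller, which is the right outcome for an existence check like this. The spec hunk in spec/requests/schemes_controller_spec.rb only exercises the foreign-organisation case; a second example that requests a non-existent id and expects `:not_found` would pin the nil path. The enclosing SchemesController class continues outside the hunk, so whether other actions need the same ownership check cannot be judged from here.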