small refactoring of before actions and tests for 401 and 404

app/controllers/schemes_controller.rb

@@ -3,6 +3,7 @@ class SchemesController < ApplicationController
   include Modules::SearchFilter
 
   before_action :authenticate_user!
+  before_action :find_resource, except: %i[index]
   before_action :authenticate_scope!
 
   def index
@@ -16,7 +17,6 @@ class SchemesController < ApplicationController
 
   def show
     @scheme = Scheme.find_by(id: params[:id])
-    render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
   end
 
   def locations
@@ -31,7 +31,14 @@ private
     params["search"]
   end
 
+  def find_resource
+    @scheme = Scheme.find_by(id: params[:id])
+  end
+
   def authenticate_scope!
     head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
+    if %w[show locations].include? action_name
+      render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
+    end
   end
 end

spec/requests/schemes_controller_spec.rb

@@ -281,6 +281,16 @@ RSpec.describe SchemesController, type: :request do
         get "/schemes/#{scheme.id}/locations"
       end
 
+      context "when coordinator attempts to see scheme belonging to a different organisation" do
+        let!(:specific_scheme) { FactoryBot.create(:scheme) }
+        let!(:locations) { FactoryBot.create(:location, scheme: specific_scheme) }
+
+        it "returns 404 not found" do
+          get "/schemes/#{specific_scheme.id}/locations"
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+
       it "shows scheme" do
         locations.each do |location|
           expect(page).to have_content(location.location_code)