From a85daf47732d45a351ca43cc5fcfa78b58b41ddc Mon Sep 17 00:00:00 2001
From: JG
Date: Wed, 15 Jun 2022 12:20:02 +0100
Subject: [PATCH] small refactoring of before actions and tests for 401 and 404
---
 app/controllers/schemes_controller.rb    | 9 ++++++++-
 spec/requests/schemes_controller_spec.rb | 10 ++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/app/controllers/schemes_controller.rb b/app/controllers/schemes_controller.rb
index 3173746b6..22d1aa247 100644
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@@ -3,6 +3,7 @@ class SchemesController < ApplicationController
   include Modules::SearchFilter
   before_action :authenticate_user!
+  before_action :find_resource, except: %i[index]
   before_action :authenticate_scope!
   def index
@@ -16,7 +17,6 @@ class SchemesController < ApplicationController
   def show
     @scheme = Scheme.find_by(id: params[:id])
-    render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
   end
   def locations
@@ -31,7 +31,14 @@ private
     params["search"]
   end
+  def find_resource
+    @scheme = Scheme.find_by(id: params[:id])
+  end
+
   def authenticate_scope!
     head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
+    if %w[show locations].include? action_name
+      render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
+    end
   end
 end
diff --git a/spec/requests/schemes_controller_spec.rb b/spec/requests/schemes_controller_spec.rb
index d8fa10741..e32acc908 100644
--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
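Review bot: The `show` action keeps its own `@scheme = Scheme.find_by(id: params[:id])` even though `find_resource` now runs before it for every action except `index`, so the same record is looked up twice per request and the two lookups can drift apart if one is changed later. Drop that line from `show` and rely on the filter, which is what `locations` presumably does now (its body is outside the hunk). Leaving both lookups in place also means a reviewer reading `show` alone cannot tell that the organisation check has moved into `authenticate_scope!`.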
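Review bot: In `authenticate_scope!` the added organisation check dereferences `@scheme.organisation` with nothing guarding against `find_resource` having returned `nil`, so a request for a scheme id that does not exist raises `NoMethodError` (a 500) instead of a 404, and this hits support users too because the comparison is evaluated before `|| current_user.support?`. Handle the missing record first, e.g. make the first line of the `if` body `render_not_found and return if @scheme.nil?`, or fold it into the condition as `render_not_found and return if @scheme.nil? || !((current_user.organisation == @scheme.organisation) || current_user.support?)`. The `%w[show locations].include? action_name` dispatch also couples the filter to action names by string; a separate `before_action :authorize_scheme!, only: %i[show locations]` would keep that knowledge in the declaration list where `find_resource`'s `except:` already lives. Note that `find_resource` runs before the role check in `authenticate_scope!`, so a database read happens even for requests that end in `head :unauthorized`.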
@@ -281,6 +281,16 @@ RSpec.describe SchemesController, type: :request do
       get "/schemes/#{scheme.id}/locations"
     end
+    context "when coordinator attempts to see scheme belonging to a different organisation" do
+      let!(:specific_scheme) { FactoryBot.create(:scheme) }
+      let!(:locations) { FactoryBot.create(:location, scheme: specific_scheme) }
+
+      it "returns 404 not found" do
+        get "/schemes/#{specific_scheme.id}/locations"
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
     it "shows scheme" do
       locations.each do |location|
         expect(page).to have_content(location.location_code)
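Review bot: The new context exercises only the `locations` route, while the organisation check in `authenticate_scope!` is keyed on both `show` and `locations`; a matching `get "/schemes/#{specific_scheme.id}"` expecting `:not_found` would cover the second branch, and a request for an id that does not exist would pin the behaviour of the `find_resource` nil path, which the visible controller hunk does not handle. Within the new context, `let!(:locations)` binds a single `Location` to a plural name that the example never reads; `let!(:location)` (or dropping it, if the 404 does not depend on a location existing) would read more honestly and avoid shadowing the outer `locations` used by the sibling "shows scheme" example. The enclosing `describe`/`context` for this example group starts outside the hunk, so which user role is signed in is inferred from the context title rather than visible here.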