More tests for access

spec/requests/case_log_controller_spec.rb

@@ -180,6 +180,14 @@ RSpec.describe CaseLogsController, type: :request do
           allow(FormHandler.instance).to receive(:get_form).and_return(form)
         end
 
+        context "a user that is not signed in" do
+          it "does not let you get case log tasklist pages you don't have access to" do
+            get "/case-logs/#{case_log.id}", headers: headers, params: {}
+            expect(response).to redirect_to("/users/sign-in")
+          end
+        end
+
+        context "a signed in user" do
           context "case logs that are owned or managed by your organisation" do
             before do
               sign_in user
@@ -233,6 +241,7 @@ RSpec.describe CaseLogsController, type: :request do
         end
       end
     end
+  end
 
   describe "PATCH" do
     let(:case_log) do

spec/requests/form_controller_spec.rb

@@ -20,6 +20,24 @@ RSpec.describe FormController, type: :request do
   end
   let(:headers) { { "Accept" => "text/html" } }
 
+  context "a not signed in user" do
+    it "does not let you get case logs pages you don't have access to" do
+      get "/case-logs/#{case_log.id}/person-1-age", headers: headers, params: {}
+      expect(response).to redirect_to("/users/sign-in")
+    end
+
+    it "does not let you get case log check answer pages you don't have access to" do
+      get "/case-logs/#{case_log.id}/household-characteristics/check-answers", headers: headers, params: {}
+      expect(response).to redirect_to("/users/sign-in")
+    end
+
+    it "does not let you post form answers to case logs you don't have access to" do
+      post "/case-logs/#{case_log.id}/form", params: {}
+      expect(response).to redirect_to("/users/sign-in")
+    end
+  end
+
+  context "a signed in user" do
     before do
       sign_in user
     end
@@ -253,3 +271,4 @@ RSpec.describe FormController, type: :request do
       end
     end
   end
+end