From fcffcbbc0d83f8e342b575ae9e782e1cee83c8e5 Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Mon, 29 Nov 2021 17:01:28 +0000
Subject: [PATCH] Check answers access

---
 app/controllers/case_logs_controller.rb   | 12 ++++++++----
 spec/requests/case_log_controller_spec.rb | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index cdaa155da..18e9050c3 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -86,10 +86,14 @@ class CaseLogsController < ApplicationController
   def check_answers
     form = FormHandler.instance.get_form("2021_2022")
-    @case_log = CaseLog.find(params[:case_log_id])
-    current_url = request.env["PATH_INFO"]
-    subsection = form.get_subsection(current_url.split("/")[-2])
-    render "form/check_answers", locals: { subsection: subsection, form: form }
+    @case_log = current_user.case_logs.find_by(id: params[:case_log_id])
+    if @case_log
+      current_url = request.env["PATH_INFO"]
+      subsection = form.get_subsection(current_url.split("/")[-2])
+      render "form/check_answers", locals: { subsection: subsection, form: form }
+    else
+      render file: "#{Rails.root}/public/404.html", status: 404
+    end
   end
 
 
   form = FormHandler.instance.get_form("2021_2022")
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index 4fc35e6ad..d8d52f61e 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -204,6 +204,8 @@ RSpec.describe CaseLogsController, type: :request do
     end
 
     context "form pages" do
+      let(:headers) { { "Accept" => "text/html" } }
+
       context "case logs that are not owned or managed by your organisation" do
         before do
           sign_in user
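Review bot: The new not-found branch in check_answers builds the 404 path by string interpolation and uses a bare numeric status; the idiomatic form is `render file: Rails.root.join("public", "404.html"), status: :not_found`, and if the form-page actions already carry the same fallback (the spec's "form pages" context suggests they do) it belongs in one private `render_not_found` helper so the authorization response is identical across actions. Scoping the lookup through `current_user.case_logs.find_by` is the right fix for the previous unscoped `CaseLog.find`, but it assumes `current_user` is present: if this action is not behind an authenticating before_action, an anonymous request raises NoMethodError (a 500) instead of a 404 or sign-in redirect — worth confirming, since the filter is outside the hunk. The subsection is still derived from `request.env["PATH_INFO"]` rather than a route param, so an unknown subsection segment reaches the view as nil; routing that case to the same not-found branch would close it. The method is complete in the hunk; the enclosing class continues outside it.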
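Review bot: The `let(:headers) { { "Accept" => "text/html" } }` added inside the "form pages" context is repeated verbatim in the new "check answers pages" context of the next hunk (-215,6); defining it once on the enclosing describe removes the duplication and keeps the two request contexts in step. The "form pages" context continues outside this hunk.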
@@ -215,6 +217,21 @@ RSpec.describe CaseLogsController, type: :request do
         end
       end
     end
+
+    context "check answers pages" do
+      let(:headers) { { "Accept" => "text/html" } }
+
+      context "case logs that are not owned or managed by your organisation" do
+        before do
+          sign_in user
+          get "/case_logs/#{unauthorized_case_log.id}/household_characteristics/check_answers", headers: headers, params: {}
+        end
+
+        it "does not show a check answers for case logs you don't have access to" do
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+    end
 
   end
 end
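Review bot: The new context pins only the negative path; a companion example that a case log owned by the user's organisation returns `:ok` for the same `.../household_characteristics/check_answers` path would confirm the tightened `current_user.case_logs` scoping did not break the authorized case (if such an example exists elsewhere in the file it is not in this hunk). `params: {}` on the `get` is a no-op and can be dropped. The example name reads better as `it "does not show check answers for case logs you don't have access to"`.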