Check answers access

app/controllers/case_logs_controller.rb

@@ -86,10 +86,14 @@ class CaseLogsController < ApplicationController
 
   def check_answers
     form = FormHandler.instance.get_form("2021_2022")
-    @case_log = CaseLog.find(params[:case_log_id])
+    @case_log = current_user.case_logs.find_by(id: params[:case_log_id])
+    if @case_log
       current_url = request.env["PATH_INFO"]
       subsection = form.get_subsection(current_url.split("/")[-2])
       render "form/check_answers", locals: { subsection: subsection, form: form }
+    else
+      render file: "#{Rails.root}/public/404.html", status: 404
+    end
   end
 
   form = FormHandler.instance.get_form("2021_2022")

spec/requests/case_log_controller_spec.rb

@@ -204,6 +204,8 @@ RSpec.describe CaseLogsController, type: :request do
       end
 
       context "form pages" do
+        let(:headers) { { "Accept" => "text/html" } }
+
         context "case logs that are not owned or managed by your organisation" do
           before do
             sign_in user
@@ -215,6 +217,21 @@ RSpec.describe CaseLogsController, type: :request do
           end
         end
       end
+
+      context "check answers pages" do
+        let(:headers) { { "Accept" => "text/html" } }
+
+        context "case logs that are not owned or managed by your organisation" do
+          before do
+            sign_in user
+            get "/case_logs/#{unauthorized_case_log.id}/household_characteristics/check_answers", headers: headers, params: {}
+          end
+
+          it "does not show a check answers for case logs you don't have access to" do
+            expect(response).to have_http_status(:not_found)
+          end
+        end
+      end
     end
   end