No access to form pages for case logs that aren't owned or managed by your org

4 years ago · ff312bed32
2 changed files with 21 additions and 4 deletions
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@ -95,9 +95,13 @@ class CaseLogsController < ApplicationController
  form = FormHandler.instance.get_form("2021_2022")
  form.pages.map do |page|
    define_method(page.id) do |_errors = {}|
-      @case_log = CaseLog.find(params[:case_log_id])
-      subsection = form.subsection_for_page(page)
-      render "form/page", locals: { form: form, page: page, subsection: subsection.label }
+      @case_log = current_user.case_logs.find_by(id: params[:case_log_id])
+      if @case_log
+        subsection = form.subsection_for_page(page)
+        render "form/page", locals: { form: form, page: page, subsection: subsection.label }
+      else
+        render file: "#{Rails.root}/public/404.html", status: 404
+      end
    end
  end

--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@ -172,7 +172,7 @@ RSpec.describe CaseLogsController, type: :request do
        end
      end

-      context "edit page" do
+      context "edit log" do
        let(:headers) { { "Accept" => "text/html" } }
        let(:form) { Form.new("spec/fixtures/forms/test_form.json") }
        before do
@ -202,6 +202,19 @@ RSpec.describe CaseLogsController, type: :request do
          end
        end
      end
+
+      context "form pages" do
+        context "case logs that are not owned or managed by your organisation" do
+          before do
+            sign_in user
+            get "/case_logs/#{unauthorized_case_log.id}/person_1_age", headers: headers, params: {}
+          end
+
+          it "does not show form pages for case logs you don't have access to" do
+            expect(response).to have_http_status(:not_found)
+          end
+        end
+      end
    end
  end