diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 771d54688..cdaa155da 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -95,9 +95,13 @@ class CaseLogsController < ApplicationController
 form = FormHandler.instance.get_form("2021_2022")
 form.pages.map do |page|
 define_method(page.id) do |_errors = {}|
- @case_log = CaseLog.find(params[:case_log_id])
- subsection = form.subsection_for_page(page)
- render "form/page", locals: { form: form, page: page, subsection: subsection.label }
+ @case_log = current_user.case_logs.find_by(id: params[:case_log_id])
+ if @case_log
+ subsection = form.subsection_for_page(page)
+ render "form/page", locals: { form: form, page: page, subsection: subsection.label }
+ else
+ render file: "#{Rails.root}/public/404.html", status: 404
+ end
 end
 end
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index 658148526..4fc35e6ad 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -172,7 +172,7 @@ RSpec.describe CaseLogsController, type: :request do
 end
 end
- context "edit page" do
+ context "edit log" do
 let(:headers) { { "Accept" => "text/html" } }
 let(:form) { Form.new("spec/fixtures/forms/test_form.json") }
 before do
@@ -202,6 +202,19 @@ RSpec.describe CaseLogsController, type: :request do
 end
 end
 end
+
+ context "form pages" do
+ context "case logs that are not owned or managed by your organisation" do
+ before do
+ sign_in user
+ get "/case_logs/#{unauthorized_case_log.id}/person_1_age", headers: headers, params: {}
+ end
+
+ it "does not show form pages for case logs you don't have access to" do
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+ end
 end
 end
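Review bot: The scoped `current_user.case_logs.find_by` closes the direct-object-reference hole only for these generated form-page GETs; any other action in this controller that loads a log from `params[:case_log_id]` or `params[:id]` (show/edit/update are outside this hunk, if they exist here) needs the same scope or the log stays reachable by id through them, so I would move the lookup into a private helper such as `def authorised_case_log; current_user.case_logs.find_by(id: params[:case_log_id]); end` and call it from every action. Answering both a missing and a foreign log with the same 404 is the right choice because a caller cannot probe which ids exist; a one-line comment would make that deliberate, `# 404 for foreign logs too, so ids cannot be enumerated`. The branch also assumes `current_user` is non-nil (presumably an `authenticate_user!` before_action outside the hunk); without it an anonymous request raises NoMethodError instead of redirecting to sign-in. Minor: `render file:` on Rails before 6.1 wraps the static page in the application layout unless `layout: false` is passed, and `status: :not_found` is the idiomatic form. The enclosing method and the class body start before the hunk.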
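Review bot: The new example in the "form pages" context only pins the negative case; nothing here asserts that a log the user is allowed to see still renders with 200 after the switch from `CaseLog.find` to `current_user.case_logs.find_by`, so an over-narrow association (one covering owned but not managed logs, while the context name says both should be permitted) would pass this suite while silently 404ing legitimate users. Add a sibling context with an owned log and a managed-but-not-owned log, each expecting `have_http_status(:ok)`; `unauthorized_case_log` and `user` are `let`s defined outside the hunk, so similar fixtures may already exist. An unauthenticated request to the same path is also worth one example, since the controller hunk now dereferences `current_user` directly. `params: {}` on the `get` is redundant and can be dropped.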