From 1037014c6bfcb4a2327d3d96c22b4ca18a03e101 Mon Sep 17 00:00:00 2001
From: Kat
Date: Wed, 5 Jul 2023 12:57:22 +0100
Subject: [PATCH] Add auth to the path

---
 app/controllers/lettings_logs_controller.rb | 2 ++
 app/policies/lettings_log_policy.rb | 4 ++++
 spec/requests/lettings_logs_controller_spec.rb | 14 ++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/app/controllers/lettings_logs_controller.rb b/app/controllers/lettings_logs_controller.rb
index a98dbccba..2089b4aad 100644
--- a/app/controllers/lettings_logs_controller.rb
+++ b/app/controllers/lettings_logs_controller.rb
@@ -90,6 +90,8 @@ class LettingsLogsController < LogsController
   def delete_duplicates
     @log = LettingsLog.visible.find(params[:lettings_log_id])
+    authorize @log
+
     @duplicate_logs = LettingsLog.duplicate_logs_for_organisation(current_user.organisation, @log)
     render "logs/delete_duplicates"
   end
diff --git a/app/policies/lettings_log_policy.rb b/app/policies/lettings_log_policy.rb
index d9ac8a845..cd81c184d 100644
--- a/app/policies/lettings_log_policy.rb
+++ b/app/policies/lettings_log_policy.rb
@@ -21,4 +21,8 @@ class LettingsLogPolicy
     # Data providers can only delete the log if it is assigned to them
     log.created_by == user
   end
+
+  def delete_duplicates?
+    user.support? || log.owning_organisation == user.organisation || log.managing_organisation == user.organisation
+  end
 end
diff --git a/spec/requests/lettings_logs_controller_spec.rb b/spec/requests/lettings_logs_controller_spec.rb
index c1c7ebbcf..87750294d 100644
--- a/spec/requests/lettings_logs_controller_spec.rb
+++ b/spec/requests/lettings_logs_controller_spec.rb
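Review bot: `authorize @log` leaves the policy query implicit, so it reaches the new `delete_duplicates?` only because Pundit derives the query from the action name; naming it, `authorize @log, :delete_duplicates?`, makes the coupling to the policy visible and survives a rename of the action. Because `find` runs before authorization, a user outside both organisations receives the not-found response for an id that does not exist and the unauthorized response for one that does (the spec in this commit asserts `:unauthorized`), so the pair of responses reveals whether an id exists; if that matters for this application, render the same not-found response in both cases. The class enclosing `delete_duplicates` continues outside the hunk.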
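Review bot: The new `delete_duplicates?` carries no comment explaining the rule, while the method just above it (its header is outside the hunk) documents its reasoning inline; add `# Support users, and users of the log's owning or managing organisation, may review its duplicates` above the method and split the three-way `||` across one line per condition so each clause reads on its own. If `user.organisation` or either organisation on the log can be nil, the `==` comparisons would succeed on two nils and widen access; confirm neither side can be nil or compare on a required organisation only.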
@@ -1732,5 +1732,19 @@ RSpec.describe LettingsLogsController, type: :request do
       expect(response).to have_http_status(:not_found)
     end
   end
+
+  context "when user is not authorised" do
+    let(:other_user) { create(:user) }
+
+    before do
+      allow(other_user).to receive(:need_two_factor_authentication?).and_return(false)
+      sign_in other_user
+    end
+
+    it "returns 404" do
+      request
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
 end
 end
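Review bot: The new example is described as `it "returns 404" do` but asserts `have_http_status(:unauthorized)`, which is 401; align the two, `it "returns 401" do`, or change the expectation to `:not_found` if that is the intended handling of `Pundit::NotAuthorizedError`. The example also only proves the policy rejects this user if the `create(:user)` factory's default organisation differs from the log's owning and managing organisations, which this hunk does not show; consider making that explicit in the `let`. The `request` helper and the log under test are defined outside the hunk.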