Add auth to the path

app/controllers/lettings_logs_controller.rb

@@ -90,6 +90,8 @@ class LettingsLogsController < LogsController
 
   def delete_duplicates
     @log = LettingsLog.visible.find(params[:lettings_log_id])
+    authorize @log
+
     @duplicate_logs = LettingsLog.duplicate_logs_for_organisation(current_user.organisation, @log)
     render "logs/delete_duplicates"
   end

app/policies/lettings_log_policy.rb

@@ -21,4 +21,8 @@ class LettingsLogPolicy
     # Data providers can only delete the log if it is assigned to them
     log.created_by == user
   end
+
+  def delete_duplicates?
+    user.support? || log.owning_organisation == user.organisation || log.managing_organisation == user.organisation
+  end
 end

spec/requests/lettings_logs_controller_spec.rb

@@ -1732,5 +1732,19 @@ RSpec.describe LettingsLogsController, type: :request do
         expect(response).to have_http_status(:not_found)
       end
     end
+
+    context "when user is not authorised" do
+      let(:other_user) { create(:user) }
+
+      before do
+        allow(other_user).to receive(:need_two_factor_authentication?).and_return(false)
+        sign_in other_user
+      end
+
+      it "returns 404" do
+        request
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
   end
 end