From 987c31bd281971b2b343ad1d690f8992d9ddff96 Mon Sep 17 00:00:00 2001
From: Arthur Campbell
Date: Mon, 6 Mar 2023 14:24:35 +0000
Subject: [PATCH] ensure that non support users may not download codes only exports

---
 app/controllers/lettings_logs_controller.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/controllers/lettings_logs_controller.rb b/app/controllers/lettings_logs_controller.rb
index 1dc157086..e07878b0b 100644
--- a/app/controllers/lettings_logs_controller.rb
+++ b/app/controllers/lettings_logs_controller.rb
@@ -2,10 +2,16 @@ class LettingsLogsController < LogsController
   before_action :find_resource, except: %i[create index edit]
   before_action :session_filters, if: :current_user, only: %i[index email_csv download_csv]
   before_action :set_session_filters, if: :current_user, only: %i[index email_csv download_csv]
+  before_action :authenticate_scope!, only: %i[download_csv email_csv]
   before_action :extract_bulk_upload_from_session_filters, only: [:index]
   before_action :redirect_if_bulk_upload_resolved, only: [:index]
 
+  def authenticate_scope!
+    codes_only_export = codes_only_export?(params)
+    head :unauthorized and return unless current_user.support? || !codes_only_export
+  end
+
   def index
     respond_to do |format|
       format.html do