From 9f1de0fdaf806b81b52119ea671c73ef8067cf1f Mon Sep 17 00:00:00 2001
From: Manny Dinssa <44172848+Dinssa@users.noreply.github.com>
Date: Wed, 2 Oct 2024 12:13:25 +0100
Subject: [PATCH] Prevent downloading a bulk upload as a non-support user
---
 app/controllers/lettings_logs_controller.rb | 2 ++
 app/controllers/sales_logs_controller.rb | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/app/controllers/lettings_logs_controller.rb b/app/controllers/lettings_logs_controller.rb
index 4cba65332..0194946d4 100644
--- a/app/controllers/lettings_logs_controller.rb
+++ b/app/controllers/lettings_logs_controller.rb
@@ -135,6 +135,8 @@ class LettingsLogsController < LogsController
 end
 def download_bulk_upload
+ return render_not_authorized unless current_user.support?
+
 bulk_upload = BulkUpload.find(params[:id])
 downloader = BulkUpload::Downloader.new(bulk_upload:)
diff --git a/app/controllers/sales_logs_controller.rb b/app/controllers/sales_logs_controller.rb
index f8648f3ee..d1bbe3bc2 100644
--- a/app/controllers/sales_logs_controller.rb
+++ b/app/controllers/sales_logs_controller.rb
@@ -105,6 +105,8 @@ class SalesLogsController < LogsController
 end
 def download_bulk_upload
+ return render_not_authorized unless current_user.support?
+
 bulk_upload = BulkUpload.find(params[:id])
 downloader = BulkUpload::Downloader.new(bulk_upload:)
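Review bot: The same inline guard, `return render_not_authorized unless current_user.support?`, is pasted into `download_bulk_upload` in both `LettingsLogsController` and `SalesLogsController`, so the two copies can drift and a later bulk-upload action can be added without it. Both classes inherit from `LogsController`, so the check could live there once, for example `before_action :require_support_user, only: :download_bulk_upload` with a private `require_support_user` (name is a suggestion) that calls `render_not_authorized unless current_user.support?`. The guard also assumes `current_user` is never nil at this point; the authentication filter is not visible in either hunk, so confirm one runs before this action. The diffstat lists only the two controllers, so a request spec asserting that a non-support user gets the not-authorized response on both download routes would pin this fix against regression. The body of `download_bulk_upload` continues past the end of both hunks.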