diff --git a/app/controllers/form_controller.rb b/app/controllers/form_controller.rb
index 92b62a511..43a805d9f 100644
--- a/app/controllers/form_controller.rb
+++ b/app/controllers/form_controller.rb
@@ -108,17 +108,17 @@ private
 def find_resource
 @log = if params.key?("sales_log")
- current_user.sales_logs.find_by(id: params[:id])
+ current_user.sales_logs.visible.find_by(id: params[:id])
 else
- current_user.lettings_logs.find_by(id: params[:id])
+ current_user.lettings_logs.visible.find_by(id: params[:id])
 end
 end
 def find_resource_by_named_id
 @log = if params[:sales_log_id].present?
- current_user.sales_logs.find_by(id: params[:sales_log_id])
+ current_user.sales_logs.visible.find_by(id: params[:sales_log_id])
 else
- current_user.lettings_logs.find_by(id: params[:lettings_log_id])
+ current_user.lettings_logs.visible.find_by(id: params[:lettings_log_id])
 end
 end
diff --git a/spec/requests/form_controller_spec.rb b/spec/requests/form_controller_spec.rb
index 9787ce097..eb47fdb87 100644
--- a/spec/requests/form_controller_spec.rb
+++ b/spec/requests/form_controller_spec.rb
@@ -321,6 +321,23 @@ RSpec.describe FormController, type: :request do
 get "/sales-logs/#{log.id}/review", headers: headers, params: { sales_log: true }
 expect(response.body).to match("Review sales log")
 end
+
+ context "when log is pending" do
+ let(:pending_log) do
+ create(
+ :lettings_log,
+ owning_organisation: organisation,
+ created_by: user,
+ status: "pending",
+ skip_update_status: true,
+ )
+ end
+
+ it "does not render pending log and returns 404" do
+ get "/lettings-logs/#{pending_log.id}/review", headers: headers, params: {}
+ expect(response).to be_not_found
+ end
+ end
 end
 context "when viewing a user dependent page" do
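Review bot: The `.visible` scope is now repeated at four call sites across `find_resource` and `find_resource_by_named_id`, so a lookup added later without it would make pending logs reachable by direct id again. Choosing the association first and applying the scope once keeps the access rule in one place, e.g. `logs = params.key?("sales_log") ? current_user.sales_logs : current_user.lettings_logs` followed by `@log = logs.visible.find_by(id: params[:id])`. A short comment such as `# pending logs must not be addressable by id; a nil @log is expected to end in a 404` would record why the scope is there. What `visible` excludes and how a nil `@log` is turned into a response are both outside this hunk, so they are worth confirming against the scope definition and the filter chain. Any other controller that loads logs by id presumably needs the same scope.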
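Review bot: The new example covers only a pending lettings log on the `/review` route, while the controller change scopes four lookups (sales and lettings in both finders), so the other three have no regression test in this hunk. A sales counterpart would mirror it with `get "/sales-logs/#{pending_sales_log.id}/review", headers: headers, params: { sales_log: true }` and `expect(response).to be_not_found`, assuming the sales factory accepts the same `status: "pending"` and `skip_update_status: true` attributes. One request through a route served by the other finder would also help, since which finder `/review` uses is not visible here. The enclosing `describe` block starts and ends outside the hunk.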