From abd442d92042573beb9bf704b89f1716d147c49d Mon Sep 17 00:00:00 2001
From: Phil Lee
Date: Wed, 5 Apr 2023 11:21:39 +0100
Subject: [PATCH] form controller ignores hidden logs
---
 app/controllers/form_controller.rb | 8 ++++----
 spec/requests/form_controller_spec.rb | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/app/controllers/form_controller.rb b/app/controllers/form_controller.rb
index 92b62a511..43a805d9f 100644
--- a/app/controllers/form_controller.rb
+++ b/app/controllers/form_controller.rb
@@ -108,17 +108,17 @@ private
 def find_resource
 @log = if params.key?("sales_log")
- current_user.sales_logs.find_by(id: params[:id])
+ current_user.sales_logs.visible.find_by(id: params[:id])
 else
- current_user.lettings_logs.find_by(id: params[:id])
+ current_user.lettings_logs.visible.find_by(id: params[:id])
 end
 end
 def find_resource_by_named_id
 @log = if params[:sales_log_id].present?
- current_user.sales_logs.find_by(id: params[:sales_log_id])
+ current_user.sales_logs.visible.find_by(id: params[:sales_log_id])
 else
- current_user.lettings_logs.find_by(id: params[:lettings_log_id])
+ current_user.lettings_logs.visible.find_by(id: params[:lettings_log_id])
 end
 end
diff --git a/spec/requests/form_controller_spec.rb b/spec/requests/form_controller_spec.rb
index 9787ce097..eb47fdb87 100644
--- a/spec/requests/form_controller_spec.rb
+++ b/spec/requests/form_controller_spec.rb
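Review bot: The hidden-log filter is now repeated at four separate call sites in `find_resource` and `find_resource_by_named_id`, so a later lookup written directly against `current_user.sales_logs` or `current_user.lettings_logs` would make hidden logs reachable by id again without anything failing. Consider routing all four through one pair of private helpers, e.g. `def visible_sales_logs; current_user.sales_logs.visible; end` and the lettings equivalent, with a comment above `find_resource` such as `# Hidden logs must not be reachable by id; every lookup here goes through .visible`. Both finders now leave `@log` as `nil` for a hidden log, and the code that turns that into a 404 is outside this hunk, so it is worth confirming that every action relying on these finders handles a nil `@log`.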
@@ -321,6 +321,23 @@ RSpec.describe FormController, type: :request do
 get "/sales-logs/#{log.id}/review", headers: headers, params: { sales_log: true }
 expect(response.body).to match("Review sales log")
 end
+
+ context "when log is pending" do
+ let(:pending_log) do
+ create(
+ :lettings_log,
+ owning_organisation: organisation,
+ created_by: user,
+ status: "pending",
+ skip_update_status: true,
+ )
+ end
+
+ it "does not render pending log and returns 404" do
+ get "/lettings-logs/#{pending_log.id}/review", headers: headers, params: {}
+ expect(response).to be_not_found
+ end
+ end
 end
 context "when viewing a user dependent page" do
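Review bot: The new example exercises only one of the four scoped lookups, a pending lettings log on the review route, so the sales branch and whichever finder this route does not use have no regression test and a dropped `.visible` there would go unnoticed. Add a mirrored example that creates a pending `:sales_log` (assuming that factory accepts the same `status` and `skip_update_status` attributes) and requests `get "/sales-logs/#{pending_log.id}/review", headers: headers, params: { sales_log: true }` followed by `expect(response).to be_not_found`. The enclosing `context` blocks begin outside this hunk, so the exact placement depends on lines not shown here.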