From 76e05d58b1fe05bde6abdb2f1083852f062fce04 Mon Sep 17 00:00:00 2001
From: Bertocq
Date: Mon, 8 Jan 2018 22:59:20 +0100
Subject: [PATCH] Return 404 status for non-published Budget access
Why: Non-admin users shouldn't be able to access, or know of the existence of a non-published Budget. How: Raising an ActionController::RoutingError (404 error) to simulate the same behaviour as accesing a non-existing Budget. We could have used CanCanCan abilities for this but then an user could be aware of existing but not published Budgets by trying different urls
---
app/controllers/budgets_controller.rb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/app/controllers/budgets_controller.rb b/app/controllers/budgets_controller.rb
index 2a53c410b..4f215c46f 100644
--- a/app/controllers/budgets_controller.rb
+++ b/app/controllers/budgets_controller.rb
@@ -1,5 +1,6 @@
 class BudgetsController < ApplicationController
 include FeatureFlags
+ include BudgetsHelper
 
 feature_flag :budgets
 load_and_authorize_resource
@@ -9,6 +10,7 @@ class BudgetsController < ApplicationController
 respond_to :html, :js
 
 def show
+ raise ActionController::RoutingError, 'Not Found' unless budget_published?(@budget)
 end
 
 def index
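Review bot: The new guard in `show` runs after `load_and_authorize_resource`, so if the `Ability` rules already deny `:read` on an unpublished budget, CanCan's `AccessDenied` handling (403 or redirect) fires before the 404 this commit aims for, which would recreate the existence oracle the description wants to close; worth confirming against the Ability class, which is outside this patch. The check also applies to every caller, so unless `budget_published?` (defined in `BudgetsHelper`, not shown here) already returns true for administrators, admins lose access to draft budgets as well, and that contract deserves a comment above the raise such as `# Unpublished budgets must be indistinguishable from missing ones for non-admins; budget_published? is expected to allow admins`. Since the stated intent is to mirror a missing record, `raise ActiveRecord::RecordNotFound` would match what `find` raises inside `load_and_authorize_resource` and also maps to 404, though `ActionController::RoutingError` works. Note that only `show` is guarded; `index` begins right after the hunk and, if its listing is not filtered elsewhere, would still reveal unpublished budgets.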