ministryofjustice · jsugarman · Nov 22, 2024
diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
@@ -45,7 +45,7 @@ def status_for(error_name)
   def supported_errors
     {
       page_not_found: :not_found,
-      access_denied: :ok,
+      access_denied: :forbidden,
       assessment_already_completed: :ok,
       internal_server_error: :internal_server_error,
     }

diff --git a/spec/requests/errors_controller_spec.rb b/spec/requests/errors_controller_spec.rb
@@ -57,7 +57,7 @@
     let(:get_invalid_id) { get feedback_path(SecureRandom.uuid) }
 
     before do
-      allow(Feedback).to receive(:find).and_raise { ArgumentError.new("dummy arg to emulate 500 internal server error") }
+      allow(Feedback).to receive(:find).and_raise { ArgumentError.new("dummy error to emulate 500 internal server error") }
     end
 
     context "with default locale" do
@@ -81,6 +81,27 @@
     end
   end
 
+  context "when access denied/403 due to attempt to access another providers application" do
+    let(:not_their_application) { create(:legal_aid_application, provider: create(:provider)) }
+    let(:get_unauthorized) { get providers_legal_aid_application_previous_references_path(not_their_application) }
+
+    before do
+      sign_in create(:provider)
+      get_unauthorized
+      follow_redirect! # required because currently handled via a redirect
+    end
+
+    context "with default locale" do
+      it "responds with expected http status" do
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it "renders access denied" do
+        expect(response).to render_template("errors/show/_access_denied")
+      end
+    end
+  end
+
   describe "GET /error/page_not_found" do
     subject(:get_error) { get error_path(:page_not_found) }
 
@@ -141,9 +162,9 @@
   describe "GET /error/access_denied" do
     subject(:get_error) { get error_path(:access_denied) }
 
-    it "responds with ok/200 status" do
+    it "responds with forbidden/403 status" do
       get_error
-      expect(response).to have_http_status(:ok)
+      expect(response).to have_http_status(:forbidden)
     end
 
     it "renders assessment_already_completed" do