Add more specs, fix code

app/policies/membership_application_policy.rb

@@ -2,7 +2,10 @@
 
 class MembershipApplicationPolicy < ApplicationPolicy
   def show?
-    record.account.in? [context.account, context.guest_account]
+    return false if context.guest_account.nil?
+
+    context.guest_account.is_superuser? ||
+      record.account == context.guest_account
   end
 
   def create?

factories/accounts.rb

@@ -6,4 +6,10 @@ FactoryBot.define do
   factory :account_with_user, parent: :empty_account do
     association :user
   end
+
+  factory :superuser_account, parent: :account_with_user do
+    after :create do |account, _evaluator|
+      account.add_role :superuser
+    end
+  end
 end

spec/requests/membership_applications/show_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'GET /membership_applications/:id' do
+  let :membership_application do
+    create :membership_application, account: owner
+  end
+
+  let(:owner) { create :account_with_user }
+
+  before do
+    sign_in current_account&.user if current_account&.user
+    get "/membership_applications/#{membership_application.id}"
+  end
+
+  context 'when owner is authenticated' do
+    let(:current_account) { owner }
+
+    specify do
+      expect(response).to have_http_status :ok
+    end
+  end
+
+  context 'when no account is authenticated' do
+    let(:current_account) { nil }
+
+    specify do
+      expect(response).to have_http_status :unauthorized
+    end
+  end
+
+  context 'when unauthorized account is authenticated' do
+    let(:current_account) { create :account_with_user }
+
+    specify do
+      expect(response).to have_http_status :unauthorized
+    end
+  end
+
+  context 'when superuser account is authenticated' do
+    let(:current_account) { create :superuser_account }
+
+    specify do
+      expect(response).to have_http_status :ok
+    end
+  end
+end