From b7ed7563bd410fb3914e24b81f2d57d1ff1db062 Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Wed, 12 Dec 2018 07:19:51 +0500
Subject: [PATCH] Do not allow superuser to see membership app

---
 app/policies/membership_app_policy.rb      | 3 +--
 spec/requests/membership_apps/show_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/policies/membership_app_policy.rb b/app/policies/membership_app_policy.rb
index a3be3a1..120aeda 100644
--- a/app/policies/membership_app_policy.rb
+++ b/app/policies/membership_app_policy.rb
@@ -4,8 +4,7 @@ class MembershipAppPolicy < ApplicationPolicy
   def show?
     return false if context.guest_account.nil?
 
-    context.guest_account.is_superuser? ||
-      record.account == context.guest_account
+    record.account == context.guest_account
   end
 
   def create?
diff --git a/spec/requests/membership_apps/show_spec.rb b/spec/requests/membership_apps/show_spec.rb
index 6cc5557..0205f87 100644
--- a/spec/requests/membership_apps/show_spec.rb
+++ b/spec/requests/membership_apps/show_spec.rb
@@ -50,7 +50,7 @@ RSpec.describe 'GET /membership_apps/:id' do
     let(:current_account) { create :superuser_account }
 
     specify do
-      expect(response).to have_http_status :ok
+      expect(response).to have_http_status :unauthorized
     end
   end
 end
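Review bot: The intent behind dropping `is_superuser?` from `show?` is not recorded in the code, and a later reader will see an owner-only check that looks like an oversight rather than a deliberate narrowing; a one-line comment above the method, `# Only the applicant may view their own application; superusers are intentionally not exempted.`, would pin the decision the commit message describes. The `return false if context.guest_account.nil?` guard is still needed after this change, since without it a record whose `account` is nil would presumably compare equal to a nil guest account and grant access — a comment such as `# Guard first: a nil guest_account must never match a nil record.account.` would explain why it stays. `create?` begins at the end of the hunk and its body is outside it, so whether the other predicates of this policy still grant superusers access, and whether that is consistent with this change, cannot be seen here.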
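Review bot: The new expectation `have_http_status :unauthorized` asserts a 401 for an account that is authenticated (`create :superuser_account` is the current account) but merely not permitted, and 401 conventionally signals missing or invalid credentials while 403 `:forbidden` signals an authenticated caller being denied; if the application maps policy denials to 401 this is consistent with the app, but it is worth confirming against the status the other denied-access examples in this describe block expect, and against how the app rescues the policy failure, so that a denied superuser and an anonymous visitor are not reported identically. The `specify` example lies wholly inside the hunk, but the surrounding `context` and the describe block's `subject`/`before` that issue the request are outside it.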