Cross-org access to court date URL doesn't redirect with proper authorization message #6914

@compwron

Description

Background

`spec/system/court_dates/view_spec.rb:70` has a disabled spec with an inline product-bug TODO:

```ruby
# casa_case and court_date are `let`s defined earlier in the file
# (this excerpt begins at spec/system/court_dates/view_spec.rb:70).
context "as a user from an organization not containing the court date" do
  let(:other_organization) { create(:casa_org) }

  xit "does not allow the user to view the court date" do
    # TODO the app or browser can't gracefully handle the URL
    sign_in create(:casa_admin, casa_org: other_organization)
    visit casa_case_court_date_path(casa_case, court_date)

    expect(page).to have_text "Sorry, you are not authorized to perform this action."
  end
end
```

The expected behavior: a CASA admin from a different org who visits a court date URL should get the Pundit "Sorry, you are not authorized" flash + redirect.

The actual behavior (per the TODO): "the app or browser can't gracefully handle the URL" — likely a raw 404, an exception, or a non-Pundit failure mode.

Why it matters

This is a multi-tenancy correctness bug. Same class of issue as #6894 / fe2cec1 (ContactTypeGroup cross-org leak). With `policy_scope` enforcement on `:index` actions now in place, the `:show` action for court dates needs equivalent handling.

Investigation steps

  1. Reproduce: as a casa_admin in Org A, try `/casa_cases/:id/court_dates/:id` for a court date in Org B. What happens today?
  2. Check `CourtDatePolicy` — is `show?` defined and scoped by `casa_org`?
  3. Check `CourtDatesController#show` — does the `find` happen scoped to `current_organization`, or is it a raw `CourtDate.find` that returns the cross-org record before Pundit can refuse?
  4. The fix is likely to scope the lookup (`current_organization.casa_cases.find(...).court_dates.find(...)`) so the authorization failure mode is consistent with what the spec expects.

Acceptance criteria

  • Cross-org access to a court date URL produces the "Sorry, you are not authorized" flash + redirect (consistent with the in-org volunteer-not-assigned-to-case case at `spec/system/court_dates/view_spec.rb:83`).
  • The disabled spec is re-enabled (`xit` → `it`) and passes.
  • The TODO comment is removed.
  • Audit sibling controllers (`CaseContactsController`, `CourtReportsController`, etc.) for the same gap and file follow-ups if found.
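The investigation steps and acceptance criteria above describe two separate controls: the lookup (unscoped `CourtDate.find` versus a lookup walked down from `current_organization`) and the policy (`show?` with or without an org comparison). The following is an added, plain-Ruby model of those four combinations; it is not code from the casa project. The `User`/`CasaCase`/`CourtDate` structs, the ids, the `RoleOnlyPolicy`/`OrgAwarePolicy` names, and the assumption that the app rescues both a not-found and a Pundit denial into the same "Sorry, you are not authorized" flash + redirect are all illustrative assumptions, not the app's real behaviour.

```ruby
# Added example (not the casa project's own code): a plain-Ruby model of the
# two court-date lookup strategies from the investigation steps, run beside a
# role-only policy and an org-aware policy. Class names, ids and the rescue
# mapping are assumptions for illustration.

NotFound      = Class.new(StandardError)  # stands in for ActiveRecord::RecordNotFound
NotAuthorized = Class.new(StandardError)  # stands in for Pundit::NotAuthorizedError

User      = Struct.new(:id, :casa_org_id, :role)
CasaCase  = Struct.new(:id, :casa_org_id)
CourtDate = Struct.new(:id, :casa_case_id)

# Constructed fixture: Org 1 and Org 2 each own one case with one court date.
CASES       = { 10 => CasaCase.new(10, 1), 20 => CasaCase.new(20, 2) }.freeze
COURT_DATES = { 100 => CourtDate.new(100, 10), 200 => CourtDate.new(200, 20) }.freeze

# Unscoped lookup (the suspected defect from step 3): the equivalent of
# CourtDate.find, which returns the record whatever org owns it.
def find_court_date_unscoped(court_date_id)
  COURT_DATES.fetch(court_date_id) { raise NotFound, "court_date #{court_date_id}" }
end

# Tenant-scoped lookup (the proposed fix from step 4): the equivalent of
# current_organization.casa_cases.find(case_id).court_dates.find(date_id).
# A record outside the caller's org is never materialised at all.
def find_court_date_scoped(current_org_id, casa_case_id, court_date_id)
  casa_case = CASES[casa_case_id]
  raise NotFound, "casa_case #{casa_case_id}" unless casa_case&.casa_org_id == current_org_id
  court_date = COURT_DATES[court_date_id]
  raise NotFound, "court_date #{court_date_id}" unless court_date&.casa_case_id == casa_case.id
  court_date
end

# Two Pundit-style policies. RoleOnlyPolicy is the gap step 2 asks you to look
# for: show? is answered from the role alone. OrgAwarePolicy also compares orgs.
class RoleOnlyPolicy
  def initialize(user, court_date)
    @user = user
    @court_date = court_date
  end

  def show?
    %i[casa_admin supervisor volunteer].include?(@user.role)
  end
end

class OrgAwarePolicy < RoleOnlyPolicy
  def show?
    super && @user.casa_org_id == CASES.fetch(@court_date.casa_case_id).casa_org_id
  end
end

DENIED = { status: :redirect,
           flash: "Sorry, you are not authorized to perform this action." }.freeze

# Controller-shaped show action. ASSUMPTION: the app rescues both NotFound and
# NotAuthorized into the same flash + redirect, which is what the spec expects.
def show_court_date(user, casa_case_id, court_date_id, policy:, scoped:)
  court_date =
    if scoped
      find_court_date_scoped(user.casa_org_id, casa_case_id, court_date_id)
    else
      find_court_date_unscoped(court_date_id)
    end
  raise NotAuthorized unless policy.new(user, court_date).show?
  { status: :ok, court_date_id: court_date.id }
rescue NotFound, NotAuthorized
  DENIED
end

# Reproduction matrix for the disabled spec's scenario: an Org 1 casa_admin
# requesting Org 2's court date 200 under case 20, plus an in-org control.
def cross_org_matrix
  admin_a = User.new(1, 1, :casa_admin)
  {
    unscoped_role_only: show_court_date(admin_a, 20, 200, policy: RoleOnlyPolicy, scoped: false),
    unscoped_org_aware: show_court_date(admin_a, 20, 200, policy: OrgAwarePolicy, scoped: false),
    scoped_role_only:   show_court_date(admin_a, 20, 200, policy: RoleOnlyPolicy, scoped: true),
    scoped_org_aware:   show_court_date(admin_a, 20, 200, policy: OrgAwarePolicy, scoped: true),
    in_org_control:     show_court_date(admin_a, 10, 100, policy: OrgAwarePolicy, scoped: true)
  }
end

if __FILE__ == $PROGRAM_NAME
  cross_org_matrix.each { |name, result| puts "#{name}: #{result[:status]}" }
end
```

Only the unscoped lookup paired with a role-only policy leaks the cross-org record; every other combination denies, and the scoped lookup denies even when the policy is wrong. That is the argument for fixing the lookup in step 4 rather than relying on `show?` alone, and the same matrix is the check to run against each sibling controller in the audit.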
