From c1fb6893c5175d74c074f6f786d504c8bc610d57 Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 7 Jan 2026 14:15:14 +0100
Subject: [PATCH] Merge commit from fork
---
 .../severed_relationships_controller.rb | 2 +-
 spec/requests/severed_relationships_spec.rb | 27 +++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/app/controllers/severed_relationships_controller.rb b/app/controllers/severed_relationships_controller.rb
index 817abebf6..9371ebf7d 100644
--- a/app/controllers/severed_relationships_controller.rb
+++ b/app/controllers/severed_relationships_controller.rb
@@ -26,7 +26,7 @@ class SeveredRelationshipsController < ApplicationController
 private
 def set_event
- @event = AccountRelationshipSeveranceEvent.find(params[:id])
+ @event = AccountRelationshipSeveranceEvent.where(account: current_account).find(params[:id])
 end
 def following_data
diff --git a/spec/requests/severed_relationships_spec.rb b/spec/requests/severed_relationships_spec.rb
index ac98ab8f9..e0116120c 100644
--- a/spec/requests/severed_relationships_spec.rb
+++ b/spec/requests/severed_relationships_spec.rb
@@ -3,9 +3,10 @@
 require 'rails_helper'
 RSpec.describe 'Severed Relationships' do
- let(:account_rs_event) { Fabricate :account_relationship_severance_event }
+ let(:account_rs_event) { Fabricate(:account_relationship_severance_event) }
+ let(:user) { account_rs_event.account.user }
- before { sign_in Fabricate(:user) }
+ before { sign_in user }
 describe 'GET /severed_relationships/:id/following' do
 it 'returns a CSV file with correct data' do
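Review bot: The account scope added to the lookup in `set_event` (app/controllers/severed_relationships_controller.rb) is the only ownership check visible for these CSV exports, and nothing marks it as one, so a later simplification back to a plain `find` would silently reopen access to other accounts' events by id. I would put a comment above the line, e.g. `# Authorization: scope to the signed-in account so another account's event id raises RecordNotFound (404).` The query also depends on `current_account` being non-nil, since `where(account: nil)` would match rows whose account is NULL; that presumably relies on an authentication `before_action` earlier in the class, which is outside this hunk and worth confirming.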
@@ -22,6 +23,17 @@ RSpec.describe 'Severed Relationships' do
 expect(response.body)
 .to include('Account address')
 end
+
+ context 'when the user is not the subject of the event' do
+ let(:user) { Fabricate(:user) }
+
+ it 'returns a 404' do
+ get following_severed_relationship_path(account_rs_event, format: :csv)
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
 end
 describe 'GET /severed_relationships/:id/followers' do
@@ -39,5 +51,16 @@ RSpec.describe 'Severed Relationships' do
 expect(response.body)
 .to include('Account address')
 end
+
+ context 'when the user is not the subject of the event' do
+ let(:user) { Fabricate(:user) }
+
+ it 'returns a 404' do
+ get followers_severed_relationship_path(account_rs_event, format: :csv)
+
+ expect(response)
+ .to have_http_status(404)
+ end
+ end
 end
 end
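Review bot: The new negative case in the `following` block, and its twin in the `followers` hunk that follows, asserts only the status code, so nothing pins that the response carries no export data for a user who is not the subject of the event. Adding `expect(response.body).not_to include('Account address')` next to the status check would make the regression test cover the disclosure itself rather than just the HTTP code. The two contexts differ only in the path helper, so a shared example that takes the path would keep them from drifting apart. Neither hunk exercises the signed-out case; whether that is covered elsewhere in the spec is not visible here.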