Don't allow users who voted in a booth to vote via web

For the longest time, we've disabled the buttons to vote via web when
people had already voted in a booth. However, we were still allowing
HTTP requests to the actions to vote via web.

So we're adding a condition to prevent it.

The reason why we're changing the controller instead of the abilities
model (which is what we usually do) is that there might be side-effects
to the change. For instance, in the `Polls::PollComponent` class,
there's an `elsif cannot?(:answer, poll)` condition which would have a
different behavior if we changed the abilities model.

app/controllers/polls_controller.rb

@@ -23,6 +23,8 @@ class PollsController < ApplicationController
   end
 
   def answer
+    raise CanCan::AccessDenied if @poll.voted_in_booth?(current_user)
+
     @web_vote = Poll::WebVote.new(@poll, current_user)
 
     if @web_vote.update(answer_params)

spec/controllers/polls_controller_spec.rb

@@ -28,5 +28,18 @@ describe PollsController do
 
       expect(Poll::Answer.count).to eq 1
     end
+
+    it "denies access when users have already voted in a booth" do
+      poll = create(:poll)
+      user = create(:user, :level_two)
+      create(:poll_voter, :from_booth, poll: poll, user: user)
+
+      sign_in(user)
+
+      post :answer, params: { id: poll.id, web_vote: {}}
+
+      expect(response).to redirect_to "/"
+      expect(flash[:alert]).to eq "You do not have permission to access this page."
+    end
   end
 end