Restrict access to the "new" direct message action

This way only verified users will be able to access this page, which
shows the username of the receiver of the direct message. With this,
it's no longer possible for unverified users to browse direct message
URLs in order to collect usernames from every user.

app/controllers/direct_messages_controller.rb

@@ -1,8 +1,12 @@
 class DirectMessagesController < ApplicationController
+  before_action :authenticate_user!
   load_and_authorize_resource :user, instance_name: :receiver
-  load_and_authorize_resource through: :receiver, through_association: :direct_messages_received
+  load_resource through: :receiver, through_association: :direct_messages_received
+  authorize_resource except: :new
 
   def new
+    authorize! :new, @direct_message, message: t("users.direct_messages.new.verified_only",
+                                                 verify_account: helpers.link_to_verify_account)
   end
 
   def create

app/models/abilities/everyone.rb

@@ -18,7 +18,6 @@ module Abilities
       can :read_results, Budget, id: Budget.finished.results_enabled.ids
       can :read_stats, Budget, id: Budget.valuating_or_later.stats_enabled.ids
       can :read_executions, Budget, phase: "finished"
-      can :new, DirectMessage
       can [:read, :debate, :draft_publication, :allegations, :result_publication,
            :proposals, :milestones], Legislation::Process, published: true
       can :summary, Legislation::Process,

app/views/direct_messages/new.html.erb

@@ -6,21 +6,7 @@
       <%= t("users.direct_messages.new.title", receiver: @receiver.name) %>
     </h1>
 
-    <% if not current_user %>
+    <% if @receiver.email_on_direct_message? %>
-      <div class="callout primary">
-        <p>
-          <%= sanitize(t("users.login_to_continue",
-                         signin: link_to_signin,
-                         signup: link_to_signup)) %>
-        </p>
-      </div>
-    <% elsif not @receiver.email_on_direct_message? %>
-      <div class="callout primary">
-        <p>
-          <%= t("users.direct_messages.new.direct_messages_bloqued") %>
-        </p>
-      </div>
-    <% elsif can? :create, @direct_message %>
       <%= form_for [@receiver, @direct_message] do |f| %>
         <%= render "shared/errors", resource: @direct_message %>
 
@@ -32,10 +18,9 @@
         </div>
       <% end %>
     <% else %>
-      <div class="callout warning">
+      <div class="callout primary">
         <p>
-          <%= sanitize(t("users.direct_messages.new.verified_only",
+          <%= t("users.direct_messages.new.direct_messages_bloqued") %>
-                         verify_account: link_to_verify_account)) %>
         </p>
       </div>
     <% end %>

spec/models/abilities/common_spec.rb

@@ -92,7 +92,7 @@ describe Abilities::Common do
   it { should_not be_able_to(:comment_as_administrator, proposal) }
   it { should_not be_able_to(:comment_as_moderator, proposal)     }
 
-  it { should     be_able_to(:new,    DirectMessage) }
+  it { should_not be_able_to(:new,    DirectMessage) }
   it { should_not be_able_to(:create, DirectMessage) }
   it { should_not be_able_to(:show,   DirectMessage) }
 

spec/system/direct_messages_spec.rb

@@ -54,7 +54,7 @@ describe "Direct messages" do
       visit new_user_direct_message_path(receiver)
 
       expect(page).to have_content "To send a private message verify your account"
-      expect(page).not_to have_link "Send private message"
+      expect(page).to have_current_path root_path
     end
 
     scenario "User not logged in" do
@@ -62,8 +62,8 @@ describe "Direct messages" do
 
       visit new_user_direct_message_path(receiver)
 
-      expect(page).to have_content "You must sign in or sign up to continue."
+      expect(page).to have_content "You must sign in or register to continue."
-      expect(page).not_to have_link "Send private message"
+      expect(page).to have_current_path new_user_session_path
     end
 
     scenario "Accessing form directly" do