Fix admin permissions for finished budgets

Although we weren't showing links in the views to execute certain actions, forms could be still sent using a PUT/PATCH pull request to the controller actions.
2019-11-06 14:43:54 +01:00
parent 450c5feb5e
commit 6bbfb55586
6 changed files with 73 additions and 50 deletions
--- a/app/controllers/admin/budget_investments_controller.rb
+++ b/app/controllers/admin/budget_investments_controller.rb
@@ -31,6 +31,7 @@ class Admin::BudgetInvestmentsController < Admin::BaseController
  end

  def edit
+    authorize! :admin_update, @investment
    load_staff
    load_valuator_groups
    load_tags
@@ -52,6 +53,7 @@ class Admin::BudgetInvestmentsController < Admin::BaseController
  end

  def toggle_selection
+    authorize! :toggle_selection, @investment
    @investment.toggle :selected
    @investment.save!
    load_investments
--- a/app/models/abilities/administrator.rb
+++ b/app/models/abilities/administrator.rb
@@ -64,7 +64,9 @@ module Abilities
      can [:read, :create, :update, :destroy], Budget::Heading
      can [:hide, :admin_update, :toggle_selection], Budget::Investment
      can [:valuate, :comment_valuation], Budget::Investment
-      cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" }
+      cannot [:admin_update, :toggle_selection, :valuate, :comment_valuation],
+        Budget::Investment, budget: { phase: "finished" }
+
      can :create, Budget::ValuatorAssignment

      can :read_admin_stats, Budget, &:balloting_or_later?
--- a/app/views/admin/budget_investments/_select_investment.html.erb
+++ b/app/views/admin/budget_investments/_select_investment.html.erb
@@ -61,30 +61,34 @@

 <td id="selection" class="small text-center" data-field="selected">
  <% if investment.selected? %>
-      <%= link_to_unless investment.budget.finished?,
+      <%= link_to_if can?(:toggle_selection, investment),
                     t("admin.budget_investments.index.selected"),
-                         toggle_selection_admin_budget_budget_investment_path(@budget,
+                     toggle_selection_admin_budget_budget_investment_path(
+                       @budget,
                       investment,
                       filter: params[:filter],
                       sort_by: params[:sort_by],
                       min_total_supports: params[:min_total_supports],
                       max_total_supports: params[:max_total_supports],
                       advanced_filters: params[:advanced_filters],
-                                                                              page: params[:page]),
+                       page: params[:page]
+                     ),
                     method: :patch,
                     remote: true,
                     class: "button small expanded" %>
  <% elsif investment.feasible? && investment.valuation_finished? %>
-    <% unless investment.budget.finished? %>
+    <% if can?(:toggle_selection, investment) %>
      <%= link_to t("admin.budget_investments.index.select"),
-                  toggle_selection_admin_budget_budget_investment_path(@budget,
+                  toggle_selection_admin_budget_budget_investment_path(
+                    @budget,
                    investment,
                    filter: params[:filter],
                    sort_by: params[:sort_by],
                    min_total_supports: params[:min_total_supports],
                    max_total_supports: params[:max_total_supports],
                    advanced_filters: params[:advanced_filters],
-                                                                       page: params[:page]),
+                    page: params[:page]
+                  ),
                  method: :patch,
                  remote: true,
                  class: "button small hollow expanded" %>
--- a/app/views/admin/budget_investments/show.html.erb
+++ b/app/views/admin/budget_investments/show.html.erb
@@ -6,15 +6,17 @@
 <%= render "written_by_author" %>

 <h2 class="inline-block"><%= t("admin.budget_investments.show.preview") %></h2>
-<div class="float-right">
+<% if can?(:admin_update, @investment) %>
+  <div class="float-right">
    <%= link_to t("admin.budget_investments.show.edit"),
                edit_admin_budget_budget_investment_path(
                  @budget,
                  @investment,
                  Budget::Investment.filter_params(params).to_h
                ),
-              class: "button hollow" unless @budget.finished? %>
-</div>
+                class: "button hollow" %>
+  </div>
+<% end %>

 <hr>
 <%= render "/budgets/investments/investment_detail", investment: @investment, preview: true %>
@@ -50,19 +52,26 @@
  <% end %>
 </p>

-<p>
+<% if can?(:admin_update, @investment) %>
+  <p>
    <%= link_to t("admin.budget_investments.show.edit_classification"),
-                edit_admin_budget_budget_investment_path(@budget, @investment,
-                                                  { anchor: "classification" }.merge(Budget::Investment.filter_params(params).to_h)) unless @budget.finished? %>
-</p>
+                edit_admin_budget_budget_investment_path(
+                  @budget,
+                  @investment,
+                  { anchor: "classification" }.merge(Budget::Investment.filter_params(params).to_h)
+                ) %>
+  </p>
+<% end %>

 <hr>

 <h2><%= t("admin.budget_investments.show.dossier") %></h2>
 <%= render "valuation/budget_investments/dossier" %>
-<p>
-  <%= link_to t("admin.budget_investments.show.edit_dossier"), edit_valuation_budget_budget_investment_path(@budget, @investment) unless @budget.finished? %>
-</p>
+<% if can?(:valuate, @investment) %>
+  <p>
+    <%= link_to t("admin.budget_investments.show.edit_dossier"), edit_valuation_budget_budget_investment_path(@budget, @investment) %>
+  </p>
+<% end %>

 <%= render "valuation/budget_investments/valuation_comments" %>

--- a/app/views/valuation/budget_investments/show.html.erb
+++ b/app/views/valuation/budget_investments/show.html.erb
@@ -3,15 +3,17 @@
 <br>

 <h2 class="inline-block"><%= t("admin.budget_investments.show.preview") %></h2>
-<div class="float-right">
+<% if can?(:valuate, @investment) %>
+  <div class="float-right">
    <%= link_to t("admin.budget_investments.show.edit"),
                edit_valuation_budget_budget_investment_path(
                  @budget,
                  @investment,
                  Budget::Investment.filter_params(params)
                ),
-              class: "button hollow" unless @budget.finished? %>
-</div>
+                class: "button hollow" %>
+  </div>
+<% end %>

 <hr>
 <%= render "/budgets/investments/investment_detail", investment: @investment, preview: true %>
--- a/spec/models/abilities/administrator_spec.rb
+++ b/spec/models/abilities/administrator_spec.rb
@@ -15,6 +15,7 @@ describe Abilities::Administrator do
  let(:comment) { create(:comment) }
  let(:proposal) { create(:proposal, author: user) }
  let(:budget_investment) { create(:budget_investment) }
+  let(:finished_investment) { create(:budget_investment, budget: create(:budget, :finished)) }
  let(:legislation_question) { create(:legislation_question) }
  let(:poll_question) { create(:poll_question) }

@@ -77,7 +78,10 @@ describe Abilities::Administrator do
  it { should be_able_to(:hide, Budget::Investment) }

  it { should be_able_to(:valuate, create(:budget_investment, budget: create(:budget, :valuating))) }
-  it { should be_able_to(:valuate, create(:budget_investment, budget: create(:budget, :finished))) }
+  it { should_not be_able_to(:admin_update, finished_investment) }
+  it { should_not be_able_to(:valuate, finished_investment) }
+  it { should_not be_able_to(:comment_valuation, finished_investment) }
+  it { should_not be_able_to(:toggle_selection, finished_investment) }

  it { should be_able_to(:destroy, proposal_image) }
  it { should be_able_to(:destroy, proposal_document) }