From 53670602e06427075471fa9221849d286d159097 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Fri, 20 Sep 2019 12:39:33 +0200
Subject: [PATCH] Allow managers to read investment suggestions When creating a budget investment with an unverified manager (for example, a manager who isn't part of the local census), there's a request to `Budgets::InvestmentsController#suggest`. Since the manager isn't verified, suggestions can't be obtained. There are serveral ways to fix this problem: * Add a `suggest` action to Management::Budgets::InvestmentsController, doing the same thing the main `suggest` action does. * Give unverified users permission to access investment suggestions * Give managers permission to access investment suggestions I've chosen the last one because I thought it was simple and only changed existing behaviour for managers, but any other solution would be as valid. I haven't added the `phase: "accepting"` condition to keep it simple, since a read-only action like this one in the management portal isn't gonna create security risks.
---
 app/models/abilities/manager.rb | 11 +++++++++
 app/models/ability.rb | 2 ++
 .../management/budget_investments_spec.rb | 23 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 app/models/abilities/manager.rb
diff --git a/app/models/abilities/manager.rb b/app/models/abilities/manager.rb
new file mode 100644
index 000000000..221a49003
--- /dev/null
+++ b/app/models/abilities/manager.rb
@@ -0,0 +1,11 @@
+module Abilities
+ class Manager
+ include CanCan::Ability
+
+ def initialize(user)
+ merge Abilities::Common.new(user)
+
+ can :suggest, Budget::Investment
+ end
+ end
+end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index fe02c57b6..dac06ea3f 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
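Review bot: In `Abilities::Manager#initialize` (app/models/abilities/manager.rb), `can :suggest, Budget::Investment` carries no conditions, and because `Ability` merges this class for any user whose `manager?` is true, the grant is not confined to the management portal; it applies wherever `:suggest` is authorized against a `Budget::Investment`. The commit message says the `phase: "accepting"` condition was left out on purpose, so the rule presumably covers budgets in every phase; whether that exposes investment titles from budgets that are not yet public depends on the controller's own scoping, which is not visible here. I would keep the grant as narrow as the use case needs, `can :suggest, Budget::Investment, budget: { phase: "accepting" }`, or at least record the decision above the rule: `# Unverified managers need suggestions while creating investments in the management portal; read-only, so no phase condition.`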
@@ -14,6 +14,8 @@ class Ability
 merge Abilities::Administrator.new(user)
 elsif user.moderator?
 merge Abilities::Moderator.new(user)
+ elsif user.manager?
+ merge Abilities::Manager.new(user)
 else
 merge Abilities::Common.new(user)
 end
diff --git a/spec/features/management/budget_investments_spec.rb b/spec/features/management/budget_investments_spec.rb
index 9e53da5a3..d345af143 100644
--- a/spec/features/management/budget_investments_spec.rb
+++ b/spec/features/management/budget_investments_spec.rb
@@ -94,6 +94,29 @@ describe "Budget Investments" do
 expect(page).to have_content "User is not verified"
 end
+
+ scenario "Shows suggestions to unverified managers", :js do
+ expect(manager.user.level_two_or_three_verified?).to be false
+
+ create(:budget_investment, budget: budget, title: "More parks")
+ create(:budget_investment, budget: budget, title: "No more parks")
+ create(:budget_investment, budget: budget, title: "Plant trees")
+ login_managed_user(create(:user, :level_two))
+
+ click_link "Create budget investment"
+ within "#budget_#{budget.id}" do
+ click_link "Create budget investment"
+ end
+
+ fill_in "Title", with: "Park"
+ fill_in_ckeditor "Description", with: "Wish I had one"
+
+ within(".js-suggest") do
+ expect(page).to have_content "More parks"
+ expect(page).to have_content "No more parks"
+ expect(page).not_to have_content "Plant trees"
+ end
+ end
 end
 context "Searching" do
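Review bot: The new `elsif user.manager?` branch in app/models/ability.rb sits after the administrator and moderator branches, so a user who holds the manager role together with either of those never reaches `Abilities::Manager` and does not get its `:suggest` rule. Whether `Abilities::Administrator` or `Abilities::Moderator` already allow `:suggest` is not visible in this hunk, so this may or may not matter in practice. If roles can be combined, a comment stating the precedence would help, e.g. `# Role precedence: administrator > moderator > manager; only the first match is merged.`, and a spec with an unverified moderator who is also a manager would pin the behaviour. The `if` chain and the method it belongs to start and end outside the hunk.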
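Review bot: The added scenario in spec/features/management/budget_investments_spec.rb only exercises the allowed path, so nothing here fails if the `:suggest` rule is later widened or the manager branch starts matching other users. Since this commit changes authorization, I would add a counterpart for the denial side, for example that an unverified user without the manager role still gets no suggestions, plus an ability-level example such as `it { should be_able_to(:suggest, Budget::Investment) }` for a manager. The precondition `expect(manager.user.level_two_or_three_verified?).to be false` is a useful guard and worth keeping. The enclosing `describe` and `context` blocks start and end outside the hunk.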