diff --git a/app/controllers/valuation/budget_investments_controller.rb b/app/controllers/valuation/budget_investments_controller.rb index 6fe23df54..f1ff5d834 100644 --- a/app/controllers/valuation/budget_investments_controller.rb +++ b/app/controllers/valuation/budget_investments_controller.rb @@ -4,9 +4,9 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController feature_flag :budgets + before_action :load_budget before_action :restrict_access_to_assigned_items, only: [:show, :edit, :valuate] before_action :restrict_access, only: [:edit, :valuate] - before_action :load_budget before_action :load_investment, only: [:show, :edit, :valuate] has_orders %w[oldest], only: [:show, :edit] @@ -110,7 +110,7 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController end def restrict_access - unless current_user.administrator? || current_budget.valuating? + unless current_user.administrator? || @budget.valuating? raise CanCan::AccessDenied, I18n.t("valuation.budget_investments.not_in_valuating_phase") end end diff --git a/spec/system/valuation/budget_investments_spec.rb b/spec/system/valuation/budget_investments_spec.rb index 69a5188d0..e02ea6b5d 100644 --- a/spec/system/valuation/budget_investments_spec.rb +++ b/spec/system/valuation/budget_investments_spec.rb @@ -501,6 +501,17 @@ describe "Valuation budget investments" do expect(page).to have_content("Investments can only be valuated when Budget is in valuating phase") end + scenario "restric access to the budget given by params when is not in valuating phase" do + budget.update!(phase: "publishing_prices") + create(:budget, :valuating) + investment = create(:budget_investment, budget: budget, valuators: [valuator]) + + login_as(valuator.user) + visit edit_valuation_budget_budget_investment_path(budget, investment) + + expect(page).to have_content("Investments can only be valuated when Budget is in valuating phase") + end + scenario "visible to admins regardless of not being in valuating phase" do budget.update!(phase: "publishing_prices")