consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use abilities to allow toggling investment selection

Browse Source 
We were checking it in the view, meaning that it was possible to toggle
the selection by sending a custom request even when the investment
wasn't feasible.
This commit is contained in:
Javi Martín
2021-08-21 00:49:16 +02:00
parent 95f36ed52f
commit cf0d8258ed
4 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/components/admin/budget_investments/toggle_selection_component.html.erb
View File

@@ -1,4 +1,4 @@
<% if can?(:toggle_selection, investment) && investment.feasible? && investment.valuation_finished? %> <% if can?(:toggle_selection, investment) %>
<%= link_to text, path, method: :patch, remote: true, class: html_class %> <%= link_to text, path, method: :patch, remote: true, class: html_class %>
<% elsif selected? %> <% elsif selected? %>
<%= selected_text %> <%= selected_text %>

7
app/models/abilities/administrator.rb
View File

@@ -71,10 +71,13 @@ module Abilities
can [:read, :create, :update, :destroy], Budget::Group can [:read, :create, :update, :destroy], Budget::Group
can [:read, :create, :update, :destroy], Budget::Heading can [:read, :create, :update, :destroy], Budget::Heading
can [:hide, :admin_update, :toggle_selection], Budget::Investment can [:hide, :admin_update], Budget::Investment
can [:valuate, :comment_valuation], Budget::Investment can [:valuate, :comment_valuation], Budget::Investment
cannot [:admin_update, :toggle_selection, :valuate, :comment_valuation], cannot [:admin_update, :valuate, :comment_valuation],
Budget::Investment, budget: { phase: "finished" } Budget::Investment, budget: { phase: "finished" }
can :toggle_selection, Budget::Investment do |investment|
investment.feasible? && investment.valuation_finished? && !investment.budget.finished?
end
can :create, Budget::ValuatorAssignment can :create, Budget::ValuatorAssignment

15
spec/controllers/admin/budget_investments_controller_spec.rb
View File

@@ -37,4 +37,19 @@ describe Admin::BudgetInvestmentsController, :admin do
expect(response).not_to be_redirect expect(response).not_to be_redirect
end end
end end
describe "PATCH toggle selection" do
it "uses the toggle_selection authorization rules" do
investment = create(:budget_investment)
patch :toggle_selection, xhr: true, params: {
id: investment,
budget_id: investment.budget,
}
expect(flash[:alert]).to eq "You do not have permission to carry out the action " \
"'toggle_selection' on Investment."
expect(investment).not_to be_selected
end
end
end end

4
spec/models/abilities/administrator_spec.rb
View File

@@ -115,6 +115,10 @@ describe Abilities::Administrator do
it { should_not be_able_to(:admin_update, finished_investment) } it { should_not be_able_to(:admin_update, finished_investment) }
it { should_not be_able_to(:valuate, finished_investment) } it { should_not be_able_to(:valuate, finished_investment) }
it { should_not be_able_to(:comment_valuation, finished_investment) } it { should_not be_able_to(:comment_valuation, finished_investment) }
it { should be_able_to(:toggle_selection, create(:budget_investment, :feasible, :finished)) }
it { should_not be_able_to(:toggle_selection, create(:budget_investment, :feasible, :open)) }
it { should_not be_able_to(:toggle_selection, create(:budget_investment, :unfeasible, :finished)) }
it { should_not be_able_to(:toggle_selection, finished_investment) } it { should_not be_able_to(:toggle_selection, finished_investment) }
it { should be_able_to(:destroy, proposal_image) } it { should be_able_to(:destroy, proposal_image) }