Use abilities to allow toggling investment selection

We were checking it in the view, meaning that it was possible to toggle the selection by sending a custom request even when the investment wasn't feasible.
2021-08-21 00:49:16 +02:00
parent 95f36ed52f
commit cf0d8258ed
4 changed files with 25 additions and 3 deletions
--- a/app/components/admin/budget_investments/toggle_selection_component.html.erb
+++ b/app/components/admin/budget_investments/toggle_selection_component.html.erb
@@ -1,4 +1,4 @@
-<% if can?(:toggle_selection, investment) && investment.feasible? && investment.valuation_finished? %>
+<% if can?(:toggle_selection, investment) %>
  <%= link_to text, path, method: :patch, remote: true, class: html_class %>
 <% elsif selected? %>
  <%= selected_text %>
--- a/app/models/abilities/administrator.rb
+++ b/app/models/abilities/administrator.rb
@@ -71,10 +71,13 @@ module Abilities

      can [:read, :create, :update, :destroy], Budget::Group
      can [:read, :create, :update, :destroy], Budget::Heading
-      can [:hide, :admin_update, :toggle_selection], Budget::Investment
+      can [:hide, :admin_update], Budget::Investment
      can [:valuate, :comment_valuation], Budget::Investment
-      cannot [:admin_update, :toggle_selection, :valuate, :comment_valuation],
+      cannot [:admin_update, :valuate, :comment_valuation],
             Budget::Investment, budget: { phase: "finished" }
+      can :toggle_selection, Budget::Investment do |investment|
+        investment.feasible? && investment.valuation_finished? && !investment.budget.finished?
+      end

      can :create, Budget::ValuatorAssignment

--- a/spec/controllers/admin/budget_investments_controller_spec.rb
+++ b/spec/controllers/admin/budget_investments_controller_spec.rb
@@ -37,4 +37,19 @@ describe Admin::BudgetInvestmentsController, :admin do
      expect(response).not_to be_redirect
    end
  end
+
+  describe "PATCH toggle selection" do
+    it "uses the toggle_selection authorization rules" do
+      investment = create(:budget_investment)
+
+      patch :toggle_selection, xhr: true, params: {
+        id: investment,
+        budget_id: investment.budget,
+      }
+
+      expect(flash[:alert]).to eq "You do not have permission to carry out the action " \
+                                  "'toggle_selection' on Investment."
+      expect(investment).not_to be_selected
+    end
+  end
 end
--- a/spec/models/abilities/administrator_spec.rb
+++ b/spec/models/abilities/administrator_spec.rb
@@ -115,6 +115,10 @@ describe Abilities::Administrator do
  it { should_not be_able_to(:admin_update, finished_investment) }
  it { should_not be_able_to(:valuate, finished_investment) }
  it { should_not be_able_to(:comment_valuation, finished_investment) }
+
+  it { should be_able_to(:toggle_selection, create(:budget_investment, :feasible, :finished)) }
+  it { should_not be_able_to(:toggle_selection, create(:budget_investment, :feasible, :open)) }
+  it { should_not be_able_to(:toggle_selection, create(:budget_investment, :unfeasible, :finished)) }
  it { should_not be_able_to(:toggle_selection, finished_investment) }

  it { should be_able_to(:destroy, proposal_image) }