From d1d71f0044c4842e04f7d3eca409611d5092a00b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Tue, 5 Nov 2019 17:26:02 +0100
Subject: [PATCH] Don't allow valuation if cannot edit dossier

We were adding the condition to show the form in the view. However, that doesn't prevent users from sending a POST/PUT request to the controller action. We could add the condition to the controller as well, but since the `valuate` permission is only used in one place, it's easier to restrict that permission to valuators who can edit the dossier.
---
 app/models/abilities/administrator.rb | 1 -
 app/models/abilities/valuator.rb | 5 ++---
 app/views/valuation/budget_investments/edit.html.erb | 2 +-
 spec/models/abilities/valuator_spec.rb | 8 ++------
 4 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/app/models/abilities/administrator.rb b/app/models/abilities/administrator.rb
index 81f60b25e..c05dcec86 100644
--- a/app/models/abilities/administrator.rb
+++ b/app/models/abilities/administrator.rb
@@ -66,7 +66,6 @@ module Abilities
 can [:valuate, :comment_valuation], Budget::Investment
 cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" }
 can :create, Budget::ValuatorAssignment
- can [:edit_dossier], Budget::Investment
 can :read_admin_stats, Budget, &:balloting_or_later?
diff --git a/app/models/abilities/valuator.rb b/app/models/abilities/valuator.rb
index 6615df71a..8297513ea 100644
--- a/app/models/abilities/valuator.rb
+++ b/app/models/abilities/valuator.rb
@@ -7,17 +7,16 @@ module Abilities
 assigned_investment_ids = valuator.assigned_investment_ids
 can [:read], Budget::Investment, id: assigned_investment_ids
- can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
 if valuator.can_edit_dossier?
- can [:edit_dossier], Budget::Investment, id: assigned_investment_ids
+ can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
 end
 if valuator.can_comment?
 can [:comment_valuation], Budget::Investment, id: assigned_investment_ids
 end
- cannot [:valuate, :edit_dossier, :comment_valuation], Budget::Investment, budget: { phase: "finished" }
+ cannot [:valuate, :comment_valuation], Budget::Investment, budget: { phase: "finished" }
 end
 end
 end
diff --git a/app/views/valuation/budget_investments/edit.html.erb b/app/views/valuation/budget_investments/edit.html.erb
index 9ecf15796..f3543451b 100644
--- a/app/views/valuation/budget_investments/edit.html.erb
+++ b/app/views/valuation/budget_investments/edit.html.erb
@@ -4,7 +4,7 @@
 <% end %>
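Review bot: The added `can [:valuate]` rule inside `if valuator.can_edit_dossier?` only closes the POST/PUT path described in the commit message if the controller action actually authorizes `:valuate` before saving the dossier, and that controller is not part of this patch, so the ability spec alone does not prove the request-level fix. A request or controller spec that sends the dossier update as a valuator with `can_edit_dossier = false` and expects it to be refused would pin that behaviour. Since `:edit_dossier` is also dropped from both ability classes, any other `can?(:edit_dossier, …)` call left in the codebase now quietly returns false instead of failing, which is worth a grep before merging. The enclosing method in `Abilities::Valuator` begins before the hunk.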

<%= t("valuation.budget_investments.edit.dossier") %>

-<% if can?(:valuate, @investment) && can?(:edit_dossier, @investment) %>
+<% if can?(:valuate, @investment) %>
 <%= render "/valuation/budget_investments/dossier_form", investment: @investment %>
 <% else %>
 <%= render "/valuation/budget_investments/dossier_detail", investment: @investment %>
diff --git a/spec/models/abilities/valuator_spec.rb b/spec/models/abilities/valuator_spec.rb
index a4a337143..762d57513 100644
--- a/spec/models/abilities/valuator_spec.rb
+++ b/spec/models/abilities/valuator_spec.rb
@@ -22,20 +22,16 @@ describe Abilities::Valuator do
 it { should be_able_to(:valuate, assigned_investment) }
 it { should be_able_to(:valuate, group_assigned_investment) }
+ it { should be_able_to(:comment_valuation, assigned_investment) }
 it { should_not be_able_to(:valuate, non_assigned_investment) }
 it { should_not be_able_to(:valuate, finished_assigned_investment) }
-
- it { should be_able_to(:edit_dossier, assigned_investment) }
- it { should be_able_to(:comment_valuation, assigned_investment) }
-
- it { should_not be_able_to(:edit_dossier, finished_assigned_investment) }
 it { should_not be_able_to(:comment_valuation, finished_assigned_investment) }
 context "cannot edit dossier" do
 before { valuator.can_edit_dossier = false }
- it { should_not be_able_to(:edit_dossier, assigned_investment) }
+ it { should_not be_able_to(:valuate, assigned_investment) }
 end
 context "cannot comment" do