Don't allow valuation if cannot edit dossier

We were adding the condition to show the form in the view. However, that
doesn't prevent users from sending a POST/PUT request to the controller
action.

We could add the condition to the controller as well, but since the
`valuate` permission is only used in one place, it's easier to restrict
that permission to valuators who can edit the dossier.
Javi Martín
2019-11-05 17:26:02 +01:00
parent 6db0272575
commit d1d71f0044
4 changed files with 5 additions and 11 deletions


@@ -66,7 +66,6 @@ module Abilities
can [:valuate, :comment_valuation], Budget::Investment can [:valuate, :comment_valuation], Budget::Investment
cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" } cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" }
can :create, Budget::ValuatorAssignment can :create, Budget::ValuatorAssignment
can [:edit_dossier], Budget::Investment
can :read_admin_stats, Budget, &:balloting_or_later? can :read_admin_stats, Budget, &:balloting_or_later?
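Review bot: Dropping `can [:edit_dossier], Budget::Investment` from this ability leaves `:edit_dossier` undefined for every role shown on the page, so any remaining `can?(:edit_dossier, …)` or `authorize! :edit_dossier` outside the four changed files would now always deny rather than raise. The diffstat covers only the two abilities, one view and the valuator spec, so a grep for `edit_dossier` before merge would confirm nothing else still depends on it. No administrator spec is touched here; if one asserts `be_able_to(:edit_dossier, …)` it will presumably start failing. This ability still grants `:valuate`, so the dossier form stays reachable for this role via the simplified view condition.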


@@ -7,17 +7,16 @@ module Abilities
assigned_investment_ids = valuator.assigned_investment_ids assigned_investment_ids = valuator.assigned_investment_ids
can [:read], Budget::Investment, id: assigned_investment_ids can [:read], Budget::Investment, id: assigned_investment_ids
can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
if valuator.can_edit_dossier? if valuator.can_edit_dossier?
can [:edit_dossier], Budget::Investment, id: assigned_investment_ids can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
end end
if valuator.can_comment? if valuator.can_comment?
can [:comment_valuation], Budget::Investment, id: assigned_investment_ids can [:comment_valuation], Budget::Investment, id: assigned_investment_ids
end end
cannot [:valuate, :edit_dossier, :comment_valuation], Budget::Investment, budget: { phase: "finished" } cannot [:valuate, :comment_valuation], Budget::Investment, budget: { phase: "finished" }
end end
end end
end end
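Review bot: Moving `can [:valuate]` under `if valuator.can_edit_dossier?` only closes the POST/PUT path the commit message describes if the valuation controller's update action authorizes `:valuate` on the investment (an explicit `authorize! :valuate, @investment` or equivalent); that controller is not among the changed files, so it is worth confirming the action is not relying on a default `:update` check, which this ability does not grant. Style: the new `can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }` keeps literal braces around the conditions hash while the sibling `can` lines pass `id: assigned_investment_ids` bare; `can [:valuate], Budget::Investment, id: assigned_investment_ids, valuation_finished: false` reads consistently. The `cannot [:valuate, :comment_valuation]` line for finished budgets still applies after the conditional grant, which is the intended ordering. The enclosing method starts above the hunk.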


@@ -4,7 +4,7 @@
<% end %> <% end %>
<h2><%= t("valuation.budget_investments.edit.dossier") %></h2> <h2><%= t("valuation.budget_investments.edit.dossier") %></h2>
<% if can?(:valuate, @investment) && can?(:edit_dossier, @investment) %> <% if can?(:valuate, @investment) %>
<%= render "/valuation/budget_investments/dossier_form", investment: @investment %> <%= render "/valuation/budget_investments/dossier_form", investment: @investment %>
<% else %> <% else %>
<%= render "/valuation/budget_investments/dossier_detail", investment: @investment %> <%= render "/valuation/budget_investments/dossier_detail", investment: @investment %>


@@ -22,20 +22,16 @@ describe Abilities::Valuator do
it { should be_able_to(:valuate, assigned_investment) } it { should be_able_to(:valuate, assigned_investment) }
it { should be_able_to(:valuate, group_assigned_investment) } it { should be_able_to(:valuate, group_assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:valuate, non_assigned_investment) } it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should_not be_able_to(:valuate, finished_assigned_investment) } it { should_not be_able_to(:valuate, finished_assigned_investment) }
it { should be_able_to(:edit_dossier, assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:edit_dossier, finished_assigned_investment) }
it { should_not be_able_to(:comment_valuation, finished_assigned_investment) } it { should_not be_able_to(:comment_valuation, finished_assigned_investment) }
context "cannot edit dossier" do context "cannot edit dossier" do
before { valuator.can_edit_dossier = false } before { valuator.can_edit_dossier = false }
it { should_not be_able_to(:edit_dossier, assigned_investment) } it { should_not be_able_to(:valuate, assigned_investment) }
end end
context "cannot comment" do context "cannot comment" do