Don't allow valuation if cannot edit dossier

We were only checking the condition in the view, to decide whether to show the form. However, that
doesn't prevent users from sending a POST/PUT request directly to the controller
action.

We could add the condition to the controller as well, but since the
`valuate` permission is only used in one place, it's easier to restrict
that permission to valuators who can edit the dossier.
Javi Martín
2019-11-05 17:26:02 +01:00
parent 6db0272575
commit d1d71f0044
4 changed files with 5 additions and 11 deletions


@@ -66,7 +66,6 @@ module Abilities
can [:valuate, :comment_valuation], Budget::Investment
cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" }
can :create, Budget::ValuatorAssignment
can [:edit_dossier], Budget::Investment
can :read_admin_stats, Budget, &:balloting_or_later?
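Review bot: Dropping `can [:edit_dossier], Budget::Investment` from the administrator abilities removes the ability outright rather than folding it into `:valuate`; in CanCan an ability that is never defined makes `can?` return false silently, so any remaining `can?(:edit_dossier, ...)` or `authorize! :edit_dossier` outside the four files in this commit would now deny administrators without failing loudly. A quick grep for `edit_dossier` across the app would confirm the commit's claim that the view was the only consumer. The enclosing method of this hunk starts and ends outside it.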


@@ -7,17 +7,16 @@ module Abilities
assigned_investment_ids = valuator.assigned_investment_ids
can [:read], Budget::Investment, id: assigned_investment_ids
can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
if valuator.can_edit_dossier?
can [:edit_dossier], Budget::Investment, id: assigned_investment_ids
can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
end
if valuator.can_comment?
can [:comment_valuation], Budget::Investment, id: assigned_investment_ids
end
cannot [:valuate, :edit_dossier, :comment_valuation], Budget::Investment, budget: { phase: "finished" }
cannot [:valuate, :comment_valuation], Budget::Investment, budget: { phase: "finished" }
end
end
end
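Review bot: Moving `can [:valuate]` under the `valuator.can_edit_dossier?` branch only closes the POST/PUT hole described in the commit message if the dossier update action in the valuation controller actually authorizes `:valuate` on the investment; as far as I recall CanCanCan's `load_and_authorize_resource` aliases `:update` to `edit`/`update` but never to a custom `:valuate` action, so an explicit `authorize! :valuate, @investment` (or an `alias_action`) is required there, and this diff does not show it. Worth confirming before treating the removed view-level condition as redundant. The `cannot [:valuate, :comment_valuation]` line for the finished phase still applies regardless of the edit-dossier flag, which looks right. The enclosing `initialize` method begins before this hunk.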


@@ -4,7 +4,7 @@
<% end %>
<h2><%= t("valuation.budget_investments.edit.dossier") %></h2>
<% if can?(:valuate, @investment) && can?(:edit_dossier, @investment) %>
<% if can?(:valuate, @investment) %>
<%= render "/valuation/budget_investments/dossier_form", investment: @investment %>
<% else %>
<%= render "/valuation/budget_investments/dossier_detail", investment: @investment %>


@@ -22,20 +22,16 @@ describe Abilities::Valuator do
it { should be_able_to(:valuate, assigned_investment) }
it { should be_able_to(:valuate, group_assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should_not be_able_to(:valuate, finished_assigned_investment) }
it { should be_able_to(:edit_dossier, assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:edit_dossier, finished_assigned_investment) }
it { should_not be_able_to(:comment_valuation, finished_assigned_investment) }
context "cannot edit dossier" do
before { valuator.can_edit_dossier = false }
it { should_not be_able_to(:edit_dossier, assigned_investment) }
it { should_not be_able_to(:valuate, assigned_investment) }
end
context "cannot comment" do
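Review bot: The added `it { should_not be_able_to(:valuate, assigned_investment) }` covers the ability layer, but nothing in this commit exercises the request path the description calls out — a valuator with `can_edit_dossier = false` sending a PUT to the dossier update action. A controller or system spec asserting that such a request is rejected (for example `expect(response).to redirect_to(...)` with the CanCan access-denied flash) would pin the actual fix rather than only the ability definition. The `describe Abilities::Valuator` block continues past the end of the hunk.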