Don't let valuators update investments

There were some confusing definitions regarding the valuation of budget
investments.

In the controller, `CommentableActions` was included, which includes the
update action.

In the abilities, a valuator was given permission to update an
investment.

However, the action to update an investment didn't work because there is
no route defined to do so.

The ability was defined so valuators could access the "edit" action,
which will not call the "update" action but the "valuate" action. Since
internally "edit" and "update" use the same permission, it worked.

But then we added permission for regular users to update budget
investments, and these permissions were allowing valuators to update
another user's investment.

After this change, everything seems to work properly since we check
authorization in the controller itself instead of using abilities.
Javi Martín
2019-10-18 16:24:09 +02:00
parent bb627a7117
commit f5b60e03e1
2 changed files with 4 additions and 8 deletions


@@ -7,9 +7,9 @@ module Abilities
assigned_investment_ids = valuator.assigned_investment_ids assigned_investment_ids = valuator.assigned_investment_ids
finished = { phase: "finished" } finished = { phase: "finished" }
can [:read, :update], Budget::Investment, id: assigned_investment_ids can [:read], Budget::Investment, id: assigned_investment_ids
can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false } can [:valuate], Budget::Investment, { id: assigned_investment_ids, valuation_finished: false }
cannot [:update, :valuate, :comment_valuation], Budget::Investment, budget: finished cannot [:valuate, :comment_valuation], Budget::Investment, budget: finished
if valuator.can_edit_dossier? if valuator.can_edit_dossier?
can [:edit_dossier], Budget::Investment, id: assigned_investment_ids can [:edit_dossier], Budget::Investment, id: assigned_investment_ids
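Review bot: Dropping `:update` from `can [:read, :update], Budget::Investment, id: assigned_investment_ids` also drops `:edit`, since CanCan aliases the two, so every controller action that previously relied on this rule for the edit/valuate flow now has to authorize `:valuate` explicitly; the commit message says that check lives in the controller, but this commit touches only the ability and its spec, so it would help to reference the controller change (or add a request spec for the valuation edit route) so the removal can be verified end to end. The matching removal of `:update` from `cannot [:valuate, :comment_valuation], Budget::Investment, budget: finished` is consistent: with no `:update` grant left for valuators, the restriction on finished budgets no longer needs to mention it.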


@@ -18,16 +18,12 @@ describe Abilities::Valuator do
should_not be_able_to(:valuate, assigned_investment) should_not be_able_to(:valuate, assigned_investment)
end end
it { should_not be_able_to(:update, non_assigned_investment) } it { should_not be_able_to(:update, assigned_investment) }
it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should be_able_to(:update, assigned_investment) }
it { should be_able_to(:valuate, assigned_investment) } it { should be_able_to(:valuate, assigned_investment) }
it { should be_able_to(:update, group_assigned_investment) }
it { should be_able_to(:valuate, group_assigned_investment) } it { should be_able_to(:valuate, group_assigned_investment) }
it { should_not be_able_to(:update, finished_assigned_investment) } it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should_not be_able_to(:valuate, finished_assigned_investment) } it { should_not be_able_to(:valuate, finished_assigned_investment) }
it "can update dossier information if not set can_edit_dossier attribute" do it "can update dossier information if not set can_edit_dossier attribute" do
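Review bot: The new spec keeps only one negative case for `:update`, `it { should_not be_able_to(:update, assigned_investment) }`, while the removed lines covered `group_assigned_investment` and `finished_assigned_investment` as well; since the point of the change is that valuators must never update an investment regardless of how it was assigned, keeping `should_not be_able_to(:update, group_assigned_investment)` and `should_not be_able_to(:update, finished_assigned_investment)` would catch a future grant of `:update` on any of those paths rather than only the direct assignment. The relocated `it { should_not be_able_to(:valuate, non_assigned_investment) }` is unchanged in meaning and fine where it is.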