From 5980df0b31d3358136fe1b92189189ce4045d61f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Wed, 22 Dec 2021 17:51:19 +0100
Subject: [PATCH 1/2] Remove redundant permissions to edit/create records

The `edit` action is automatically authorized with the rules used for `:update`, the same way the `new` action is authorized with the rules used for `:create`. So we don't need to authorize the edit and new actions.

These changes make it easier for institutions customizing Consul to notice what they need to change if (for instance) they want users to be able to edit investments under certain conditions.
---
 app/models/abilities/administrator.rb | 10 +++++-----
 app/models/abilities/common.rb | 1 -
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/app/models/abilities/administrator.rb b/app/models/abilities/administrator.rb
index e04545147..7d3c698b1 100644
--- a/app/models/abilities/administrator.rb
+++ b/app/models/abilities/administrator.rb
@@ -52,16 +52,16 @@ module Abilities
 can :comment_as_administrator, [Debate, Comment, Proposal, Poll::Question, Budget::Investment, Legislation::Question, Legislation::Proposal, Legislation::Annotation, Topic]
- can [:search, :create, :index, :destroy, :edit, :update], ::Administrator
+ can [:search, :create, :index, :destroy, :update], ::Administrator
 can [:search, :create, :index, :destroy], ::Moderator
- can [:search, :show, :edit, :update, :create, :index, :destroy, :summary], ::Valuator
+ can [:search, :show, :update, :create, :index, :destroy, :summary], ::Valuator
 can [:search, :create, :index, :destroy], ::Manager
 can [:create, :read, :destroy], ::SDG::Manager
 can [:search, :index], ::User
 can :manage, Dashboard::Action
- can [:index, :read, :new, :create, :update, :destroy], Budget
+ can [:index, :read, :create, :update, :destroy], Budget
 can :publish, Budget, id: Budget.drafting.ids
 can :calculate_winners, Budget, &:reviewing_ballots?
 can :read_results, Budget do |budget|
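Review bot: The ::Administrator, ::Valuator and Budget rules in this hunk now rely on CanCanCan's default action aliases (`edit` to `update`, `new` to `create`) instead of naming the actions, and the same holds for the Banner, Geozone and Budget::Investment rules in the two hunks that follow. That is correct for a stock `Ability`, but it silently breaks if any ability file in the merge chain calls `clear_aliased_actions` or redefines those aliases, and a later `cannot :update` on the same model now also revokes `edit`; neither case is visible from this hunk, so the merge order is worth confirming once. The specs for these models should assert `:edit`/`:new` alongside `:update`/`:create` so the aliasing is pinned rather than assumed. A comment above the first changed rule, `# :edit and :new are implied by CanCanCan's default aliases to :update and :create`, would stop them being re-added by the next maintainer. The enclosing definition runs past the end of this hunk (the `do |budget|` block is left open).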
@@ -79,9 +79,9 @@ module Abilities
 can :read_admin_stats, Budget, &:balloting_or_later?
- can [:search, :edit, :update, :create, :index, :destroy], Banner
+ can [:search, :update, :create, :index, :destroy], Banner
- can [:index, :create, :edit, :update, :destroy], Geozone
+ can [:index, :create, :update, :destroy], Geozone
 can [:read, :create, :update, :destroy, :add_question, :search_booths, :search_officers, :booth_assignments], Poll
 can [:read, :create, :update, :destroy, :available], Poll::Booth
diff --git a/app/models/abilities/common.rb b/app/models/abilities/common.rb
index 8e341a39d..4d3a6b6ac 100644
--- a/app/models/abilities/common.rb
+++ b/app/models/abilities/common.rb
@@ -95,7 +95,6 @@ module Abilities
 can :create, Legislation::Answer
 can :create, Budget::Investment, budget: { phase: "accepting" }
- can :edit, Budget::Investment, budget: { phase: "accepting" }, author_id: user.id
 can :update, Budget::Investment, budget: { phase: "accepting" }, author_id: user.id
 can :suggest, Budget::Investment, budget: { phase: "accepting" }
 can :destroy, Budget::Investment, budget: { phase: ["accepting", "reviewing"] }, author_id: user.id

From c34fc7f0b871baabf295da4ca2933a4eea9fb908 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Thu, 30 Dec 2021 17:19:49 +0100
Subject: [PATCH 2/2] Remove unneeded lines restricting permissions

In the past, users had permission to edit their own legislation proposals. However, that changed in commit ebfa3fb01, where we replaced the `can` method with `cannot`.

An easier way to remove this permission is to simply remove the whole statement, since by default users don't have permissions to do anything.

We're also adding a test checking users can't edit their own legislation proposals, since it was missing.
---
 app/models/abilities/common.rb | 3 ---
 spec/models/abilities/common_spec.rb | 4 ++++
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/models/abilities/common.rb b/app/models/abilities/common.rb
index 4d3a6b6ac..ce55d8734 100644
--- a/app/models/abilities/common.rb
+++ b/app/models/abilities/common.rb
@@ -39,9 +39,6 @@ module Abilities
 can [:retire_form, :retire], Proposal, author_id: user.id
 can :read, Legislation::Proposal
- cannot [:edit, :update], Legislation::Proposal do |proposal|
- proposal.editable_by?(user)
- end
 can [:retire_form, :retire], Legislation::Proposal, author_id: user.id
 can :create, Comment
diff --git a/spec/models/abilities/common_spec.rb b/spec/models/abilities/common_spec.rb
index 8cce034f2..5299d068c 100644
--- a/spec/models/abilities/common_spec.rb
+++ b/spec/models/abilities/common_spec.rb
@@ -14,6 +14,7 @@ describe Abilities::Common do
 let(:own_debate) { create(:debate, author: user) }
 let(:own_comment) { create(:comment, author: user) }
 let(:own_proposal) { create(:proposal, author: user) }
+ let(:own_legislation_proposal) { create(:legislation_proposal, author: user) }
 let(:accepting_budget) { create(:budget, :accepting) }
 let(:reviewing_budget) { create(:budget, :reviewing) }
@@ -167,6 +168,9 @@ describe Abilities::Common do
 it { should_not be_able_to(:destroy, proposal_document) }
 end
+ it { should_not be_able_to(:edit, own_legislation_proposal) }
+ it { should_not be_able_to(:update, own_legislation_proposal) }
+
 describe "proposals dashboard" do
 it { should be_able_to(:dashboard, own_proposal) }
 it { should_not be_able_to(:dashboard, proposal) }
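Review bot: Removing the `cannot [:edit, :update], Legislation::Proposal` block is only a no-op if no rule merged after `Abilities::Common` grants `:update` on Legislation::Proposal; in CanCanCan the last matching rule wins, so this `cannot` may have been overriding such a grant whenever `editable_by?(user)` held, and deleting it would quietly restore that grant. The merge order lives outside this hunk, so the administrator, moderator and valuator specs are the place to confirm nothing changes for those roles. The new examples in common_spec.rb cover the plain user only and cannot detect this. The enclosing definition starts before this hunk and ends after it.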
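Review bot: The two new `it` examples at the end of this hunk sit loose between the closing `end` of the previous group and the `describe "proposals dashboard"` block, so they belong to neither and are easy to miss when scanning the spec; wrapping them as `describe "legislation proposals" do` … `end` next to the other per-model groups would match the file's structure. They also exercise only the author's own proposal, and the default-deny the commit message relies on would be better pinned by a second pair of examples on a proposal owned by someone else, assuming a suitable `let` exists in the part of the spec outside this hunk.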