grecia/spec/models/abilities/valuator_spec.rb
Javi Martín d1d71f0044 Don't allow valuation if cannot edit dossier
We were adding the condition to show the form in the view. However, that
doesn't prevent users from sending a POST/PUT request to the controller
action.

We could add the condition to the controller as well, but since the
`valuate` permission is only used in one place, it's easier to restrict
that permission to valuators who can edit the dossier.
2019-11-05 23:15:16 +01:00


require "rails_helper"
require "cancan/matchers"
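# Authorization spec for Abilities::Valuator: checks which actions on budget
# investments are granted to a valuator, depending on how the investment is
# assigned, the budget it belongs to, and the valuator's own permission flags.
describe Abilities::Valuator do
  subject(:ability) { Ability.new(user) }

  let(:user) { valuator.user }
  let(:group) { create(:valuator_group) }

  # Baseline valuator: belongs to `group` and has both permission flags enabled.
  # The nested contexts below switch one flag off at a time.
  let(:valuator) do
    create(:valuator, valuator_group: group, can_edit_dossier: true, can_comment: true)
  end

  # Investment with no valuator and no valuator group attached.
  let(:non_assigned_investment) { create(:budget_investment) }

  # Investment assigned directly to the valuator, in a budget built with the :valuating trait.
  let(:assigned_investment) do
    create(:budget_investment, budget: create(:budget, :valuating), valuators: [valuator])
  end

  # Investment reached only through the valuator's group, in a budget built with the :valuating trait.
  let(:group_assigned_investment) do
    create(:budget_investment, budget: create(:budget, :valuating), valuator_groups: [group])
  end

  # Investment assigned directly to the valuator, but in a budget built with the :finished trait.
  let(:finished_assigned_investment) do
    create(:budget_investment, budget: create(:budget, :finished), valuators: [valuator])
  end

  it "cannot valuate an assigned investment with a finished valuation" do
    assigned_investment.update!(valuation_finished: true)

    should_not be_able_to(:valuate, assigned_investment)
  end

  # Assignment grants valuation rights only; it does not grant :update.
  it { should_not be_able_to(:update, assigned_investment) }

  it { should be_able_to(:valuate, assigned_investment) }
  it { should be_able_to(:valuate, group_assigned_investment) }
  it { should be_able_to(:comment_valuation, assigned_investment) }

  it { should_not be_able_to(:valuate, non_assigned_investment) }
  it { should_not be_able_to(:valuate, finished_assigned_investment) }
  it { should_not be_able_to(:comment_valuation, finished_assigned_investment) }

  # Hiding the valuation form in the view does not stop a direct POST/PUT to the
  # controller action, so the restriction has to hold at the ability level.
  context "cannot edit dossier" do
    # NOTE(review): the flag is changed in memory without saving; this assumes the
    # ability reads it from this same Valuator instance -- confirm.
    before { valuator.can_edit_dossier = false }

    it { should_not be_able_to(:valuate, assigned_investment) }

    # Group assignment is a second route to :valuate (see the positive example
    # above), so the denial is checked on that route as well.
    it { should_not be_able_to(:valuate, group_assigned_investment) }
  end

  context "cannot comment" do
    # NOTE(review): in-memory change only, same assumption as in "cannot edit dossier".
    before { valuator.can_comment = false }

    it { should_not be_able_to(:comment_valuation, assigned_investment) }
  end
end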