From 0e86cd89d65bfb3a7d9cb2fb15699c85cd9ff38c Mon Sep 17 00:00:00 2001
From: rgarcia
Date: Wed, 8 Jun 2016 13:46:17 +0200
Subject: [PATCH] adds permissions with cancan for new, create and show

---
 .../proposal_notifications_controller.rb | 11 ++++++-----
 app/models/abilities/common.rb | 5 ++++-
 spec/features/proposal_notifications_spec.rb | 17 ++++++++++++++++-
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/app/controllers/proposal_notifications_controller.rb b/app/controllers/proposal_notifications_controller.rb
index adfa0fc21..1fcd9322a 100644
--- a/app/controllers/proposal_notifications_controller.rb
+++ b/app/controllers/proposal_notifications_controller.rb
@@ -1,14 +1,15 @@
 class ProposalNotificationsController < ApplicationController
- skip_authorization_check
+ load_and_authorize_resource except: [:new]
 
 def new
- @notification = ProposalNotification.new
 @proposal = Proposal.find(params[:proposal_id])
+ @notification = ProposalNotification.new(proposal_id: @proposal.id)
+ authorize! :new, @notification
 end
 
 def create
- @notification = ProposalNotification.new(notification_params)
- @proposal = Proposal.find(notification_params[:proposal_id])
+ @notification = ProposalNotification.new(proposal_notification_params)
+ @proposal = Proposal.find(proposal_notification_params[:proposal_id])
 if @notification.save
 @proposal.voters.each do |voter|
 Notification.add(voter.id, @notification)
@@ -28,7 +29,7 @@ class ProposalNotificationsController < ApplicationController
 
 private
 
- def notification_params
+ def proposal_notification_params
 params.require(:proposal_notification).permit(:title, :body, :proposal_id)
 end
 
diff --git a/app/models/abilities/common.rb b/app/models/abilities/common.rb
index 6dd36d5b0..2c08fc63c 100644
--- a/app/models/abilities/common.rb
+++ b/app/models/abilities/common.rb
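Review bot: In `create`, the object that `load_and_authorize_resource` builds and authorizes is CanCan's own `@proposal_notification`, while the action then builds a second `@notification` from `proposal_notification_params` and that is the one that gets saved; the two agree today only because, presumably, both take `proposal_id` from the same strong params, so a later change to where the action reads its proposal from would leave the authorization checking a different proposal than the one being notified. Either save the instance CanCan loaded, or have it load into the variable the action already uses, e.g. `load_and_authorize_resource except: [:new], instance_name: :notification`, and drop the duplicate `ProposalNotification.new(proposal_notification_params)` in `create`. The rename to `proposal_notification_params` in the second hunk is presumably what lets `load_and_authorize_resource` find the strong-params method by convention; a one-line comment above it such as `# name is relied on by load_and_authorize_resource` would keep someone from renaming it back. The `if @notification.save` branch continues outside the hunk.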
@@ -48,9 +48,12 @@ module Abilities
 can :create, SpendingProposal
 end
 
+ can [:new, :create, :show], ProposalNotification do |notification|
+ notification.proposal.author_id == user.id
+ end
+
 can :create, Annotation
 can [:update, :destroy], Annotation, user_id: user.id
-
 end
 end
 end
diff --git a/spec/features/proposal_notifications_spec.rb b/spec/features/proposal_notifications_spec.rb
index b0721f874..be8b146fd 100644
--- a/spec/features/proposal_notifications_spec.rb
+++ b/spec/features/proposal_notifications_spec.rb
@@ -73,10 +73,25 @@ feature 'Proposal Notifications' do
 end
 end
 
+ scenario "Accessing form directly" do
+ user = create(:user)
+ author = create(:user)
+ proposal = create(:proposal, author: author)
+
+ login_as(user)
+ visit new_proposal_notification_path(proposal_id: proposal.id)
+
+ expect(current_path).to eq(proposals_path)
+ expect(page).to have_content("You do not have permission to carry out the action")
+ end
+
 end
 
 scenario "Error messages" do
- proposal = create(:proposal)
+ author = create(:user)
+ proposal = create(:proposal, author: author)
+
+ login_as(author)
 visit new_proposal_notification_path(proposal_id: proposal.id)
 click_button "Send message"
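Review bot: The new ability block dereferences `notification.proposal` without a guard, so a create request whose `proposal_id` is absent or matches no proposal raises NoMethodError on nil inside the ability — a 500 instead of a denial — and, if `load_and_authorize_resource` runs as a before filter as it usually does, this happens before the controller's `Proposal.find` gets to raise RecordNotFound. Treating a missing proposal as "not the author" makes the rule fail closed: `notification.proposal && notification.proposal.author_id == user.id`. The same rule serves `:show`, so a notification whose proposal no longer exists would hit the same nil there. The enclosing `module Abilities` block continues outside the hunk.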