adds permissions with cancan for new, create and show
@@ -1,14 +1,15 @@
|
|||||||
class ProposalNotificationsController < ApplicationController
|
class ProposalNotificationsController < ApplicationController
|
||||||
skip_authorization_check
|
load_and_authorize_resource except: [:new]
|
||||||
|
|
||||||
def new
|
def new
|
||||||
@notification = ProposalNotification.new
|
|
||||||
@proposal = Proposal.find(params[:proposal_id])
|
@proposal = Proposal.find(params[:proposal_id])
|
||||||
|
@notification = ProposalNotification.new(proposal_id: @proposal.id)
|
||||||
|
authorize! :new, @notification
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
@notification = ProposalNotification.new(notification_params)
|
@notification = ProposalNotification.new(proposal_notification_params)
|
||||||
@proposal = Proposal.find(notification_params[:proposal_id])
|
@proposal = Proposal.find(proposal_notification_params[:proposal_id])
|
||||||
if @notification.save
|
if @notification.save
|
||||||
@proposal.voters.each do |voter|
|
@proposal.voters.each do |voter|
|
||||||
Notification.add(voter.id, @notification)
|
Notification.add(voter.id, @notification)
|
||||||
@@ -28,7 +29,7 @@ class ProposalNotificationsController < ApplicationController
|
|||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def notification_params
|
def proposal_notification_params
|
||||||
params.require(:proposal_notification).permit(:title, :body, :proposal_id)
|
params.require(:proposal_notification).permit(:title, :body, :proposal_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
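Review bot: In `create`, the record that gets saved is not the instance that was authorized. `load_and_authorize_resource` builds and checks its own object (by CanCan's naming convention presumably `@proposal_notification`, fed from `proposal_notification_params`), and the action then builds a second `@notification` from the same params. Both come from the same permitted params today, so the outcome matches, but the check silently stops covering the saved record as soon as either side changes. Mirroring `new` keeps the check on the object that is persisted: add `authorize! :create, @notification` before `if @notification.save`, or reuse the loaded instance instead of calling `ProposalNotification.new` again. The body of `create` continues past the end of the first hunk, so the rest of the action is not visible here.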
@@ -48,9 +48,12 @@ module Abilities
|
|||||||
can :create, SpendingProposal
|
can :create, SpendingProposal
|
||||||
end
|
end
|
||||||
|
|
||||||
|
can [:new, :create, :show], ProposalNotification do |notification|
|
||||||
|
notification.proposal.author_id == user.id
|
||||||
|
end
|
||||||
|
|
||||||
can :create, Annotation
|
can :create, Annotation
|
||||||
can [:update, :destroy], Annotation, user_id: user.id
|
can [:update, :destroy], Annotation, user_id: user.id
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
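Review bot: The ability block dereferences `notification.proposal` without a nil guard, and on `create` it is evaluated against an unsaved record built from client-supplied `proposal_id`, before any model validation runs. If `proposal_id` is missing or points at no proposal, the association is presumably nil and `nil.author_id` raises `NoMethodError`, so the request ends in a 500 rather than the access-denied path. Failing closed is safer: `notification.proposal.present? && notification.proposal.author_id == user.id`. A short comment above the rule such as `# only the proposal's author may notify its voters` would also record the intent. The enclosing method starts and ends outside this hunk, so which user roles receive this rule cannot be confirmed from here.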
@@ -73,10 +73,25 @@ feature 'Proposal Notifications' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
scenario "Accessing form directly" do
|
||||||
|
user = create(:user)
|
||||||
|
author = create(:user)
|
||||||
|
proposal = create(:proposal, author: author)
|
||||||
|
|
||||||
|
login_as(user)
|
||||||
|
visit new_proposal_notification_path(proposal_id: proposal.id)
|
||||||
|
|
||||||
|
expect(current_path).to eq(proposals_path)
|
||||||
|
expect(page).to have_content("You do not have permission to carry out the action")
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
scenario "Error messages" do
|
scenario "Error messages" do
|
||||||
proposal = create(:proposal)
|
author = create(:user)
|
||||||
|
proposal = create(:proposal, author: author)
|
||||||
|
|
||||||
|
login_as(author)
|
||||||
|
|
||||||
visit new_proposal_notification_path(proposal_id: proposal.id)
|
visit new_proposal_notification_path(proposal_id: proposal.id)
|
||||||
click_button "Send message"
|
click_button "Send message"
|
||||||
|
|||||||
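Review bot: The new "Accessing form directly" scenario only covers a non-author requesting the `new` form; nothing exercises a non-author submitting to `create` with someone else's `proposal_id`. `create` is the action that fans out notifications to voters, so it is the one that most needs a denial test. A request or controller spec that posts `proposal_notification: { title:, body:, proposal_id: }` as a non-author and expects the access-denied redirect and no new `ProposalNotification` would pin that down. As a smaller style point, `expect(page).to have_current_path(proposals_path)` waits for the redirect where `expect(current_path).to eq(...)` does not. The hunk starts inside the feature block and ends partway through the "Error messages" scenario.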