adds permissions with cancan for new, create and show

2016-06-08 13:46:17 +02:00
parent 21c2220626
commit 0e86cd89d6
3 changed files with 26 additions and 7 deletions
--- a/app/controllers/proposal_notifications_controller.rb
+++ b/app/controllers/proposal_notifications_controller.rb
@@ -1,14 +1,15 @@
 class ProposalNotificationsController < ApplicationController
-  skip_authorization_check
+  load_and_authorize_resource except: [:new]

  def new
-    @notification = ProposalNotification.new
    @proposal = Proposal.find(params[:proposal_id])
+    @notification = ProposalNotification.new(proposal_id: @proposal.id)
+    authorize! :new, @notification
  end

  def create
-    @notification = ProposalNotification.new(notification_params)
-    @proposal = Proposal.find(notification_params[:proposal_id])
+    @notification = ProposalNotification.new(proposal_notification_params)
+    @proposal = Proposal.find(proposal_notification_params[:proposal_id])
    if @notification.save
      @proposal.voters.each do |voter|
        Notification.add(voter.id, @notification)
@@ -28,7 +29,7 @@ class ProposalNotificationsController < ApplicationController

  private

-  def notification_params
+  def proposal_notification_params
    params.require(:proposal_notification).permit(:title, :body, :proposal_id)
  end

--- a/app/models/abilities/common.rb
+++ b/app/models/abilities/common.rb
@@ -48,9 +48,12 @@ module Abilities
        can :create, SpendingProposal
      end

+      can [:new, :create, :show], ProposalNotification do |notification|
+        notification.proposal.author_id == user.id
+      end
+
      can :create, Annotation
      can [:update, :destroy], Annotation, user_id: user.id
-
    end
  end
 end
--- a/spec/features/proposal_notifications_spec.rb
+++ b/spec/features/proposal_notifications_spec.rb
@@ -73,10 +73,25 @@ feature 'Proposal Notifications' do
      end
    end

+    scenario "Accessing form directly" do
+      user = create(:user)
+      author = create(:user)
+      proposal = create(:proposal, author: author)
+
+      login_as(user)
+      visit new_proposal_notification_path(proposal_id: proposal.id)
+
+      expect(current_path).to eq(proposals_path)
+      expect(page).to have_content("You do not have permission to carry out the action")
+    end
+
  end

  scenario "Error messages" do
-    proposal = create(:proposal)
+    author = create(:user)
+    proposal = create(:proposal, author: author)
+
+    login_as(author)

    visit new_proposal_notification_path(proposal_id: proposal.id)
    click_button "Send message"