From 18022020338428446d29da9db4e1e654e565d34a Mon Sep 17 00:00:00 2001
From: Eduardo Martinez Echevarria
Date: Sun, 11 Jun 2017 23:29:56 +0200
Subject: [PATCH 1/2] Add test to check that results of unfinished budgets are inaccessible
---
 spec/features/budgets/results_spec.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/spec/features/budgets/results_spec.rb b/spec/features/budgets/results_spec.rb
index 961dd287e..d2a32f992 100644
--- a/spec/features/budgets/results_spec.rb
+++ b/spec/features/budgets/results_spec.rb
@@ -45,4 +45,13 @@ feature 'Results' do
 end
 end
-end
\ No newline at end of file
+ scenario "If budget is in a phase different from finished results can't be accessed" do
+ budget.update phase: (Budget::PHASES - ["finished"]).sample
+ visit budget_path(budget)
+ expect(page).not_to have_link "See results"
+
+ visit budget_results_path(budget, heading_id: budget.headings.first)
+ expect(page).to have_content "You do not have permission to carry out the action"
+ end
+
+end
From 2380b97bd087585921e774c547ee83626c50d2df Mon Sep 17 00:00:00 2001
From: Eduardo Martinez Echevarria
Date: Sun, 11 Jun 2017 23:33:05 +0200
Subject: [PATCH 2/2] Make budgets result show action available only when budget is finished
---
 app/controllers/budgets/results_controller.rb | 1 +
 app/models/abilities/everyone.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/controllers/budgets/results_controller.rb b/app/controllers/budgets/results_controller.rb
index aa94eb68b..d92232f67 100644
--- a/app/controllers/budgets/results_controller.rb
+++ b/app/controllers/budgets/results_controller.rb
@@ -4,6 +4,7 @@ module Budgets
 load_and_authorize_resource :budget
 def show
+ authorize! :read_results, @budget
 @result = load_result
 end
diff --git a/app/models/abilities/everyone.rb b/app/models/abilities/everyone.rb
index 30d295986..c22a3f7e4 100644
--- a/app/models/abilities/everyone.rb
+++ b/app/models/abilities/everyone.rb
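Review bot: In spec/features/budgets/results_spec.rb the new scenario picks its phase with `.sample`, so each run exercises one randomly chosen non-finished phase, and a rule that is wrong for a single phase would fail only intermittently. For an access-control check I would generate one scenario per phase by wrapping it in `(Budget::PHASES - ["finished"]).each do |phase|` and using `budget.update phase: phase`. As far as the hunk shows, the scenario also runs only as an anonymous visitor; a logged-in case would confirm the denial holds for other roles. `budget` and the enclosing `feature` block are defined outside the hunk.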
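Review bot: In app/controllers/budgets/results_controller.rb the `authorize! :read_results, @budget` call sits inside `show`, so the phase restriction protects only that one action; `load_and_authorize_resource :budget` above it checks the ability for the action name, not `:read_results`. Declaring it once after the loader, `before_action -> { authorize! :read_results, @budget }`, would make any action later added to this controller denied by default. A comment such as `# results stay private until the budget reaches the "finished" phase` above the check would record why a second authorization exists. The class continues outside the hunk, so whether other actions exist today cannot be seen from here.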
@@ -17,6 +17,7 @@ module Abilities
 can [:read], Budget
 can [:read], Budget::Group
 can [:read, :print], Budget::Investment
+ can :read_results, Budget, phase: "finished"
 can :new, DirectMessage
 can [:read, :debate, :draft_publication, :allegations, :final_version_publication], Legislation::Process
 can [:read, :changes, :go_to_version], Legislation::DraftVersion
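Review bot: The phase condition on `can :read_results, Budget, phase: "finished"` limits only roles whose permissions come from this class. CanCan's `:manage` matches every action, so a role granted `can :manage, Budget` elsewhere would pass `authorize! :read_results` in any phase. The other ability classes are not visible in this patch, so please confirm none grants that, and add a spec for a privileged user if results must stay hidden until the budget finishes. A comment above the rule, e.g. `# results are public only once the budget is finished`, would also help, since the literal `"finished"` here has to stay in step with the entry in `Budget::PHASES`.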