Fix admin permissions for finished budgets

Although we weren't showing links in the views to execute certain
actions, forms could be still sent using a PUT/PATCH pull request to the
controller actions.

app/views/valuation/budget_investments/show.html.erb

@@ -3,15 +3,17 @@
 <br>
 
 <h2 class="inline-block"><%= t("admin.budget_investments.show.preview") %></h2>
-<div class="float-right">
-  <%= link_to t("admin.budget_investments.show.edit"),
-              edit_valuation_budget_budget_investment_path(
-                @budget,
-                @investment,
-                Budget::Investment.filter_params(params)
-              ),
-              class: "button hollow" unless @budget.finished? %>
-</div>
+<% if can?(:valuate, @investment) %>
+  <div class="float-right">
+    <%= link_to t("admin.budget_investments.show.edit"),
+                edit_valuation_budget_budget_investment_path(
+                  @budget,
+                  @investment,
+                  Budget::Investment.filter_params(params)
+                ),
+                class: "button hollow" %>
+  </div>
+<% end %>
 
 <hr>
 <%= render "/budgets/investments/investment_detail", investment: @investment, preview: true %>