Don't allow valuation if cannot edit dossier

We were adding the condition to show the form in the view. However, that
doesn't prevent users from sending a POST/PUT request to the controller
action.

We could add the condition to the controller as well, but since the
`valuate` permission is only used in one place, it's easier to restrict
that permission to valuators who can edit the dossier.
Javi Martín
2019-11-05 17:26:02 +01:00
parent 6db0272575
commit d1d71f0044
4 changed files with 5 additions and 11 deletions
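The commit message makes a general point worth seeing in code: hiding a form in the view does not stop a hand-crafted POST/PUT, so the permission has to be enforced where the action is authorized. The example below is an added illustration and is not the project's code; `Valuator`, `Investment`, `Ability` and the two request helpers are hypothetical stand-ins modelled on the `be_able_to(:valuate, investment)` checks in the spec, with a plain `can?` method instead of the CanCan gem.

```ruby
# Added example (not the project's code). Minimal stand-ins for the models
# exercised by the ability spec; names and fields are assumptions.
Valuator   = Struct.new(:id, :can_edit_dossier)
Investment = Struct.new(:valuator_ids, :finished)

# Hypothetical ability class: :valuate is granted only to assigned valuators
# who may also edit the dossier, mirroring the commit's intent.
class Ability
  def initialize(valuator)
    @valuator = valuator
  end

  def assigned?(investment)
    investment.valuator_ids.include?(@valuator.id) && !investment.finished
  end

  def can?(action, investment)
    case action
    when :comment_valuation      then assigned?(investment)
    when :edit_dossier, :valuate then assigned?(investment) && @valuator.can_edit_dossier
    else false
    end
  end
end

# The view-level check: decides only whether the valuation form is rendered.
def valuation_form_visible?(valuator)
  valuator.can_edit_dossier
end

# Old approach: the form is hidden, but the action itself never re-checks,
# so a crafted request still reaches the update. Returns :updated regardless.
def valuate_request_view_only(_valuator, _investment)
  :updated
end

# New approach: the controller action authorizes against the ability, so the
# same crafted request is rejected with :forbidden.
def valuate_request(valuator, investment)
  return :forbidden unless Ability.new(valuator).can?(:valuate, investment)
  :updated
end

if __FILE__ == $PROGRAM_NAME
  editor   = Valuator.new(1, true)
  readonly = Valuator.new(2, false)
  inv      = Investment.new([1, 2], false)
  puts "form visible for readonly valuator: #{valuation_form_visible?(readonly)}"
  puts "view-only guard, crafted POST: #{valuate_request_view_only(readonly, inv)}"
  puts "ability guard, crafted POST:   #{valuate_request(readonly, inv)}"
  puts "ability guard, editor:         #{valuate_request(editor, inv)}"
end
```

The contrast to look for is the read-only valuator: the form is hidden under both approaches, but only the ability-backed action turns a crafted request into `:forbidden`, while `:comment_valuation` stays available to that same valuator.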


@@ -22,20 +22,16 @@ describe Abilities::Valuator do
it { should be_able_to(:valuate, assigned_investment) }
it { should be_able_to(:valuate, group_assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should_not be_able_to(:valuate, finished_assigned_investment) }
it { should be_able_to(:edit_dossier, assigned_investment) }
it { should be_able_to(:comment_valuation, assigned_investment) }
it { should_not be_able_to(:edit_dossier, finished_assigned_investment) }
it { should_not be_able_to(:comment_valuation, finished_assigned_investment) }
context "cannot edit dossier" do
before { valuator.can_edit_dossier = false }
it { should_not be_able_to(:edit_dossier, assigned_investment) }
it { should_not be_able_to(:valuate, assigned_investment) }
end
context "cannot comment" do
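Review bot: the "cannot edit dossier" context asserts that :edit_dossier and :valuate are denied, but it has no positive check that :comment_valuation is still granted for the same assigned investment, so an over-broad ability rule that ties all three permissions to `can_edit_dossier` would still pass this spec; suggest adding `it { should be_able_to(:comment_valuation, assigned_investment) }` inside that context so the restriction is pinned to :valuate and :edit_dossier only.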