From decf0f2683357c9221e230796934bc65c4addafd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juanjo=20Baz=C3=A1n?=
Date: Mon, 14 Mar 2016 14:35:57 +0100
Subject: [PATCH 1/2] changes admin/valuator permissions not allowed to create/destroy spending proposals anymore
---
 app/models/abilities/administrator.rb | 2 +-
 app/models/abilities/valuator.rb | 2 +-
 spec/models/abilities/administrator_spec.rb | 4 +++-
 spec/models/abilities/valuator_spec.rb | 4 +++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/app/models/abilities/administrator.rb b/app/models/abilities/administrator.rb
index 49184c447..78cb60806 100644
--- a/app/models/abilities/administrator.rb
+++ b/app/models/abilities/administrator.rb
@@ -37,7 +37,7 @@ module Abilities
 can :manage, Annotation
- can :manage, SpendingProposal
+ can [:read, :update], SpendingProposal
 end
 end
 end
diff --git a/app/models/abilities/valuator.rb b/app/models/abilities/valuator.rb
index edb542e4b..15add866a 100644
--- a/app/models/abilities/valuator.rb
+++ b/app/models/abilities/valuator.rb
@@ -3,7 +3,7 @@ module Abilities
 include CanCan::Ability
 def initialize(user)
- can :manage, SpendingProposal
+ can [:read, :update, :valuate], SpendingProposal
 end
 end
 end
\ No newline at end of file
diff --git a/spec/models/abilities/administrator_spec.rb b/spec/models/abilities/administrator_spec.rb
index 8df88a46f..b5ee78dd0 100644
--- a/spec/models/abilities/administrator_spec.rb
+++ b/spec/models/abilities/administrator_spec.rb
@@ -52,5 +52,7 @@ describe "Abilities::Administrator" do
 it { should be_able_to(:manage, Annotation) }
- it { should be_able_to(:manage, SpendingProposal) }
+ it { should be_able_to(:read, SpendingProposal) }
+ it { should be_able_to(:update, SpendingProposal) }
+ it { should be_able_to(:valuate, SpendingProposal) }
 end
diff --git a/spec/models/abilities/valuator_spec.rb b/spec/models/abilities/valuator_spec.rb
index d9542220d..ce108200c 100644
--- a/spec/models/abilities/valuator_spec.rb
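Review bot: The administrator rule in app/models/abilities/administrator.rb now grants only `[:read, :update]` on SpendingProposal, yet the administrator spec in this same patch adds `it { should be_able_to(:valuate, SpendingProposal) }`. Unless `:valuate` is granted or aliased elsewhere in this initializer (its body starts outside the hunk), that example fails, or administrators silently lose the valuation right they held under `:manage`. If administrators are meant to valuate, write `can [:read, :update, :valuate], SpendingProposal` to match the valuator rule; otherwise drop the expectation from the spec.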
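Review bot: The new examples in spec/models/abilities/administrator_spec.rb assert only what is still granted; nothing pins the denial that the commit subject announces. An action list that replaced `:manage` is easy to widen again by accident, so add `it { should_not be_able_to(:create, SpendingProposal) }` and `it { should_not be_able_to(:destroy, SpendingProposal) }` next to the positive examples. The same gap applies to the spec/models/abilities/valuator_spec.rb hunk that follows.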
+++ b/spec/models/abilities/valuator_spec.rb
@@ -6,5 +6,7 @@ describe "Abilities::Valuator" do
 let(:user) { valuator.user }
 let(:valuator) { create(:valuator) }
- it { should be_able_to(:manage, SpendingProposal) }
+ it { should be_able_to(:read, SpendingProposal) }
+ it { should be_able_to(:update, SpendingProposal) }
+ it { should be_able_to(:valuate, SpendingProposal) }
 end
From b660702787e64aebe246f99d65b20dcd72148543 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juanjo=20Baz=C3=A1n?=
Date: Mon, 14 Mar 2016 14:36:13 +0100
Subject: [PATCH 2/2] specifies permission the right way
---
 app/views/users/_spending_proposals.html.erb | 2 +-
 spec/features/users_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/views/users/_spending_proposals.html.erb b/app/views/users/_spending_proposals.html.erb
index 491f5c831..04bfa7867 100644
--- a/app/views/users/_spending_proposals.html.erb
+++ b/app/views/users/_spending_proposals.html.erb
@@ -4,7 +4,7 @@
 <%= link_to spending_proposal.title, spending_proposal %>
- <% if current_user && current_user.id == spending_proposal.author_id %>
+ <% if can?(:destroy, spending_proposal) %>
 <%= link_to t("users.show.delete_spending_proposal"), spending_proposal, method: :delete,
diff --git a/spec/features/users_spec.rb b/spec/features/users_spec.rb
index fdb092856..eff63b18b 100644
--- a/spec/features/users_spec.rb
+++ b/spec/features/users_spec.rb
@@ -202,7 +202,7 @@ feature 'Users' do
 feature 'Spending proposals' do
 background do
- @author = create(:user)
+ @author = create(:user, :level_two)
 @spending_proposal = create(:spending_proposal, author: @author, title: 'Build a school')
 end
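Review bot: In app/views/users/_spending_proposals.html.erb, `can?(:destroy, spending_proposal)` only decides whether the delete link is rendered; it does not stop a direct DELETE request. The rule that grants `:destroy` and the controller's destroy action are both outside this patch, so confirm the action is authorized by the same ability (for example `load_and_authorize_resource` or `authorize! :destroy, @spending_proposal`). Also confirm the rule is scoped to the proposal's author, e.g. with a condition such as `author_id: user.id`, since the explicit author comparison is removed here. The `if` block closes outside the hunk.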
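Review bot: The background in spec/features/users_spec.rb now builds only a `:level_two` author, so as far as this hunk shows the suite covers the case where the delete link appears but not the cases where it must be hidden. The fixture change suggests the `:destroy` rule depends on the verification level, which means an author without `:level_two` presumably loses the link they had under the old author comparison. Add scenarios for such an author and for a different signed-in user viewing the profile, each expecting no delete link. The scenarios of this feature lie outside the hunk, so some of this may already be covered.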