We were adding the condition to show the form in the view. However, that
doesn't prevent users from sending a POST/PUT request to the controller
action.
We could add the condition to the controller as well, but since the
`valuate` permission is only used in one place, it's easier to restrict
that permission to valuators who can edit the dossier.
There were some confusing definitions regarding the valuation of budget
investments.
In the controller, `CommentableActions` was included, which includes the
update action.
In the abilities, a valuator was given permission to update an
investment.
However, the action to update an investment didn't work because there is
no route defined to do so.
The ability was defined so valuators could access the "edit" action,
which will not call the "update" action but the "valuate" action. Since
internally "edit" and "update" use the same permission, it worked.
But then we added permission for regular users to update budget
investments, and these permissions were allowing valuators to update
another user's investment.
After this change, everything seems to work properly since we check
authorization in the controller itself instead of using abilities.
Why:
Only admins or valuators (for those investments they've assigned) can
create internal valuation comments on them.
How:
* Creating a new `comment_valuation` ability for admins and valuators in
the same manner the `valuate` ability works.
* Adding a validation at Comment model for those with `valuation` flag
active that checks if the author can make a valuation comment on the
commentable, as well as the respective active record error messages.
This will prevent comments from being created at a controller level as
well.
* Improving comment factory trait `valuation` to have an associated
investment, author that is a valuator and setting the valuator on the
valuators list of the investment
