consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f5b60e03e122be0171b3c67ab7694bb4ff1a879f
nairobi/spec/models/abilities/valuator_spec.rb
Javi Martín f5b60e03e1 Don't let valuators update investments 
There were some confusing definitions regarding the valuation of budget
investments.

In the controller, `CommentableActions` was included, which includes the
update action.

In the abilities, a valuator was given permission to update an
investment.

However, the action to update an investment didn't work because there is
no route defined to do so.

The ability was defined so valuators could access the "edit" action,
which will not call the "update" action but the "valuate" action. Since
internally "edit" and "update" use the same permission, it worked.

But then we added permission for regular users to update budget
investments, and these permissions were allowing valuators to update
another user's investment.

After this change, everything seems to work properly since we check
authorization in the controller itself instead of using abilities.
2019-10-18 16:24:27 +02:00

43 lines
1.8 KiB
Ruby
Raw Blame History

require "rails_helper"
require "cancan/matchers"
describe Abilities::Valuator do
subject(:ability) { Ability.new(user) }
let(:user) { valuator.user }
let(:group) { create(:valuator_group) }
let(:valuator) { create(:valuator, valuator_group: group) }
let(:non_assigned_investment) { create(:budget_investment) }
let(:assigned_investment) { create(:budget_investment, budget: create(:budget, :valuating), valuators: [valuator]) }
let(:group_assigned_investment) { create(:budget_investment, budget: create(:budget, :valuating), valuator_groups: [group]) }
let(:finished_assigned_investment) { create(:budget_investment, budget: create(:budget, :finished), valuators: [valuator]) }
it "cannot valuate an assigned investment with a finished valuation" do
assigned_investment.update(valuation_finished: true)
should_not be_able_to(:valuate, assigned_investment)
end
it { should_not be_able_to(:update, assigned_investment) }
it { should be_able_to(:valuate, assigned_investment) }
it { should be_able_to(:valuate, group_assigned_investment) }
it { should_not be_able_to(:valuate, non_assigned_investment) }
it { should_not be_able_to(:valuate, finished_assigned_investment) }
it "can update dossier information if not set can_edit_dossier attribute" do
should be_able_to(:edit_dossier, assigned_investment)
allow(valuator).to receive(:can_edit_dossier?).and_return(false)
ability = Ability.new(user)
expect(ability.can?(:edit_dossier, assigned_investment)).to be_falsey
end
it "cannot create valuation comments if not set not can_comment attribute" do
should be_able_to(:comment_valuation, assigned_investment)
allow(valuator).to receive(:can_comment?).and_return(false)
ability = Ability.new(user)
expect(ability.can?(:comment_valuation, assigned_investment)).to be_falsey
end
end
Reference in New Issue View Git Blame Copy Permalink