Fix admin permissions for finished budgets

Although we weren't showing links in the views to execute certain actions, forms could be still sent using a PUT/PATCH pull request to the controller actions.
consuldemocracy · javierm · Nov 6, 2019 · Nov 6, 2019 · Nov 6, 2019 · Nov 6, 2019
commit 6bbfb555868249c4c4b1f77c689163e1ffd54da5
diff --git a/app/controllers/admin/budget_investments_controller.rb b/app/controllers/admin/budget_investments_controller.rb
@@ -31,6 +31,7 @@ def show
  end
 
  def edit
+ authorize! :admin_update, @investment
  load_staff
  load_valuator_groups
  load_tags
@@ -52,6 +53,7 @@ def update
  end
 
  def toggle_selection
+ authorize! :toggle_selection, @investment
  @investment.toggle :selected
  @investment.save!
  load_investments

diff --git a/app/models/abilities/administrator.rb b/app/models/abilities/administrator.rb
@@ -64,7 +64,9 @@ def initialize(user)
  can [:read, :create, :update, :destroy], Budget::Heading
  can [:hide, :admin_update, :toggle_selection], Budget::Investment
  can [:valuate, :comment_valuation], Budget::Investment
- cannot [:comment_valuation], Budget::Investment, budget: { phase: "finished" }
+ cannot [:admin_update, :toggle_selection, :valuate, :comment_valuation],
+ Budget::Investment, budget: { phase: "finished" }
+
  can :create, Budget::ValuatorAssignment
 
  can :read_admin_stats, Budget, &:balloting_or_later?

diff --git a/app/views/admin/budget_investments/_select_investment.html.erb b/app/views/admin/budget_investments/_select_investment.html.erb
@@ -61,30 +61,34 @@
 
 <td id="selection" class="small text-center" data-field="selected">
  <% if investment.selected? %>
- <%= link_to_unless investment.budget.finished?,
- t("admin.budget_investments.index.selected"),
- toggle_selection_admin_budget_budget_investment_path(@budget,
- investment,
- filter: params[:filter],
- sort_by: params[:sort_by],
- min_total_supports: params[:min_total_supports],
- max_total_supports: params[:max_total_supports],
- advanced_filters: params[:advanced_filters],
- page: params[:page]),
- method: :patch,
- remote: true,
- class: "button small expanded" %>
+ <%= link_to_if can?(:toggle_selection, investment),
+ t("admin.budget_investments.index.selected"),
+ toggle_selection_admin_budget_budget_investment_path(
+ @budget,
+ investment,
+ filter: params[:filter],
+ sort_by: params[:sort_by],
+ min_total_supports: params[:min_total_supports],
+ max_total_supports: params[:max_total_supports],
+ advanced_filters: params[:advanced_filters],
+ page: params[:page]
+ ),
+ method: :patch,
+ remote: true,
+ class: "button small expanded" %>
  <% elsif investment.feasible? && investment.valuation_finished? %>
- <% unless investment.budget.finished? %>
+ <% if can?(:toggle_selection, investment) %>
  <%= link_to t("admin.budget_investments.index.select"),
- toggle_selection_admin_budget_budget_investment_path(@budget,
- investment,
- filter: params[:filter],
- sort_by: params[:sort_by],
- min_total_supports: params[:min_total_supports],
- max_total_supports: params[:max_total_supports],
- advanced_filters: params[:advanced_filters],
- page: params[:page]),
+ toggle_selection_admin_budget_budget_investment_path(
+ @budget,
+ investment,
+ filter: params[:filter],
+ sort_by: params[:sort_by],
+ min_total_supports: params[:min_total_supports],
+ max_total_supports: params[:max_total_supports],
+ advanced_filters: params[:advanced_filters],
+ page: params[:page]
+ ),
  method: :patch,
  remote: true,
  class: "button small hollow expanded" %>

diff --git a/app/views/admin/budget_investments/show.html.erb b/app/views/admin/budget_investments/show.html.erb
@@ -6,15 +6,17 @@
 <%= render "written_by_author" %>
 
 <h2 class="inline-block"><%= t("admin.budget_investments.show.preview") %></h2>
-<div class="float-right">
- <%= link_to t("admin.budget_investments.show.edit"),
- edit_admin_budget_budget_investment_path(
- @budget,
- @investment,
- Budget::Investment.filter_params(params).to_h
- ),
- class: "button hollow" unless @budget.finished? %>
-</div>
+<% if can?(:admin_update, @investment) %>
+ <div class="float-right">
+ <%= link_to t("admin.budget_investments.show.edit"),
+ edit_admin_budget_budget_investment_path(
+ @budget,
+ @investment,
+ Budget::Investment.filter_params(params).to_h
+ ),
+ class: "button hollow" %>
+ </div>
+<% end %>
 
 <hr>
 <%= render "/budgets/investments/investment_detail", investment: @investment, preview: true %>
@@ -50,19 +52,26 @@
  <% end %>
 </p>
 
-<p>
- <%= link_to t("admin.budget_investments.show.edit_classification"),
- edit_admin_budget_budget_investment_path(@budget, @investment,
- { anchor: "classification" }.merge(Budget::Investment.filter_params(params).to_h)) unless @budget.finished? %>
-</p>
+<% if can?(:admin_update, @investment) %>
+ <p>
+ <%= link_to t("admin.budget_investments.show.edit_classification"),
+ edit_admin_budget_budget_investment_path(
+ @budget,
+ @investment,
+ { anchor: "classification" }.merge(Budget::Investment.filter_params(params).to_h)
+ ) %>
+ </p>
+<% end %>
 
 <hr>
 
 <h2><%= t("admin.budget_investments.show.dossier") %></h2>
 <%= render "valuation/budget_investments/dossier" %>
-<p>
- <%= link_to t("admin.budget_investments.show.edit_dossier"), edit_valuation_budget_budget_investment_path(@budget, @investment) unless @budget.finished? %>
-</p>
+<% if can?(:valuate, @investment) %>
+ <p>
+ <%= link_to t("admin.budget_investments.show.edit_dossier"), edit_valuation_budget_budget_investment_path(@budget, @investment) %>
+ </p>
+<% end %>
 
 <%= render "valuation/budget_investments/valuation_comments" %>
 

diff --git a/app/views/valuation/budget_investments/show.html.erb b/app/views/valuation/budget_investments/show.html.erb
@@ -3,15 +3,17 @@
 <br>
 
 <h2 class="inline-block"><%= t("admin.budget_investments.show.preview") %></h2>
-<div class="float-right">
- <%= link_to t("admin.budget_investments.show.edit"),
- edit_valuation_budget_budget_investment_path(
- @budget,
- @investment,
- Budget::Investment.filter_params(params)
- ),
- class: "button hollow" unless @budget.finished? %>
-</div>
+<% if can?(:valuate, @investment) %>
+ <div class="float-right">
+ <%= link_to t("admin.budget_investments.show.edit"),
+ edit_valuation_budget_budget_investment_path(
+ @budget,
+ @investment,
+ Budget::Investment.filter_params(params)
+ ),
+ class: "button hollow" %>
+ </div>
+<% end %>
 
 <hr>
 <%= render "/budgets/investments/investment_detail", investment: @investment, preview: true %>

diff --git a/spec/models/abilities/administrator_spec.rb b/spec/models/abilities/administrator_spec.rb
@@ -15,6 +15,7 @@
  let(:comment) { create(:comment) }
  let(:proposal) { create(:proposal, author: user) }
  let(:budget_investment) { create(:budget_investment) }
+ let(:finished_investment) { create(:budget_investment, budget: create(:budget, :finished)) }
  let(:legislation_question) { create(:legislation_question) }
  let(:poll_question) { create(:poll_question) }
 
@@ -77,7 +78,10 @@
  it { should be_able_to(:hide, Budget::Investment) }
 
  it { should be_able_to(:valuate, create(:budget_investment, budget: create(:budget, :valuating))) }
- it { should be_able_to(:valuate, create(:budget_investment, budget: create(:budget, :finished))) }
+ it { should_not be_able_to(:admin_update, finished_investment) }
+ it { should_not be_able_to(:valuate, finished_investment) }
+ it { should_not be_able_to(:comment_valuation, finished_investment) }
+ it { should_not be_able_to(:toggle_selection, finished_investment) }
 
  it { should be_able_to(:destroy, proposal_image) }
  it { should be_able_to(:destroy, proposal_document) }