Move can_add_reviews logic to a pundit policy and use in request be…

…ta views

This code is for authorization and therefore should be in a
pundit policy.

src/api/app/components/add_review_dropdown_component.rb

@@ -1,15 +1,14 @@
 class AddReviewDropdownComponent < ApplicationComponent
-  def initialize(bs_request:, user:, can_add_reviews:, my_open_reviews:)
+  def initialize(bs_request:, user:, my_open_reviews:)
     super
 
     @bs_request = bs_request
     @user = user
-    @can_add_reviews = can_add_reviews
     @my_open_reviews = my_open_reviews
   end
 
   def render?
-    @can_add_reviews && @my_open_reviews.present?
+    policy(@bs_request).add_reviews? && @my_open_reviews.present?
   end
 
   def reviewer_icon_and_text(review:)

src/api/app/controllers/webui/request_controller.rb

@@ -528,7 +528,6 @@ def prepare_request_data
     @is_target_maintainer = @bs_request.is_target_maintainer?(User.session)
     reviews = @bs_request.reviews.where(state: 'new')
     @my_open_reviews = reviews.select { |review| review.matches_user?(User.session) }
-    @can_add_reviews = @bs_request.state.in?([:new, :review]) && (@is_author || @is_target_maintainer || @my_open_reviews.present?)
 
     @diff_limit = params[:full_diff] ? 0 : nil
     @diff_to_superseded_id = params[:diff_to_superseded]

src/api/app/policies/bs_request_policy.rb

@@ -13,4 +13,11 @@ def handle_request?
     is_author = record.creator == user.login
     record.state.in?([:new, :review, :declined]) && (is_target_maintainer || is_author)
   end
+
+  def add_reviews?
+    is_target_maintainer = record.is_target_maintainer?(user)
+    is_author = record.creator == user.login
+    has_open_reviews = record.reviews.where(state: 'new').select { |review| review.matches_user?(user) }.present?
+    record.state.in?([:new, :review]) && (is_author || is_target_maintainer || has_open_reviews)
+  end
 end

src/api/app/views/webui/request/beta_show.html.haml

@@ -26,7 +26,6 @@
       .row
         = render partial: 'webui/request/beta_show_tabs/conversation_aside',
                 locals: { bs_request: @bs_request,
-                  can_add_reviews: @can_add_reviews,
                   my_open_reviews: @my_open_reviews,
                   request_reviews: @request_reviews,
                   package_maintainers: @package_maintainers,

src/api/app/views/webui/request/beta_show_tabs/_ask_for_review.html.haml

@@ -1,5 +1,4 @@
-- if can_add_reviews
-  %button.btn.btn-outline-secondary.btn-sm{ data: { 'bs-toggle': 'modal', 'bs-target': '#add-reviewer-modal' }, title: 'Add Reviewer' }
-    %i.fas.fa-plus-circle.me-1.text-outline-secondary
-    %span.nav-item-name Add Reviewer
-  = render partial: 'add_reviewer_dialog'
+%button.btn.btn-outline-secondary.btn-sm{ data: { 'bs-toggle': 'modal', 'bs-target': '#add-reviewer-modal' }, title: 'Add Reviewer' }
+  %i.fas.fa-plus-circle.me-1.text-outline-secondary
+  %span.nav-item-name Add Reviewer
+= render partial: 'add_reviewer_dialog'

src/api/app/views/webui/request/beta_show_tabs/_conversation_aside.html.haml

@@ -3,16 +3,15 @@
   - if request_reviews.present?
     .mt-4
       .text-end
-        = render AddReviewDropdownComponent.new(bs_request: bs_request, user: User.session,
-                                              can_add_reviews: can_add_reviews,
-                                              my_open_reviews: my_open_reviews)
+        = render AddReviewDropdownComponent.new(bs_request: bs_request, user: User.session, my_open_reviews: my_open_reviews)
       = render AddReviewCollapsibleComponent.new
       .mb-2
         %h6
           Reviewers
       .mb-4
         = render partial: 'webui/request/beta_show_tabs/review_summary', collection: request_reviews, as: :review
-  = render partial: 'webui/request/beta_show_tabs/ask_for_review', locals: { can_add_reviews: can_add_reviews }
+  - if policy(bs_request).add_reviews?
+    = render partial: 'webui/request/beta_show_tabs/ask_for_review'
 
   -# PACKAGE MAINTAINERS
   - unless package_maintainers.empty?