app/controllers/decidim/accountability/admin/results_controller.rb in decidim-accountability-0.11.2 vs app/controllers/decidim/accountability/admin/results_controller.rb in decidim-accountability-0.12.0.pre

@@ -6,15 +6,19 @@
       # This controller allows an admin to manage results from a Participatory Process
       class ResultsController < Admin::ApplicationController
         helper_method :results, :parent_result, :parent_results, :statuses
 
         def new
+          enforce_permission_to :create, :result
+
           @form = form(ResultForm).instance
           @form.parent_id = params[:parent_id]
         end
 
         def create
+          enforce_permission_to :create, :result
+
           @form = form(ResultForm).from_params(params)
 
           CreateResult.call(@form) do
             on(:ok) do
               flash[:notice] = I18n.t("results.create.success", scope: "decidim.accountability.admin")
@@ -27,14 +31,18 @@
             end
           end
         end
 
         def edit
+          enforce_permission_to :update, :result, result: result
+
           @form = form(ResultForm).from_model(result)
         end
 
         def update
+          enforce_permission_to :update, :result, result: result
+
           @form = form(ResultForm).from_params(params)
 
           UpdateResult.call(@form, result) do
             on(:ok) do
               flash[:notice] = I18n.t("results.update.success", scope: "decidim.accountability.admin")
@@ -47,9 +55,11 @@
             end
           end
         end
 
         def destroy
+          enforce_permission_to :destroy, :result, result: result
+
           DestroyResult.call(result, current_user) do
             on(:ok) do
               flash[:notice] = I18n.t("results.destroy.success", scope: "decidim.accountability.admin")
 
               redirect_to results_path(parent_id: result.parent_id)