From 65f4e99a2194103d1ed928dd325858074b10ff67 Mon Sep 17 00:00:00 2001
From: Tim Standen
Date: Thu, 27 Feb 2025 16:51:39 -0800
Subject: [PATCH] add ability for journal editors to manage project grants

---
 api/app/authorizers/entitlement_authorizer.rb   | 2 ++
 api/app/authorizers/project_authorizer.rb       | 6 ++++--
 api/spec/authorizers/project_authorizer_spec.rb | 2 ++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/app/authorizers/entitlement_authorizer.rb b/api/app/authorizers/entitlement_authorizer.rb
index 77f1a2df7d..bf118dedfc 100644
--- a/api/app/authorizers/entitlement_authorizer.rb
+++ b/api/app/authorizers/entitlement_authorizer.rb
@@ -58,6 +58,7 @@ def default(_adjective, user, options = {})
   # @param [Hash] options
   # @option options [ApplicationRecord] :for
   def creatable_by?(user, options = {})
+    return false if user.marketeer?
     might_access? user, options
   end
@@ -65,6 +66,7 @@ def creatable_by?(user, options = {})
   # @param [Hash] options
   # @option options [ApplicationRecord] :for
   def manageable_by?(user, options = {})
+    return false if user.marketeer?
     might_access? user, options
   end
diff --git a/api/app/authorizers/project_authorizer.rb b/api/app/authorizers/project_authorizer.rb
index a99d0ced8d..e11b627276 100644
--- a/api/app/authorizers/project_authorizer.rb
+++ b/api/app/authorizers/project_authorizer.rb
@@ -106,9 +106,10 @@ def project_administered_by?(user, _options = {})
   # @param [User] user
   # @param [Hash] options
   def entitlements_creatable_by?(user, options = {})
+    return false if resource.draft? && !has_any_role?(user, :admin, :editor)
     options ||= {}
-    options[:subject] = resource
+    options[:for] = resource
     user.can_create? Entitlement, options
   end
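Review bot: The added `return false if user.marketeer?` in creatable_by? (and its twin in manageable_by? in the next hunk) is an unconditional role deny evaluated before `might_access?`, so it also overrides whatever the `:for` record would otherwise grant; if a user can carry the marketeer role together with a global admin role, confirm that losing the admin path here is intended, since nothing in this hunk shows the roles are exclusive. The YARD block above each method still documents only `:for` and says nothing about the new rule, so add `# @return [Boolean] false for marketeers regardless of options[:for]` to both. The diffstat shows no spec change for entitlement_authorizer.rb; a case asserting that a marketeer can neither create nor manage an Entitlement would pin the deny.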
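Review bot: The guard `return false if resource.draft? && !has_any_role?(user, :admin, :editor)` in entitlements_creatable_by? is repeated verbatim in entitlements_manageable_by? in the following hunk, together with the `options ||= {}` / `options[:for] = resource` preamble that writes into a caller-supplied hash in place; both methods could delegate to two small private helpers (below), which also stops the mutation unless some caller relies on seeing `:for` written back. The rename from `:subject` to `:for` lines up with the `@option options [ApplicationRecord] :for` documented on EntitlementAuthorizer's creatable_by?/manageable_by? in this same patch, which suggests the project was previously handed to that authorizer under a key it never read; a one-line comment saying `:for` is the key EntitlementAuthorizer consumes would keep the next edit from reverting it. Whether `has_any_role?` checks project-scoped or global roles is not visible here; if it is resource-scoped, a global admin without a role on this particular draft project is denied, so confirm that is the intended policy. The spec hunk in this patch adds only positive journal-editor cases; a case asserting denial on a draft project would pin the new guard.
```ruby
  def entitlements_creatable_by?(user, options = {})
    return false unless entitlement_grants_allowed_for?(user)

    user.can_create? Entitlement, entitlement_options(options)
  end

  # … unchanged: entitlements_manageable_by? uses the same two helpers with can_manage? …

  # Draft projects only accept grant changes from admins/editors.
  def entitlement_grants_allowed_for?(user)
    !resource.draft? || has_any_role?(user, :admin, :editor)
  end

  # EntitlementAuthorizer reads the owning record from options[:for]; do not mutate the caller's hash.
  def entitlement_options(options)
    (options || {}).merge(for: resource)
  end
```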
@@ -117,9 +118,10 @@ def entitlements_creatable_by?(user, options = {})
   # @param [User] user
   # @param [Hash] options
   def entitlements_manageable_by?(user, options = {})
+    return false if resource.draft? && !has_any_role?(user, :admin, :editor)
     options ||= {}
-    options[:subject] = resource
+    options[:for] = resource
     user.can_manage? Entitlement, options
   end
diff --git a/api/spec/authorizers/project_authorizer_spec.rb b/api/spec/authorizers/project_authorizer_spec.rb
index 448a77d146..2ddc600a48 100644
--- a/api/spec/authorizers/project_authorizer_spec.rb
+++ b/api/spec/authorizers/project_authorizer_spec.rb
@@ -341,6 +341,8 @@
       it { is_expected.to be_able_to(:read).on(journal_issue.project) }
       it { is_expected.to be_able_to(:update).on(journal_issue.project) }
       it { is_expected.not_to be_able_to(:create).on(journal_issue.project) }
+      it { is_expected.to be_able_to(:manage_entitlements).on(journal_issue.project) }
+      it { is_expected.to be_able_to(:create_entitlements).on(journal_issue.project) }
       it "cannot delete a journal issue's project directly (delete the journal issue itself)" do
         is_expected.not_to be_able_to(:delete).on(journal_issue.project)