Merge pull request rubyforgood#4710 from ciaranc78/disable_edit_organ…

…ization_btn_for_volunteers

apply correct permissions to edit_organization btn in header partial

app/views/layouts/_header.html.erb

@@ -81,12 +81,14 @@
                   Messages
                 <% end %>
               </li>
-              <li>
-                <%= link_to edit_casa_org_path(current_organization) do %>
-                  <i class="lni lni-cogs mr-10"></i>
-                  Edit Organization
-                <% end %>
-              </li>
+              <% if policy(:application).modify_organization? %>
+                <li>
+                  <%= link_to edit_casa_org_path(current_organization) do %>
+                    <i class="lni lni-cogs mr-10"></i>
+                    Edit Organization
+                  <% end %>
+                </li>
+              <% end %>
               <li>
                 <%= link_to destroy_user_session_path do %>
                   <i class="lni lni-exit"></i>

spec/views/layouts/header.html.erb_spec.rb

@@ -8,6 +8,8 @@ def true_user
 RSpec.describe "layout/header", type: :view do
   before do
     view.class.include PretenderContext
+
+    enable_pundit(view, user)
     allow(view).to receive(:true_user).and_return(user)
     allow(view).to receive(:current_user).and_return(user)
     allow(view).to receive(:current_organization).and_return(1)
@@ -54,6 +56,14 @@ def true_user
       expect(rendered).to match CGI.escapeHTML user.display_name
       expect(rendered).to match CGI.escapeHTML user.email
     end
+
+    it "does not render unauthorized links" do
+      sign_in user
+
+      render partial: "layouts/header"
+
+      expect(rendered).to_not have_link("Edit Organization")
+    end
   end
 
   context "notifications" do