Only experience-cs admins can update public projects

For the moment, we only want to allow experience-cs admin users to be
able to update public projects.

Author: floehopper

app/controllers/api/public_projects_controller.rb

@@ -19,6 +19,7 @@ def create
     end
 
     def update
+      authorize! :update, :public_project
       result = PublicProject::Update.call(project: @project, update_hash: update_params)
 
       if result.success?

spec/features/public_project/updating_a_public_project_spec.rb

@@ -3,7 +3,7 @@
 require 'rails_helper'
 
 RSpec.describe 'Updating a public project', type: :request do
-  let(:creator) { build(:user) }
+  let(:creator) { build(:experience_cs_admin_user) }
   let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
   let(:params) { { project: { name: 'New name' } } }
@@ -24,6 +24,15 @@
     expect(data).to include(name: 'New name')
   end
 
+  context 'when creator is not an experience-cs admin' do
+    let(:creator) { build(:user) }
+
+    it 'responds 403 Forbidden' do
+      put("/api/public_projects/#{project.identifier}?project_type=scratch", headers:, params:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   it 'responds 400 Bad Request when params are malformed' do
     put("/api/public_projects/#{project.identifier}?project_type=scratch", headers:, params: {})
     expect(response).to have_http_status(:bad_request)

spec/requests/public_projects/update_spec.rb

@@ -6,7 +6,7 @@
   let(:locale) { 'fr' }
   let(:project_loader) { instance_double(ProjectLoader) }
   let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
-  let(:creator) { build(:user) }
+  let(:creator) { build(:experience_cs_admin_user) }
   let(:params) { { project: { name: 'New name' } } }
 
   context 'when auth is correct' do