Less confusing example of authorization

Currently, the route `payments#index` exists but is disallowed to all
users. This is probably in order to provide a context to the
authorization spec, but I think it's confusing.

Now that we have an authentication mechanism, we can use this to provide
a clearer (I hope) authorization spec and a less confusing app.

Author: pablobm

spec/example_app/app/policies/payment_policy.rb

@@ -1,6 +1,6 @@
 class PaymentPolicy < ApplicationPolicy
   def index?
-    false
+    user.admin?
   end
 
   def create?

spec/features/authorization_spec.rb

@@ -22,16 +22,25 @@ def show?
     Product.policy_class = @original_product_policy
   end
 
-  it "shows link to resource for which index? is authorized" do
-    visit admin_customers_path
-    navigation = find(".navigation")
-    expect(navigation).to have_link("Products")
-  end
+  describe "navigation" do
+    def navigation
+      visit admin_customers_path
+      find(".navigation")
+    end
+
+    def become_user(customer)
+      visit become_admin_customer_path(customer)
+    end
 
-  it "hides link to resource for which index? is not authorized" do
-    visit admin_customers_path
-    navigation = find(".navigation")
-    expect(navigation).not_to have_link("Payments")
+    it "shows links to sections with authorized index" do
+      expect(navigation).to have_link("Payments")
+    end
+
+    it "hides links to sections without authorized index" do
+      customer = create(:customer, name: "Non Admin")
+      become_user(customer)
+      expect(navigation).not_to have_link("Payments")
+    end
   end
 
   it "renders all results yielded by the scope" do