Limit ExCS admin to managing only starter projects

After a review by @chrisroos, we agreed a user with the
"experience-cs-admin" role should:

1. Be able to manage starter (or public) projects, i.e. those that have
  `user_id` set to `nil`.
2. Be able to manage their own projects, i.e. those that have a `user_id`
  matching `User#id`.
3. Not be able to manage another user's projects, i.e. those that have a
  `user_id` that does not match `User#id`.

I've expanded the examples in the `Ability` spec to cover these
scenarios and amended the rules to conform with the spec.

I'm taking "manage" permission as equivalent to the combination of read,
create, update & destroy which covers all the standard RESTful
controller actions.

Point 1 was mostly already covered, except for read permission which
allows access to show & index actions, so I've added that.

Point 2 was already covered by permissions defined in
`Ability#define_authenticated_non_student_abilities`.

I've addressed point 3 by adding the `user_id: nil` constraint to the
rules defined in `Ability#define_experience_cs_admin_abilities`.

I've fixed the relevant examples in
`spec/features/project/updating_a_project_spec.rb` by changing the
project to be a starter project.

I've tweaked the wording of the contexts in the three specs to clarify
that they're about an Experience CS admin creating, updating &
destroying a starter Scratch project which is our use case.

Despite the confusion around `load_and_authorize_resource` discussed
in #553, we're pretty confident that these CanCanCan rules are working
as intended in `Api::ProjectsController`. And the specs seem to back
that up.

Author: floehopper

app/models/ability.rb

@@ -105,9 +105,7 @@ def define_school_student_abilities(user:, school:)
   def define_experience_cs_admin_abilities(user)
     return unless user&.experience_cs_admin?
 
-    can :create, Project
-    can :update, Project
-    can :destroy, Project
+    can %i[read create update destroy], Project, user_id: nil
   end
 
   def school_teacher_can_manage_lesson?(user:, school:, lesson:)

spec/features/project/creating_a_project_spec.rb

@@ -209,7 +209,7 @@
     end
   end
 
-  context 'when the user is an Experience CS admin' do
+  context 'when an Experience CS admin creates a starter Scratch project' do
     let(:experience_cs_admin) { create(:experience_cs_admin_user) }
     let(:params) do
       {

spec/features/project/updating_a_project_spec.rb

@@ -11,7 +11,8 @@
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
   let(:project_type) { Project::Types::PYTHON }
-  let!(:project) { create(:project, name: 'Test Project', user_id: owner.id, locale: 'en', project_type:) }
+  let(:user_id) { owner.id }
+  let!(:project) { create(:project, name: 'Test Project', user_id:, locale: 'en', project_type:) }
   let(:owner) { create(:owner, school:) }
   let(:school) { create(:school) }
 
@@ -55,8 +56,9 @@
     expect(response).to have_http_status(:unauthorized)
   end
 
-  context 'when the user is an Experience CS admin and project type is scratch' do
+  context 'when an Experience CS admin creates a starter Scratch project' do
     let(:experience_cs_admin) { create(:experience_cs_admin_user) }
+    let(:user_id) { nil }
     let(:project_type) { Project::Types::SCRATCH }
     let(:params) { { project: { name: 'Test Project' } } }
 

spec/models/ability_spec.rb

@@ -140,11 +140,29 @@
     end
 
     context 'with an experience-cs admin' do
-      let(:user) { build(:experience_cs_admin_user) }
+      let(:user) { build(:experience_cs_admin_user, id: user_id) }
+      let(:another_project) { build(:project) }
 
-      it { is_expected.to be_able_to(:create, starter_project) }
-      it { is_expected.to be_able_to(:update, starter_project) }
-      it { is_expected.to be_able_to(:destroy, starter_project) }
+      context 'with a starter project' do
+        it { is_expected.to be_able_to(:read, starter_project) }
+        it { is_expected.to be_able_to(:create, starter_project) }
+        it { is_expected.to be_able_to(:update, starter_project) }
+        it { is_expected.to be_able_to(:destroy, starter_project) }
+      end
+
+      context 'with own project' do
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:create, project) }
+        it { is_expected.to be_able_to(:update, project) }
+        it { is_expected.to be_able_to(:destroy, project) }
+      end
+
+      context 'with another user\'s project' do
+        it { is_expected.not_to be_able_to(:read, another_project) }
+        it { is_expected.not_to be_able_to(:create, another_project) }
+        it { is_expected.not_to be_able_to(:update, another_project) }
+        it { is_expected.not_to be_able_to(:destroy, another_project) }
+      end
     end
 
     # rubocop:disable RSpec/MultipleMemoizedHelpers

spec/requests/projects/destroy_spec.rb

@@ -37,7 +37,7 @@
       end
     end
 
-    context 'when experience-cs admin deleting a Scratch starter project' do
+    context 'when an Experience CS admin destroys a starter Scratch project' do
       let(:project) do
         create(
           :project, {