Introduce permission for updating public projects

I plan to use this to restrict updating public projects to experience-cs
admin users.

Author: floehopper

app/models/ability.rb

@@ -103,7 +103,10 @@ def define_school_student_abilities(user:, school:)
   end
 
   def define_experience_cs_admin_abilities(user)
-    can :create, :public_project if user.experience_cs_admin?
+    return unless user.experience_cs_admin?
+
+    can :create, :public_project
+    can :update, :public_project
   end
 
   def school_teacher_can_manage_lesson?(user:, school:, lesson:)

spec/models/ability_spec.rb

@@ -31,6 +31,7 @@
       end
 
       it { is_expected.not_to be_able_to(:create, :public_project) }
+      it { is_expected.not_to be_able_to(:update, :public_project) }
     end
 
     context 'with a standard user' do
@@ -60,6 +61,7 @@
       end
 
       it { is_expected.not_to be_able_to(:create, :public_project) }
+      it { is_expected.not_to be_able_to(:update, :public_project) }
     end
 
     context 'with a teacher' do
@@ -89,6 +91,7 @@
       end
 
       it { is_expected.not_to be_able_to(:create, :public_project) }
+      it { is_expected.not_to be_able_to(:update, :public_project) }
     end
 
     context 'with an owner' do
@@ -118,6 +121,7 @@
       end
 
       it { is_expected.not_to be_able_to(:create, :public_project) }
+      it { is_expected.not_to be_able_to(:update, :public_project) }
     end
 
     context 'with a student' do
@@ -147,12 +151,14 @@
       end
 
       it { is_expected.not_to be_able_to(:create, :public_project) }
+      it { is_expected.not_to be_able_to(:update, :public_project) }
     end
 
     context 'with an experience-cs admin' do
       let(:user) { build(:experience_cs_admin_user) }
 
       it { is_expected.to be_able_to(:create, :public_project) }
+      it { is_expected.to be_able_to(:update, :public_project) }
     end
 
     # rubocop:disable RSpec/MultipleMemoizedHelpers