Users & Auth

app/policies/application_policy.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      scope.all
+    end
+  end
+end

app/policies/user_policy.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+class UserPolicy < ApplicationPolicy
+  def show?
+    raise Pundit::NotAuthorizedError if user.nil?
+    return true if user&.acts_as_admin?
+
+    user == record
+  end
+
+  def update?
+    raise Pundit::NotAuthorizedError if user.nil?
+
+    show?
+  end
+
+  def destroy?
+    raise Pundit::NotAuthorizedError if user.nil?
+
+    user&.acts_as_admin?
+  end
+
+  def create?
+    raise Pundit::NotAuthorizedError if user.nil?
+
+    user&.acts_as_admin?
+  end
+
+  def permitted_attributes
+    return base_attributes + %i[role] if user&.acts_as_admin?
+
+    base_attributes
+  end
+
+  def base_attributes
+    %i[
+      display_name
+      email
+      password
+      password_confirmation
+    ]
+  end
+
+  class Scope < Scope
+    def resolve
+      raise Pundit::NotAuthorizedError if user.nil?
+      return scope if user.acts_as_admin?
+
+      scope.where(id: user.id)
+    end
+  end
+end