# frozen_string_literal: true
class QuestionPolicy < ApplicationPolicy
  # Question Access Policy
  #
  # - Admins and Managers may create or update a quiz (and its questions) and
  #   may view every question.
  # - Reviewers may view questions only on quizzes they are linked to.
  # - Recruiters may NOT list or view questions at all.
  #
  # NOTE(review): `options?` only excludes recruiters; unlike `view?` it does not
  # check that the user is linked to the record's quiz. Confirm that is intended.

  # Can the user view this question?
  #
  # @return [Boolean] false for recruiters, true for admins/managers, otherwise
  #   whether the user is linked to the question's quiz.
  def view?
    return false if user.recruiter?
    return true if privileged?

    user.quizzes.include?(record.quiz)
  end

  # Only admins and managers may create questions.
  #
  # @return [Boolean]
  def create?
    privileged?
  end

  # Update permission mirrors create permission.
  #
  # @return [Boolean]
  def update?
    privileged?
  end

  # Every role except recruiter may see a question's options.
  #
  # @return [Boolean]
  def options?
    !user.recruiter?
  end

  # Restricts which questions a user may list.
  class Scope < Scope
    # @raise [Pundit::NotAuthorizedError] for recruiters — the scope raises
    #   rather than returning an empty relation, presumably so the index
    #   request is handled as a not-authorized error.
    # @return the unrestricted scope for admins/managers; otherwise the
    #   questions whose quiz the user is linked to.
    def resolve
      raise(Pundit::NotAuthorizedError, 'No Access to resource.') if user.recruiter?
      return scope if user.admin? || user.manager?

      # NOTE(review): map(&:id) presumably loads every linked quiz to build the
      # id list; fine for small quiz sets, verify if users can be linked to many.
      scope.where(quiz_id: user.quizzes.map(&:id))
    end
  end

  private

  # Admins and managers are treated identically by this policy.
  #
  # @return [Boolean]
  def privileged?
    user.admin? || user.manager?
  end
end