quiz policies
@ -2,14 +2,16 @@
|
||||
module Admin
|
||||
class QuizController < AdminController
|
||||
def index
|
||||
@quizzes = Quiz.all
|
||||
@quizzes = policy_scope Quiz.all
|
||||
end
|
||||
|
||||
def new
|
||||
@quiz = Quiz.new
|
||||
authorize @quiz
|
||||
end
|
||||
|
||||
def create
|
||||
authorize Quiz
|
||||
@quiz = Quiz.create(quiz_params)
|
||||
|
||||
if @quiz.persisted?
|
||||
@ -22,14 +24,17 @@ module Admin
|
||||
|
||||
def view
|
||||
@quiz = Quiz.find(params[:quiz_id])
|
||||
authorize @quiz
|
||||
end
|
||||
|
||||
def edit
|
||||
@quiz = Quiz.find(params[:quiz_id])
|
||||
authorize @quiz
|
||||
end
|
||||
|
||||
def update
|
||||
@quiz = Quiz.find(params[:quiz_id])
|
||||
authorize @quiz
|
||||
|
||||
if @quiz.update_attributes(quiz_params)
|
||||
redirect_to admin_quiz_path(@quiz.to_i),
|
||||
|
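Review bot: `authorize @quiz` in `new` (first hunk) and `edit` (second hunk) makes Pundit query `new?` and `edit?` on QuizPolicy, but the QuizPolicy added in this commit defines only `view?`, `create?` and `update?`; unless ApplicationPolicy (not shown) already aliases `new?` to `create?` and `edit?` to `update?`, those two actions would likely fail with NoMethodError instead of a clean authorization decision. Either name the query explicitly, `authorize @quiz, :create?` in `new` and `authorize @quiz, :update?` in `edit`, or add the two delegating predicates to QuizPolicy. `index` relies on `policy_scope` alone, which is fine for a listing, but a `after_action :verify_authorized, except: :index` plus `after_action :verify_policy_scoped, only: :index` in the base controller would stop a future action from silently skipping authorization the way these did before this commit. The controller class continues outside both hunks.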
@ -16,9 +16,23 @@ class User < ApplicationRecord
|
||||
end
|
||||
|
||||
# TODO: move to mixin: UserRoles
|
||||
# define remaining helpers
|
||||
def admin?
|
||||
role == 'admin'
|
||||
'admin' == role
|
||||
end
|
||||
|
||||
# TODO: move to mixin: UserRoles
|
||||
def manager?
|
||||
%w(admin manager).include? role
|
||||
end
|
||||
|
||||
# TODO: move to mixin: UserRoles
|
||||
def recruiter?
|
||||
'recruiter' == role
|
||||
end
|
||||
|
||||
# TODO: move to mixin: UserRoles
|
||||
def reviewer?
|
||||
'reviewer' == role
|
||||
end
|
||||
|
||||
private
|
||||
|
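Review bot: The Yoda form `'admin' == role` introduced in `admin?` (and used in `recruiter?`/`reviewer?`) is inconsistent with `manager?`, which tests `%w(admin manager).include? role`, and RuboCop's Style/YodaCondition flags it; `role == 'admin'` reads naturally and is what the line replaced. `manager?` is true for admins as well, which callers testing `admin? || manager?` will not expect without a hint, so a comment such as `# admins are implicitly managers` above `manager?` would help. The role strings are repeated across four methods; a frozen constant, `ROLES = %w[admin manager recruiter reviewer].freeze`, used by the predicates would catch a mistyped role in one place, and the four identical TODO lines could be a single one above the group. The enclosing User class starts before this hunk.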
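--- a/app/policies/quiz_policy.rb
+++ b/app/policies/quiz_policy.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+class QuizPolicy < ApplicationPolicy
+  # Quiz Access Policy
+  #
+  # Only Admins and Managers can create or update a quiz (and its questions)
+  # Reviewers can view any quiz they are linked to
+  # Recruiters can only list quiz names (for candidate assignments)
+
+  def view?
+    return true if user.admin? || user.manager?
+    user.quizzes.include? record
+  end
+
+  def create?
+    user.manager? || user.admin?
+  end
+
+  def update?
+    user.manager? || user.admin?
+  end
+
+  class Scope < Scope
+    def resolve
+      if user.reviewer?
+        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
+      else
+        scope
+      end
+    end
+  end
+end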
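Review bot: `Scope#resolve` returns the unfiltered `scope` for every role other than `reviewer?`, which includes recruiters (whom the header comment limits to listing quiz names) and any user whose role string matches none of the helpers, so the scope is allow-by-default and an unrecognised or misassigned role sees every quiz. Enumerate the roles meant to see everything and end with `scope.none`, as sketched below; the recruiter case is left unfiltered in the sketch because the quiz columns are not visible in this commit, so the name-only restriction still needs a `select` once they are known. In `view?`, `user.quizzes.include? record` loads the whole association to answer a membership question; `user.quizzes.exists?(record.id)` asks the database instead. Since `manager?` in this commit's User change is already true for admins, `user.manager? || user.admin?` in `create?` and `update?` reduces to `user.manager?`, though keeping both is harmless if that helper later changes.
```ruby
class Scope < Scope
  def resolve
    return scope if user.admin? || user.manager? || user.recruiter?
    return scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id) if user.reviewer?

    # deny by default: a role not listed above sees no quizzes
    scope.none
  end
end
```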
@ -1,5 +1,9 @@
|
||||
# frozen_string_literal: true
|
||||
class UserPolicy < ApplicationPolicy
|
||||
# User Access Policy
|
||||
#
|
||||
# Only Admins can view, create, or update, users
|
||||
|
||||
def view?
|
||||
user.admin? && show?
|
||||
end
|
||||
|
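Review bot: The new header comment states that only admins can view, create, or update users, but the hunk shows only `view?`; `create?` and `update?` lie outside it (the class continues past the hunk), and if they inherit ApplicationPolicy's defaults the comment promises more than the policy enforces, so that is worth confirming. The comment also carries a stray comma: `# Only Admins can view, create, or update users`. `view?` additionally requires `show?`, which is not defined in the visible part of this file; a short comment stating where `show?` comes from would spare the next reader a search.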