quiz policies

app/policies/quiz_policy.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+class QuizPolicy < ApplicationPolicy
+  # Quiz Access Policy
+  #
+  # Only Admins and Managers can create or update a quiz (and its questions)
+  # Reviewers can view any quiz they are linked to
+  # Recruiters can only list quiz names (for candidate assignments)
+
+  def view?
+    return true if user.admin? || user.manager?
+    user.quizzes.include? record
+  end
+
+  def create?
+    user.manager? || user.admin?
+  end
+
+  def update?
+    user.manager? || user.admin?
+  end
+
+  class Scope < Scope
+    def resolve
+      if user.reviewer?
+        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
+      else
+        scope
+      end
+    end
+  end
+end

app/policies/user_policy.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 class UserPolicy < ApplicationPolicy
+  # User Access Policy
+  #
+  # Only Admins can view, create, or update, users
+
   def view?
     user.admin? && show?
   end