quiz policies

Mark Moser 2016-09-20 17:19:11 -05:00
parent ead9564fe8
commit 13610edcd1
7 changed files with 117 additions and 5 deletions


@ -2,14 +2,16 @@
module Admin module Admin
class QuizController < AdminController class QuizController < AdminController
def index def index
@quizzes = Quiz.all @quizzes = policy_scope Quiz.all
end end
def new def new
@quiz = Quiz.new @quiz = Quiz.new
authorize @quiz
end end
def create def create
authorize Quiz
@quiz = Quiz.create(quiz_params) @quiz = Quiz.create(quiz_params)
if @quiz.persisted? if @quiz.persisted?
@ -22,14 +24,17 @@ module Admin
def view def view
@quiz = Quiz.find(params[:quiz_id]) @quiz = Quiz.find(params[:quiz_id])
authorize @quiz
end end
def edit def edit
@quiz = Quiz.find(params[:quiz_id]) @quiz = Quiz.find(params[:quiz_id])
authorize @quiz
end end
def update def update
@quiz = Quiz.find(params[:quiz_id]) @quiz = Quiz.find(params[:quiz_id])
authorize @quiz
if @quiz.update_attributes(quiz_params) if @quiz.update_attributes(quiz_params)
redirect_to admin_quiz_path(@quiz.to_i), redirect_to admin_quiz_path(@quiz.to_i),
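Review bot: Every action now calls `authorize` or `policy_scope` by hand, so the next action added to QuizController without that call is silently unprotected; Pundit's `after_action :verify_authorized, except: :index` and `after_action :verify_policy_scoped, only: :index` in the controller would turn the omission into a failure instead. `new` and `edit` authorize the record, but QuizPolicy in this commit defines only `view?`, `create?` and `update?`, so both actions depend on ApplicationPolicy (not shown) mapping `new?` to `create?` and `edit?` to `update?` — worth a one-line comment above `new` so the dependency is visible. The class header's surroundings and the body of `update` continue outside the hunk.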


@ -16,9 +16,23 @@ class User < ApplicationRecord
end end
# TODO: move to mixin: UserRoles # TODO: move to mixin: UserRoles
# define remaining helpers
def admin? def admin?
role == 'admin' 'admin' == role
end
# TODO: move to mixin: UserRoles
def manager?
%w(admin manager).include? role
end
# TODO: move to mixin: UserRoles
def recruiter?
'recruiter' == role
end
# TODO: move to mixin: UserRoles
def reviewer?
'reviewer' == role
end end
private private
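Review bot: The new `manager?` is true for admins as well (`%w(admin manager).include? role`) while `admin?`, `recruiter?` and `reviewer?` are exact matches; nothing documents that asymmetry, and the policies in this commit write `user.manager? || user.admin?` as if the two were disjoint. Either make it exact or state the intent above the method, e.g. `# NOTE: true for admins too - manager permissions are a subset of admin permissions`. The role strings are repeated across the four predicates; a frozen constant such as `ROLES = %w[admin manager recruiter reviewer].freeze` would give one place to validate `role` against so an unrecognised value cannot slip through. The class continues outside the hunk (`private` section).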


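--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+class QuizPolicy < ApplicationPolicy
+# Quiz Access Policy
+#
+# Only Admins and Managers can create or update a quiz (and its questions)
+# Reviewers can view any quiz they are linked to
+# Recruiters can only list quiz names (for candidate assignments)
+def view?
+return true if user.admin? || user.manager?
+user.quizzes.include? record
+end
+def create?
+user.manager? || user.admin?
+end
+def update?
+user.manager? || user.admin?
+end
+class Scope < Scope
+def resolve
+if user.reviewer?
+scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
+else
+scope
+end
+end
+end
+end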
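Review bot: `Scope#resolve` fails open: any user who is not a reviewer — including one whose `role` is nil or a value none of the predicates recognise — receives the whole `scope`, and `view?` only denies such a user because `user.quizzes.include? record` happens to be false. Enumerate the roles that may list quizzes and deny the rest, e.g. `return scope if user.admin? || user.manager? || user.recruiter?` / `return scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id) if user.reviewer?` / `scope.none`. The header comment promises that recruiters can list only quiz names, but the scope hands them full records; either narrow the recruiter branch with `select` or reword the comment so it matches what the code enforces. The reviewer branch embeds the join table name in a SQL fragment; the hash form `where(reviewer_to_quizzes: { user_id: user.id })` stays parameterized without the string.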


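--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 class UserPolicy < ApplicationPolicy
+# User Access Policy
+#
+# Only Admins can view, create, or update, users
 def view?
 user.admin? && show?
 end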


@ -4,3 +4,8 @@ fed:
name: PDR Standard FED Screening name: PDR Standard FED Screening
unit: PDR unit: PDR
dept: FED dept: FED
admin:
name: An extra quiz not assigned to anyone
unit: PDR
dept: NOPE


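--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+require 'test_helper'
+class QuizPolicyTest < PolicyAssertions::Test
+test 'should require current_user' do
+assert_raise Pundit::NotAuthorizedError do
+QuizPolicy.new(nil, Quiz.first).view?
+end
+end
+test 'should allow admin to scope' do
+scope = QuizPolicy::Scope.new(users(:admin), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+test 'should allow manager to scope' do
+scope = QuizPolicy::Scope.new(users(:manager), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+test 'should allow reviewer to scope' do
+scope = QuizPolicy::Scope.new(users(:reviewer), Quiz).resolve
+assert_equal users(:reviewer).quizzes.count, scope.count
+end
+test 'should allow recruiter to scope' do
+scope = QuizPolicy::Scope.new(users(:recruiter), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+def test_view
+assert_permit users(:admin), quizzes(:fed)
+assert_permit users(:manager), quizzes(:fed)
+assert_permit users(:reviewer), quizzes(:fed)
+refute_permit users(:reviewer), quizzes(:admin)
+refute_permit users(:recruiter), quizzes(:fed)
+end
+def test_create_and_update
+assert_permit users(:admin), Quiz
+assert_permit users(:manager), Quiz
+refute_permit users(:recruiter), Quiz
+refute_permit users(:reviewer), Quiz
+end
+end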
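Review bot: The scope tests compare only counts, so `should allow reviewer to scope` passes as long as the join yields the right number of rows rather than the right quizzes — a duplicated reviewer link or a wrong quiz in the result would go unnoticed. Compare identities instead: `assert_equal users(:reviewer).quiz_ids.sort, scope.pluck(:id).sort`. No test exercises a user whose role is none of the four fixtures (the `else` branch of `QuizPolicy::Scope#resolve`), which is the case most likely to leak; a fixture with an unrecognised role plus a `refute_permit` and an empty-scope assertion would pin the intended behaviour. `should require current_user` expects `Pundit::NotAuthorizedError` for a nil user, which presumably comes from ApplicationPolicy's initializer, not shown in this commit.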


@ -20,12 +20,18 @@ class UserPolicyTest < PolicyAssertions::Test
end end
def test_view def test_view
refute_permit users(:manager), User.first
assert_permit users(:admin), User.first assert_permit users(:admin), User.first
refute_permit users(:manager), User.first
refute_permit users(:reviewer), User.first
refute_permit users(:recruiter), User.first
end end
def test_create_and_update def test_create_and_update
refute_permit users(:manager), User
assert_permit users(:admin), User assert_permit users(:admin), User
refute_permit users(:manager), User
refute_permit users(:reviewer), User
refute_permit users(:recruiter), User
end end
end end