quiz policies
parent
ead9564fe8
commit
13610edcd1
@ -2,14 +2,16 @@
|
|||||||
module Admin
|
module Admin
|
||||||
class QuizController < AdminController
|
class QuizController < AdminController
|
||||||
def index
|
def index
|
||||||
@quizzes = Quiz.all
|
@quizzes = policy_scope Quiz.all
|
||||||
end
|
end
|
||||||
|
|
||||||
def new
|
def new
|
||||||
@quiz = Quiz.new
|
@quiz = Quiz.new
|
||||||
|
authorize @quiz
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
|
authorize Quiz
|
||||||
@quiz = Quiz.create(quiz_params)
|
@quiz = Quiz.create(quiz_params)
|
||||||
|
|
||||||
if @quiz.persisted?
|
if @quiz.persisted?
|
||||||
@ -22,14 +24,17 @@ module Admin
|
|||||||
|
|
||||||
def view
|
def view
|
||||||
@quiz = Quiz.find(params[:quiz_id])
|
@quiz = Quiz.find(params[:quiz_id])
|
||||||
|
authorize @quiz
|
||||||
end
|
end
|
||||||
|
|
||||||
def edit
|
def edit
|
||||||
@quiz = Quiz.find(params[:quiz_id])
|
@quiz = Quiz.find(params[:quiz_id])
|
||||||
|
authorize @quiz
|
||||||
end
|
end
|
||||||
|
|
||||||
def update
|
def update
|
||||||
@quiz = Quiz.find(params[:quiz_id])
|
@quiz = Quiz.find(params[:quiz_id])
|
||||||
|
authorize @quiz
|
||||||
|
|
||||||
if @quiz.update_attributes(quiz_params)
|
if @quiz.update_attributes(quiz_params)
|
||||||
redirect_to admin_quiz_path(@quiz.to_i),
|
redirect_to admin_quiz_path(@quiz.to_i),
|
||||||
|
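Review bot: Nothing in this controller fails closed if an action forgets to call `authorize`; the new calls in `new`, `create`, `view`, `edit` and `update` are each hand-placed, and any action outside these hunks (a `destroy`, for instance) stays unprotected unless `AdminController` already enforces it. Unless the base class does so, add `after_action :verify_authorized, except: :index` and `after_action :verify_policy_scoped, only: :index` at the top of `QuizController` so Pundit raises when an action completes without an authorization check or an unscoped `index` query. A `rescue_from Pundit::NotAuthorizedError` handler (not visible here) is also needed, otherwise a denied request surfaces as a 500 rather than a 403 or redirect. The `create` and `update` bodies continue outside these hunks.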
@ -16,9 +16,23 @@ class User < ApplicationRecord
|
|||||||
end
|
end
|
||||||
|
|
||||||
# TODO: move to mixin: UserRoles
|
# TODO: move to mixin: UserRoles
|
||||||
# define remaining helpers
|
|
||||||
def admin?
|
def admin?
|
||||||
role == 'admin'
|
'admin' == role
|
||||||
|
end
|
||||||
|
|
||||||
|
# TODO: move to mixin: UserRoles
|
||||||
|
def manager?
|
||||||
|
%w(admin manager).include? role
|
||||||
|
end
|
||||||
|
|
||||||
|
# TODO: move to mixin: UserRoles
|
||||||
|
def recruiter?
|
||||||
|
'recruiter' == role
|
||||||
|
end
|
||||||
|
|
||||||
|
# TODO: move to mixin: UserRoles
|
||||||
|
def reviewer?
|
||||||
|
'reviewer' == role
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
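Review bot: `manager?` is true for admins as well (`%w(admin manager).include? role`), whereas `admin?`, `recruiter?` and `reviewer?` each match exactly one role; that asymmetry looks like a deliberate privilege hierarchy, but nothing says so, and callers that write `user.manager? || user.admin?` suggest it is not widely understood. Document it on the method, e.g. `# Admins count as managers: every manager privilege is also granted to admins.`, and collapse the four identical `# TODO: move to mixin: UserRoles` comments into one above the group. If `role` is not validated against a fixed list elsewhere, a misspelled value silently yields a user with no privileges, which is at least the safe direction. The `User` class header and the `private` section continue outside this hunk.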
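--- /dev/null
+++ b/app/policies/quiz_policy.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+class QuizPolicy < ApplicationPolicy
+# Quiz Access Policy
+#
+# Only Admins and Managers can create or update a quiz (and its questions)
+# Reviewers can view any quiz they are linked to
+# Recruiters can only list quiz names (for candidate assignments)
+
+def view?
+return true if user.admin? || user.manager?
+user.quizzes.include? record
+end
+
+def create?
+user.manager? || user.admin?
+end
+
+def update?
+user.manager? || user.admin?
+end
+
+class Scope < Scope
+def resolve
+if user.reviewer?
+scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
+else
+scope
+end
+end
+end
+end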
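Review bot: Both `view?` and `Scope#resolve` fail open for any role that is not explicitly handled: `view?` grants access to whatever `user.quizzes` contains regardless of role, and the `else` branch of `resolve` returns the unscoped relation, so a user with an unexpected or nil `role` (or a recruiter, should that association ever be populated for them) sees every quiz. The header comment says only reviewers get per-quiz access and recruiters only list names, so the code should state that explicitly and default to denial. `include?` also loads the entire association just to test membership; `exists?` pushes that check to the database (assuming `user.quizzes` is an ActiveRecord association, which this file does not show). `create?` and `update?` are unchanged.

```ruby
def view?
  return true if user.admin? || user.manager?
  # Only reviewers get per-quiz access; every other role is denied here.
  user.reviewer? && user.quizzes.exists?(record.id)
end

# … unchanged: create?, update? …

class Scope < Scope
  def resolve
    if user.admin? || user.manager? || user.recruiter?
      scope
    elsif user.reviewer?
      scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
    else
      scope.none # unknown or missing role: fail closed
    end
  end
end
```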
@ -1,5 +1,9 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
class UserPolicy < ApplicationPolicy
|
class UserPolicy < ApplicationPolicy
|
||||||
|
# User Access Policy
|
||||||
|
#
|
||||||
|
# Only Admins can view, create, or update, users
|
||||||
|
|
||||||
def view?
|
def view?
|
||||||
user.admin? && show?
|
user.admin? && show?
|
||||||
end
|
end
|
||||||
|
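--- a/test/fixtures/quizzes.yml
+++ b/test/fixtures/quizzes.yml
@@ -4,3 +4,8 @@ fed:
 name: PDR Standard FED Screening
 unit: PDR
 dept: FED
+
+admin:
+name: An extra quiz not assigned to anyone
+unit: PDR
+dept: NOPE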
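Review bot: The new fixture is keyed `admin:` although it is a quiz that nobody is linked to, so `quizzes(:admin)` in the policy tests reads as if it were a user or an admin-only quiz. A descriptive key such as `unassigned:` makes `refute_permit users(:reviewer), quizzes(:unassigned)` self-explanatory. The attribute indentation appears to have been lost in this rendering; in the actual file the keys must be nested under the record name as they are for `fed:`.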
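--- /dev/null
+++ b/test/policies/quiz_policy_test.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class QuizPolicyTest < PolicyAssertions::Test
+test 'should require current_user' do
+assert_raise Pundit::NotAuthorizedError do
+QuizPolicy.new(nil, Quiz.first).view?
+end
+end
+
+test 'should allow admin to scope' do
+scope = QuizPolicy::Scope.new(users(:admin), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+
+test 'should allow manager to scope' do
+scope = QuizPolicy::Scope.new(users(:manager), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+
+test 'should allow reviewer to scope' do
+scope = QuizPolicy::Scope.new(users(:reviewer), Quiz).resolve
+assert_equal users(:reviewer).quizzes.count, scope.count
+end
+
+test 'should allow recruiter to scope' do
+scope = QuizPolicy::Scope.new(users(:recruiter), Quiz).resolve
+assert_equal Quiz.count, scope.count
+end
+
+def test_view
+assert_permit users(:admin), quizzes(:fed)
+assert_permit users(:manager), quizzes(:fed)
+assert_permit users(:reviewer), quizzes(:fed)
+
+refute_permit users(:reviewer), quizzes(:admin)
+refute_permit users(:recruiter), quizzes(:fed)
+end
+
+def test_create_and_update
+assert_permit users(:admin), Quiz
+assert_permit users(:manager), Quiz
+
+refute_permit users(:recruiter), Quiz
+refute_permit users(:reviewer), Quiz
+end
+end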
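Review bot: The reviewer scope test at `assert_equal users(:reviewer).quizzes.count, scope.count` compares only sizes, so a scope that returned the wrong N quizzes, or all quizzes when the reviewer fixture happens to be linked to every one, would still pass; assert the identity of the rows instead: `assert_equal users(:reviewer).quizzes.pluck(:id).sort, scope.pluck(:id).sort`. There is also no test for a user whose `role` is outside the four known values, which is exactly the case where a policy is most likely to fail open; a fixture with an unknown role plus a `refute_permit` and an empty-scope assertion would pin that down. `assert_permit users(:reviewer), quizzes(:fed)` depends on the reviewer fixture being linked to `fed` in fixtures not shown here, so a comment naming that dependency would help the next person who edits the fixtures.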
@ -20,12 +20,18 @@ class UserPolicyTest < PolicyAssertions::Test
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_view
|
def test_view
|
||||||
refute_permit users(:manager), User.first
|
|
||||||
assert_permit users(:admin), User.first
|
assert_permit users(:admin), User.first
|
||||||
|
|
||||||
|
refute_permit users(:manager), User.first
|
||||||
|
refute_permit users(:reviewer), User.first
|
||||||
|
refute_permit users(:recruiter), User.first
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_create_and_update
|
def test_create_and_update
|
||||||
refute_permit users(:manager), User
|
|
||||||
assert_permit users(:admin), User
|
assert_permit users(:admin), User
|
||||||
|
|
||||||
|
refute_permit users(:manager), User
|
||||||
|
refute_permit users(:reviewer), User
|
||||||
|
refute_permit users(:recruiter), User
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|