limit quiz and results scopes to current_user access

now managers and reviewers can only see quizzes and completed results for those quizzes they have been assigned to.
2017-05-03 16:25:32 -05:00
parent 49035929fb
commit 255e430abd
6 changed files with 11 additions and 8 deletions
--- a/app/controllers/admin/result_controller.rb
+++ b/app/controllers/admin/result_controller.rb
@ -11,10 +11,10 @@ module Admin
    def index
      sort_case = "(case when review_status = 0 then '' else name end)"
      sort_with_case = sort_column == 'name' ? sort_case : sort_column
-      @candidates = Candidate.where(completed: true)
-                             .includes(:recruiter)
-                             .order("#{sort_with_case} #{sort_direction}")
-                             .page(params[:page])
+      @candidates = current_user.reviewees.where(completed: true)
+                                .includes(:recruiter)
+                                .order("#{sort_with_case} #{sort_direction}")
+                                .page(params[:page])
    end

    def view
--- a/app/policies/quiz_policy.rb
+++ b/app/policies/quiz_policy.rb
@ -25,10 +25,10 @@ class QuizPolicy < ApplicationPolicy

  class Scope < Scope
    def resolve
-      if user.reviewer?
-        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
-      else
+      if user.acts_as_recruiter?
        scope
+      else
+        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
      end
    end
  end