limit quiz and results scopes to current_user access

now managers and reviewers can only see quizzes and completed results for those quizzes they have been assigned to.
This commit is contained in:
Mark Moser 2017-05-03 16:25:32 -05:00
parent 49035929fb
commit 255e430abd
6 changed files with 11 additions and 8 deletions

View File

@ -54,6 +54,7 @@ group :development, :test do
gem 'byebug', platform: :mri gem 'byebug', platform: :mri
gem 'pry-byebug' gem 'pry-byebug'
gem 'pry-rails' gem 'pry-rails'
gem 'table_print'
gem 'faker' gem 'faker'
gem 'brakeman' gem 'brakeman'

View File

@ -280,6 +280,7 @@ GEM
actionpack (>= 4.0) actionpack (>= 4.0)
activesupport (>= 4.0) activesupport (>= 4.0)
sprockets (>= 3.0.0) sprockets (>= 3.0.0)
table_print (1.5.6)
thor (0.19.4) thor (0.19.4)
thread_safe (0.3.5) thread_safe (0.3.5)
tilt (2.0.5) tilt (2.0.5)
@ -348,6 +349,7 @@ DEPENDENCIES
simplecov simplecov
spring spring
spring-watcher-listen (~> 2.0.0) spring-watcher-listen (~> 2.0.0)
table_print
turbolinks (~> 5) turbolinks (~> 5)
tzinfo-data tzinfo-data
uglifier (>= 1.3.0) uglifier (>= 1.3.0)

View File

@ -11,7 +11,7 @@ module Admin
def index def index
sort_case = "(case when review_status = 0 then '' else name end)" sort_case = "(case when review_status = 0 then '' else name end)"
sort_with_case = sort_column == 'name' ? sort_case : sort_column sort_with_case = sort_column == 'name' ? sort_case : sort_column
@candidates = Candidate.where(completed: true) @candidates = current_user.reviewees.where(completed: true)
.includes(:recruiter) .includes(:recruiter)
.order("#{sort_with_case} #{sort_direction}") .order("#{sort_with_case} #{sort_direction}")
.page(params[:page]) .page(params[:page])

View File

@ -25,10 +25,10 @@ class QuizPolicy < ApplicationPolicy
class Scope < Scope class Scope < Scope
def resolve def resolve
if user.reviewer? if user.acts_as_recruiter?
scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
else
scope scope
else
scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
end end
end end
end end

BIN
erd.pdf

Binary file not shown.

View File

@ -15,7 +15,7 @@ class QuizPolicyTest < PolicyAssertions::Test
test 'should allow manager to scope' do test 'should allow manager to scope' do
scope = QuizPolicy::Scope.new(users(:manager), Quiz).resolve scope = QuizPolicy::Scope.new(users(:manager), Quiz).resolve
assert_equal Quiz.count, scope.count assert_equal users(:manager).quizzes.count, scope.count
end end
test 'should allow reviewer to scope' do test 'should allow reviewer to scope' do