limit quiz and results scopes to current_user access

now managers and reviewers can only see quizzes and completed results for those quizzes they have been assigned to.
2017-05-03 16:25:32 -05:00 · 2017-05-03 16:25:32 -05:00 · 255e430abd
commit 255e430abd
parent 49035929fb
6 changed files with 11 additions and 8 deletions
--- a/1
+++ b/1
@ -54,6 +54,7 @@ group :development, :test do
  gem 'byebug', platform: :mri
  gem 'pry-byebug'
  gem 'pry-rails'
  gem 'table_print'
  gem 'faker'
  gem 'brakeman'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -280,6 +280,7 @@ GEM
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    table_print (1.5.6)
    thor (0.19.4)
    thread_safe (0.3.5)
    tilt (2.0.5)
@ -348,6 +349,7 @@ DEPENDENCIES
  simplecov
  spring
  spring-watcher-listen (~> 2.0.0)
  table_print
  turbolinks (~> 5)
  tzinfo-data
  uglifier (>= 1.3.0)
--- a/app/controllers/admin/result_controller.rb
+++ b/app/controllers/admin/result_controller.rb
@ -11,10 +11,10 @@ module Admin
    def index
      sort_case = "(case when review_status = 0 then '' else name end)"
      sort_with_case = sort_column == 'name' ? sort_case : sort_column
-      @candidates = Candidate.where(completed: true)
+      @candidates = current_user.reviewees.where(completed: true)
-                             .includes(:recruiter)
+                                .includes(:recruiter)
-                             .order("#{sort_with_case} #{sort_direction}")
+                                .order("#{sort_with_case} #{sort_direction}")
-                             .page(params[:page])
+                                .page(params[:page])
    end
    def view
--- a/app/policies/quiz_policy.rb
+++ b/app/policies/quiz_policy.rb
@ -25,10 +25,10 @@ class QuizPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
-      if user.reviewer?
+      if user.acts_as_recruiter?
        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
      else
        scope
      else
        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
      end
    end
  end
--- a/erd.pdf
+++ b/erd.pdf
--- a/test/policies/quiz_policy_test.rb
+++ b/test/policies/quiz_policy_test.rb
@ -15,7 +15,7 @@ class QuizPolicyTest < PolicyAssertions::Test
  test 'should allow manager to scope' do
    scope = QuizPolicy::Scope.new(users(:manager), Quiz).resolve
-    assert_equal Quiz.count, scope.count
+    assert_equal users(:manager).quizzes.count, scope.count
  end
  test 'should allow reviewer to scope' do