starting a result policy

Mark Moser 2017-05-04 14:02:11 -05:00
parent e009fc3330
commit 3ebb79857e
3 changed files with 73 additions and 9 deletions


@ -1,18 +1,14 @@
# frozen_string_literal: true # frozen_string_literal: true
module Admin module Admin
class ResultController < AdminController class ResultController < AdminController
# TODO: change context from Candidate to Quiz # TODO: bypass pundit authorization until a result wrapper class if sorted
# bypass pundit lockdowns until completed
after_action :skip_policy_scope
after_action :skip_authorization after_action :skip_authorization
# # needed for :view
# TODO: Limit results to the quizzes current_user has access to
def index def index
sort_case = "(case when review_status = 0 then '' else name end)" sort_case = "(case when review_status = 0 then '' else name end)"
sort_with_case = sort_column == 'name' ? sort_case : sort_column sort_with_case = sort_column == 'name' ? sort_case : sort_column
@candidates = current_user.reviewees.where(completed: true) @candidates = policy_scope(:result).includes(:recruiter)
.includes(:recruiter)
.order("#{sort_with_case} #{sort_direction}") .order("#{sort_with_case} #{sort_direction}")
.page(params[:page]) .page(params[:page])
end end
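Review bot: `policy_scope(:result)` on the changed `@candidates` line hands the Symbol `:result` to `ResultPolicy::Scope` as its scope, and that Scope never calls anything on it — the query only works because `resolve` hardcodes `Candidate` instead of using what it was given, so the controller and policy are coupled by an unstated convention. A one-line comment would keep the next reader from "fixing" either side in isolation: `# :result only selects ResultPolicy::Scope; resolve ignores the scope arg and queries Candidate itself`. Separately, `sort_column` and `sort_direction` are still interpolated straight into `.order(...)`; both are defined outside this hunk, so this is only safe if they are allow-listed there, which is worth confirming. The new TODO reads "until a result wrapper class if sorted" — presumably "is sorted".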


@ -0,0 +1,41 @@
# frozen_string_literal: true
class ResultPolicy < Struct.new(:user, :result)
# Result Access Policy
#
# Only Admins and Recruiters can view all results
# Managers and Reviewers can view any completed quiz they are linked to
attr_reader :user, :record
def initialize(user, record)
raise Pundit::NotAuthorizedError, "Must be logged in." unless user
@user = user
@record = record
end
def index?
true
end
# def view?
# return true if user.acts_as_recruiter?
# user.reviewees.include? record
# end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
if user.acts_as_recruiter?
Candidate.where(completed: true)
else
user.reviewees.where(completed: true)
end
end
end
end
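Review bot: `ResultPolicy::Scope#initialize` accepts a nil user, so an unauthenticated caller reaches `user.acts_as_recruiter?` in `resolve` and gets a `NoMethodError` rather than the `Pundit::NotAuthorizedError` the outer policy raises for the same case. Adding `raise Pundit::NotAuthorizedError, "Must be logged in." unless user` to the Scope initializer keeps both paths consistent; AdminController may already enforce login, but the policy should not depend on it. `resolve` also ignores the `scope` it stores and hardcodes `Candidate.where(completed: true)` — either use `scope.where(completed: true)` there and pass a relation from the caller, or document the choice with `# scope is intentionally unused: callers pass :result only to select this policy`. Finally, `class ResultPolicy < Struct.new(:user, :result)` declares Struct members `user`/`result` but the class then defines its own `attr_reader :user, :record` and `initialize`, leaving a `result` accessor that always returns nil; a plain `class ResultPolicy` with the explicit initializer says the same thing without the dead Struct members.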


@ -0,0 +1,27 @@
# frozen_string_literal: true
require 'test_helper'
class ResultPolicyTest < PolicyAssertions::Test
def test_index
assert_permit users(:admin), :result
assert_permit users(:recruiter), :result
assert_permit users(:manager), :result
assert_permit users(:reviewer), :result
end
test 'should allow admin to scope' do
scope = ResultPolicy::Scope.new(users(:admin), Candidate).resolve
assert_equal Candidate.where(completed: true).count, scope.count
end
test 'should allow recruiter to scope' do
scope = ResultPolicy::Scope.new(users(:recruiter), Candidate).resolve
assert_equal Candidate.where(completed: true).count, scope.count
end
test 'should not allow fed.reviewer to scope studio results' do
reviewer = users(:reviewer)
scope = ResultPolicy::Scope.new(reviewer, Candidate).resolve
assert_equal reviewer.reviewees.where(completed: true).count, scope.count
end
end
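Review bot: The reviewer case at `test 'should not allow fed.reviewer to scope studio results'` only compares counts against `reviewer.reviewees.where(completed: true)`, which is the very query `Scope#resolve` runs for non-recruiters, so it cannot fail even if the scope leaked other candidates with a matching count; the test name promises an exclusion that is never asserted. A negative assertion makes it mean what it says, e.g. `excluded = Candidate.where(completed: true).where.not(id: reviewer.reviewees).first` followed by `refute_includes scope, excluded` (assuming the fixtures contain a completed candidate outside the reviewer's reviewees). The admin and recruiter cases have the same tautology and would be stronger comparing `pluck(:id).sort` rather than `count`. Also, `def test_index` mixes with the `test '...' do` form used by the other three cases; one style throughout reads better.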