starting a result policy

app/controllers/admin/result_controller.rb

@@ -1,20 +1,16 @@
 # frozen_string_literal: true
 module Admin
   class ResultController < AdminController
-    # TODO: change context from Candidate to Quiz
+    # TODO: bypass pundit authorization until a result wrapper class if sorted
-    # bypass pundit lockdowns until completed
-    after_action :skip_policy_scope
     after_action :skip_authorization
-    #
+    # needed for :view
 
-    # TODO: Limit results to the quizzes current_user has access to
     def index
       sort_case = "(case when review_status = 0 then '' else name end)"
       sort_with_case = sort_column == 'name' ? sort_case : sort_column
-      @candidates = current_user.reviewees.where(completed: true)
+      @candidates = policy_scope(:result).includes(:recruiter)
-                                .includes(:recruiter)
+                                         .order("#{sort_with_case} #{sort_direction}")
-                                .order("#{sort_with_case} #{sort_direction}")
+                                         .page(params[:page])
-                                .page(params[:page])
     end
 
     def view

app/policies/result_policy.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class ResultPolicy < Struct.new(:user, :result)
+  # Result Access Policy
+  #
+  # Only Admins and Recruiters can view all results
+  # Managers and Reviewers can view any completed quiz they are linked to
+
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    raise Pundit::NotAuthorizedError, "Must be logged in." unless user
+    @user = user
+    @record = record
+  end
+
+  def index?
+    true
+  end
+
+  # def view?
+  #   return true if user.acts_as_recruiter?
+  #   user.reviewees.include? record
+  # end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      if user.acts_as_recruiter?
+        Candidate.where(completed: true)
+      else
+        user.reviewees.where(completed: true)
+      end
+    end
+  end
+end

test/policies/result_policy_test.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class ResultPolicyTest < PolicyAssertions::Test
+  def test_index
+    assert_permit users(:admin), :result
+    assert_permit users(:recruiter), :result
+    assert_permit users(:manager), :result
+    assert_permit users(:reviewer), :result
+  end
+
+  test 'should allow admin to scope' do
+    scope = ResultPolicy::Scope.new(users(:admin), Candidate).resolve
+    assert_equal Candidate.where(completed: true).count, scope.count
+  end
+
+  test 'should allow recruiter to scope' do
+    scope = ResultPolicy::Scope.new(users(:recruiter), Candidate).resolve
+    assert_equal Candidate.where(completed: true).count, scope.count
+  end
+
+  test 'should not allow fed.reviewer to scope studio results' do
+    reviewer = users(:reviewer)
+    scope = ResultPolicy::Scope.new(reviewer, Candidate).resolve
+    assert_equal reviewer.reviewees.where(completed: true).count, scope.count
+  end
+end