user policy to allow profile edits

app/controllers/admin/profile_controller.rb

@@ -2,14 +2,17 @@
 module Admin
   class ProfileController < AdminController
     def view
+      authorize current_user
     end
 
     def edit
       @user = current_user
+      authorize @user
     end
 
     def update
       @user = current_user
+      authorize @user
 
       if @user.update_attributes(user_params)
         redirect_to admin_profile_path,

app/controllers/admin_controller.rb

@@ -4,8 +4,8 @@ class AdminController < ApplicationController
   layout 'admin'
   before_action :authorize_user
 
-  # TODO: after_action :verify_authorized, except: :index
-  # TODO: after_action :verify_policy_scoped, only: :index
+  # after_action :verify_authorized, except: :index
+  # after_action :verify_policy_scoped, only: :index
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 

app/policies/user_policy.rb

@@ -3,9 +3,10 @@ class UserPolicy < ApplicationPolicy
   # User Access Policy
   #
   # Only Admins can view, create, or update, users
+  # All other users can only access themselves (profile interface)
 
   def view?
-    user.admin? && show?
+    user.admin? || user == record
   end
 
   def create?
@@ -13,7 +14,7 @@ class UserPolicy < ApplicationPolicy
   end
 
   def update?
-    user.admin?
+    user.admin? || user == record
   end
 
   class Scope < Scope

test/policies/user_policy_test.rb

@@ -13,25 +13,84 @@ class UserPolicyTest < PolicyAssertions::Test
     assert_equal User.count, scope.count
   end
 
-  test 'should not allow non_admin' do
-    assert_raise Pundit::NotAuthorizedError do
-      UserPolicy::Scope.new(users(:manager), User).resolve
+  test 'should not allow non_admin to scope' do
+    %i(manager reviewer recruiter).each do |role|
+      assert_raise Pundit::NotAuthorizedError, "Failed to raise auth error for #{role}" do
+        UserPolicy::Scope.new(users(role), User).resolve
+      end
     end
   end
 
-  def test_view
-    assert_permit users(:admin), User.first
-
-    refute_permit users(:manager), User.first
-    refute_permit users(:reviewer), User.first
-    refute_permit users(:recruiter), User.first
+  # view?
+  test 'admin can view any user role' do
+    assert_permit users(:admin), users(:admin), 'view?'
+    assert_permit users(:admin), users(:manager), 'view?'
+    assert_permit users(:admin), users(:reviewer), 'view?'
+    assert_permit users(:admin), users(:recruiter), 'view?'
   end
 
-  def test_create_and_update
-    assert_permit users(:admin), User
+  test 'manager can only view herself' do
+    assert_permit users(:manager), users(:manager), 'view?'
 
-    refute_permit users(:manager), User
-    refute_permit users(:reviewer), User
-    refute_permit users(:recruiter), User
+    refute_permit users(:manager), users(:admin), 'view?'
+    refute_permit users(:manager), users(:reviewer), 'view?'
+    refute_permit users(:manager), users(:recruiter), 'view?'
+  end
+
+  test 'reviewer can only view herself' do
+    assert_permit users(:reviewer), users(:reviewer), 'view?'
+
+    refute_permit users(:reviewer), users(:admin), 'view?'
+    refute_permit users(:reviewer), users(:manager), 'view?'
+    refute_permit users(:reviewer), users(:recruiter), 'view?'
+  end
+
+  test 'recruiter can only view herself' do
+    assert_permit users(:recruiter), users(:recruiter), 'view?'
+
+    refute_permit users(:recruiter), users(:admin), 'view?'
+    refute_permit users(:recruiter), users(:manager), 'view?'
+    refute_permit users(:recruiter), users(:reviewer), 'view?'
+  end
+
+  # update?
+  test 'admin can update any user role' do
+    assert_permit users(:admin), users(:admin), 'update?'
+    assert_permit users(:admin), users(:manager), 'update?'
+    assert_permit users(:admin), users(:reviewer), 'update?'
+    assert_permit users(:admin), users(:recruiter), 'update?'
+  end
+
+  test 'manager can only update herself' do
+    assert_permit users(:manager), users(:manager), 'update?'
+
+    refute_permit users(:manager), users(:admin), 'update?'
+    refute_permit users(:manager), users(:reviewer), 'update?'
+    refute_permit users(:manager), users(:recruiter), 'update?'
+  end
+
+  test 'reupdateer can only update herself' do
+    assert_permit users(:reviewer), users(:reviewer), 'update?'
+
+    refute_permit users(:reviewer), users(:admin), 'update?'
+    refute_permit users(:reviewer), users(:manager), 'update?'
+    refute_permit users(:reviewer), users(:recruiter), 'update?'
+  end
+
+  test 'recruiter can only update herself' do
+    assert_permit users(:recruiter), users(:recruiter), 'update?'
+
+    refute_permit users(:recruiter), users(:admin), 'update?'
+    refute_permit users(:recruiter), users(:manager), 'update?'
+    refute_permit users(:recruiter), users(:reviewer), 'update?'
+  end
+
+  # create
+  test 'only admin can create users' do
+    assert_permit users(:admin), User, 'create?'
+
+    refute_permit users(:manager), User, 'create?'
+    refute_permit users(:reviewer), User, 'create?'
+    refute_permit users(:recruiter), User, 'create?'
   end
 end