diff --git a/app/controllers/admin/profile_controller.rb b/app/controllers/admin/profile_controller.rb index 27b9761..ef118f7 100644 --- a/app/controllers/admin/profile_controller.rb +++ b/app/controllers/admin/profile_controller.rb @@ -2,14 +2,17 @@ module Admin class ProfileController < AdminController def view + authorize current_user end def edit @user = current_user + authorize @user end def update @user = current_user + authorize @user if @user.update_attributes(user_params) redirect_to admin_profile_path, diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 0deebc0..d8a0b69 100644 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -4,8 +4,8 @@ class AdminController < ApplicationController layout 'admin' before_action :authorize_user - # TODO: after_action :verify_authorized, except: :index - # TODO: after_action :verify_policy_scoped, only: :index + # after_action :verify_authorized, except: :index + # after_action :verify_policy_scoped, only: :index rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 61be4d4..dad8c7f 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -3,9 +3,10 @@ class UserPolicy < ApplicationPolicy # User Access Policy # # Only Admins can view, create, or update, users + # All other users can only access themselves (profile interface) def view? - user.admin? && show? + user.admin? || user == record end def create? @@ -13,7 +14,7 @@ class UserPolicy < ApplicationPolicy end def update? - user.admin? + user.admin? || user == record end class Scope < Scope diff --git a/test/policies/user_policy_test.rb b/test/policies/user_policy_test.rb index e2514d4..2bd3b54 100644 --- a/test/policies/user_policy_test.rb +++ b/test/policies/user_policy_test.rb @@ -13,25 +13,84 @@ class UserPolicyTest < PolicyAssertions::Test assert_equal User.count, scope.count end - test 'should not allow non_admin' do - assert_raise Pundit::NotAuthorizedError do - UserPolicy::Scope.new(users(:manager), User).resolve + test 'should not allow non_admin to scope' do + %i(manager reviewer recruiter).each do |role| + assert_raise Pundit::NotAuthorizedError, "Failed to raise auth error for #{role}" do + UserPolicy::Scope.new(users(role), User).resolve + end end end - def test_view - assert_permit users(:admin), User.first - - refute_permit users(:manager), User.first - refute_permit users(:reviewer), User.first - refute_permit users(:recruiter), User.first + # view? + test 'admin can view any user role' do + assert_permit users(:admin), users(:admin), 'view?' + assert_permit users(:admin), users(:manager), 'view?' + assert_permit users(:admin), users(:reviewer), 'view?' + assert_permit users(:admin), users(:recruiter), 'view?' end - def test_create_and_update - assert_permit users(:admin), User + test 'manager can only view herself' do + assert_permit users(:manager), users(:manager), 'view?' - refute_permit users(:manager), User - refute_permit users(:reviewer), User - refute_permit users(:recruiter), User + refute_permit users(:manager), users(:admin), 'view?' + refute_permit users(:manager), users(:reviewer), 'view?' + refute_permit users(:manager), users(:recruiter), 'view?' + end + + test 'reviewer can only view herself' do + assert_permit users(:reviewer), users(:reviewer), 'view?' + + refute_permit users(:reviewer), users(:admin), 'view?' + refute_permit users(:reviewer), users(:manager), 'view?' + refute_permit users(:reviewer), users(:recruiter), 'view?' + end + + test 'recruiter can only view herself' do + assert_permit users(:recruiter), users(:recruiter), 'view?' + + refute_permit users(:recruiter), users(:admin), 'view?' + refute_permit users(:recruiter), users(:manager), 'view?' + refute_permit users(:recruiter), users(:reviewer), 'view?' + end + + # update? + test 'admin can update any user role' do + assert_permit users(:admin), users(:admin), 'update?' + assert_permit users(:admin), users(:manager), 'update?' + assert_permit users(:admin), users(:reviewer), 'update?' + assert_permit users(:admin), users(:recruiter), 'update?' + end + + test 'manager can only update herself' do + assert_permit users(:manager), users(:manager), 'update?' + + refute_permit users(:manager), users(:admin), 'update?' + refute_permit users(:manager), users(:reviewer), 'update?' + refute_permit users(:manager), users(:recruiter), 'update?' + end + + test 'reupdateer can only update herself' do + assert_permit users(:reviewer), users(:reviewer), 'update?' + + refute_permit users(:reviewer), users(:admin), 'update?' + refute_permit users(:reviewer), users(:manager), 'update?' + refute_permit users(:reviewer), users(:recruiter), 'update?' + end + + test 'recruiter can only update herself' do + assert_permit users(:recruiter), users(:recruiter), 'update?' + + refute_permit users(:recruiter), users(:admin), 'update?' + refute_permit users(:recruiter), users(:manager), 'update?' + refute_permit users(:recruiter), users(:reviewer), 'update?' + end + + # create + test 'only admin can create users' do + assert_permit users(:admin), User, 'create?' + + refute_permit users(:manager), User, 'create?' + refute_permit users(:reviewer), User, 'create?' + refute_permit users(:recruiter), User, 'create?' end end