user policy to allow profile edits

test/policies/user_policy_test.rb

@@ -13,25 +13,84 @@ class UserPolicyTest < PolicyAssertions::Test
     assert_equal User.count, scope.count
   end
 
-  test 'should not allow non_admin' do
-    assert_raise Pundit::NotAuthorizedError do
-      UserPolicy::Scope.new(users(:manager), User).resolve
+  test 'should not allow non_admin to scope' do
+    %i(manager reviewer recruiter).each do |role|
+      assert_raise Pundit::NotAuthorizedError, "Failed to raise auth error for #{role}" do
+        UserPolicy::Scope.new(users(role), User).resolve
+      end
     end
   end
 
-  def test_view
-    assert_permit users(:admin), User.first
-
-    refute_permit users(:manager), User.first
-    refute_permit users(:reviewer), User.first
-    refute_permit users(:recruiter), User.first
+  # view?
+  test 'admin can view any user role' do
+    assert_permit users(:admin), users(:admin), 'view?'
+    assert_permit users(:admin), users(:manager), 'view?'
+    assert_permit users(:admin), users(:reviewer), 'view?'
+    assert_permit users(:admin), users(:recruiter), 'view?'
   end
 
-  def test_create_and_update
-    assert_permit users(:admin), User
+  test 'manager can only view herself' do
+    assert_permit users(:manager), users(:manager), 'view?'
 
-    refute_permit users(:manager), User
-    refute_permit users(:reviewer), User
-    refute_permit users(:recruiter), User
+    refute_permit users(:manager), users(:admin), 'view?'
+    refute_permit users(:manager), users(:reviewer), 'view?'
+    refute_permit users(:manager), users(:recruiter), 'view?'
+  end
+
+  test 'reviewer can only view herself' do
+    assert_permit users(:reviewer), users(:reviewer), 'view?'
+
+    refute_permit users(:reviewer), users(:admin), 'view?'
+    refute_permit users(:reviewer), users(:manager), 'view?'
+    refute_permit users(:reviewer), users(:recruiter), 'view?'
+  end
+
+  test 'recruiter can only view herself' do
+    assert_permit users(:recruiter), users(:recruiter), 'view?'
+
+    refute_permit users(:recruiter), users(:admin), 'view?'
+    refute_permit users(:recruiter), users(:manager), 'view?'
+    refute_permit users(:recruiter), users(:reviewer), 'view?'
+  end
+
+  # update?
+  test 'admin can update any user role' do
+    assert_permit users(:admin), users(:admin), 'update?'
+    assert_permit users(:admin), users(:manager), 'update?'
+    assert_permit users(:admin), users(:reviewer), 'update?'
+    assert_permit users(:admin), users(:recruiter), 'update?'
+  end
+
+  test 'manager can only update herself' do
+    assert_permit users(:manager), users(:manager), 'update?'
+
+    refute_permit users(:manager), users(:admin), 'update?'
+    refute_permit users(:manager), users(:reviewer), 'update?'
+    refute_permit users(:manager), users(:recruiter), 'update?'
+  end
+
+  test 'reupdateer can only update herself' do
+    assert_permit users(:reviewer), users(:reviewer), 'update?'
+
+    refute_permit users(:reviewer), users(:admin), 'update?'
+    refute_permit users(:reviewer), users(:manager), 'update?'
+    refute_permit users(:reviewer), users(:recruiter), 'update?'
+  end
+
+  test 'recruiter can only update herself' do
+    assert_permit users(:recruiter), users(:recruiter), 'update?'
+
+    refute_permit users(:recruiter), users(:admin), 'update?'
+    refute_permit users(:recruiter), users(:manager), 'update?'
+    refute_permit users(:recruiter), users(:reviewer), 'update?'
+  end
+
+  # create
+  test 'only admin can create users' do
+    assert_permit users(:admin), User, 'create?'
+
+    refute_permit users(:manager), User, 'create?'
+    refute_permit users(:reviewer), User, 'create?'
+    refute_permit users(:recruiter), User, 'create?'
   end
 end