user policy to allow profile edits

This commit is contained in:
Mark Moser 2016-09-21 11:03:45 -05:00
parent 8ad98215c1
commit 75a4fbf71a
4 changed files with 81 additions and 18 deletions


@ -2,14 +2,17 @@
module Admin module Admin
class ProfileController < AdminController class ProfileController < AdminController
def view def view
authorize current_user
end end
def edit def edit
@user = current_user @user = current_user
authorize @user
end end
def update def update
@user = current_user @user = current_user
authorize @user
if @user.update_attributes(user_params) if @user.update_attributes(user_params)
redirect_to admin_profile_path, redirect_to admin_profile_path,
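Review bot: The `authorize @user` added to `edit` relies on Pundit inferring `edit?` from the action name, yet this commit only gives UserPolicy a `view?` and an `update?`, so the edit branch depends on an `edit?` defined outside this hunk (presumably in ApplicationPolicy) delegating to `update?`. Passing the query explicitly, `authorize @user, :update?`, keeps `edit` and `update` governed by the same rule regardless of that default. Because `@user` is always `current_user` here, the policy's `user == record` clause passes for every signed-in user, so the attribute list permitted by `user_params` (not in this hunk) is what prevents a self-edit from reaching role or admin fields — worth confirming it excludes them. The `update` method continues past the end of the hunk.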


@ -4,8 +4,8 @@ class AdminController < ApplicationController
layout 'admin' layout 'admin'
before_action :authorize_user before_action :authorize_user
# TODO: after_action :verify_authorized, except: :index # after_action :verify_authorized, except: :index
# TODO: after_action :verify_policy_scoped, only: :index # after_action :verify_policy_scoped, only: :index
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
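Review bot: `after_action :verify_authorized` on the line above stays commented out, and dropping the `TODO:` prefix reads as if leaving it disabled is the settled decision rather than pending work. The ProfileController change in this same commit is exactly the kind of missing `authorize` call that `verify_authorized` is meant to flag, so either re-enable it, `after_action :verify_authorized, except: :index`, or keep a comment stating why it is off, e.g. `# verify_authorized stays disabled until every admin action calls authorize (see ProfileController)`.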


@ -3,9 +3,10 @@ class UserPolicy < ApplicationPolicy
# User Access Policy # User Access Policy
# #
# Only Admins can view, create, or update, users # Only Admins can view, create, or update, users
# All other users can only access themselves (profile interface)
def view? def view?
user.admin? && show? user.admin? || user == record
end end
def create? def create?
@ -13,7 +14,7 @@ class UserPolicy < ApplicationPolicy
end end
def update? def update?
user.admin? user.admin? || user == record
end end
class Scope < Scope class Scope < Scope
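Review bot: The header comment on the `# Only Admins can view, create, or update, users` line is now contradicted by the `view?` and `update?` bodies, which also grant access when `user == record`; the added line below it qualifies this but the two sentences still disagree. Rewording them to `# Admins can view, create, or update any user;` and `# every other user can view and update only their own record (profile interface)` matches the new code. `view?` also no longer calls `show?`, so an admin's `view?` no longer passes through whatever scope check the old `show?` performed — fine if intended, but the commit description does not mention it. The second hunk (`update?`) carries the same `user == record` rule and is covered by the same comment fix.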


@ -13,25 +13,84 @@ class UserPolicyTest < PolicyAssertions::Test
assert_equal User.count, scope.count assert_equal User.count, scope.count
end end
test 'should not allow non_admin' do test 'should not allow non_admin to scope' do
assert_raise Pundit::NotAuthorizedError do %i(manager reviewer recruiter).each do |role|
UserPolicy::Scope.new(users(:manager), User).resolve assert_raise Pundit::NotAuthorizedError, "Failed to raise auth error for #{role}" do
UserPolicy::Scope.new(users(role), User).resolve
end
end end
end end
def test_view # view?
assert_permit users(:admin), User.first test 'admin can view any user role' do
assert_permit users(:admin), users(:admin), 'view?'
refute_permit users(:manager), User.first assert_permit users(:admin), users(:manager), 'view?'
refute_permit users(:reviewer), User.first assert_permit users(:admin), users(:reviewer), 'view?'
refute_permit users(:recruiter), User.first assert_permit users(:admin), users(:recruiter), 'view?'
end end
def test_create_and_update test 'manager can only view herself' do
assert_permit users(:admin), User assert_permit users(:manager), users(:manager), 'view?'
refute_permit users(:manager), User refute_permit users(:manager), users(:admin), 'view?'
refute_permit users(:reviewer), User refute_permit users(:manager), users(:reviewer), 'view?'
refute_permit users(:recruiter), User refute_permit users(:manager), users(:recruiter), 'view?'
end
test 'reviewer can only view herself' do
assert_permit users(:reviewer), users(:reviewer), 'view?'
refute_permit users(:reviewer), users(:admin), 'view?'
refute_permit users(:reviewer), users(:manager), 'view?'
refute_permit users(:reviewer), users(:recruiter), 'view?'
end
test 'recruiter can only view herself' do
assert_permit users(:recruiter), users(:recruiter), 'view?'
refute_permit users(:recruiter), users(:admin), 'view?'
refute_permit users(:recruiter), users(:manager), 'view?'
refute_permit users(:recruiter), users(:reviewer), 'view?'
end
# update?
test 'admin can update any user role' do
assert_permit users(:admin), users(:admin), 'update?'
assert_permit users(:admin), users(:manager), 'update?'
assert_permit users(:admin), users(:reviewer), 'update?'
assert_permit users(:admin), users(:recruiter), 'update?'
end
test 'manager can only update herself' do
assert_permit users(:manager), users(:manager), 'update?'
refute_permit users(:manager), users(:admin), 'update?'
refute_permit users(:manager), users(:reviewer), 'update?'
refute_permit users(:manager), users(:recruiter), 'update?'
end
test 'reupdateer can only update herself' do
assert_permit users(:reviewer), users(:reviewer), 'update?'
refute_permit users(:reviewer), users(:admin), 'update?'
refute_permit users(:reviewer), users(:manager), 'update?'
refute_permit users(:reviewer), users(:recruiter), 'update?'
end
test 'recruiter can only update herself' do
assert_permit users(:recruiter), users(:recruiter), 'update?'
refute_permit users(:recruiter), users(:admin), 'update?'
refute_permit users(:recruiter), users(:manager), 'update?'
refute_permit users(:recruiter), users(:reviewer), 'update?'
end
# create
test 'only admin can create users' do
assert_permit users(:admin), User, 'create?'
refute_permit users(:manager), User, 'create?'
refute_permit users(:reviewer), User, 'create?'
refute_permit users(:recruiter), User, 'create?'
end end
end end
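Review bot: The test name on the `test 'reupdateer can only update herself' do` line is a search-and-replace slip for `reviewer`; it should read `test 'reviewer can only update herself' do`. The four per-role `view?` blocks and four `update?` blocks repeat the same assertions with only the role swapped; the role loop already used in 'should not allow non_admin to scope' could drive them, which would also have prevented the typo. On style, the `# view?`, `# update?`, `# create` section markers are inconsistent — `# create?` would match the others.
```ruby
%w(view? update?).each do |query|
  %i(manager reviewer recruiter).each do |role|
    test "#{role} can only #{query} herself" do
      assert_permit users(role), users(role), query
      (%i(admin manager reviewer recruiter) - [role]).each do |other|
        refute_permit users(role), users(other), query
      end
    end
  end
end
# … unchanged: admin tests and 'only admin can create users' …
```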