user policy to allow profile edits
This commit is contained in:
parent
8ad98215c1
commit
75a4fbf71a
@ -2,14 +2,17 @@
|
|||||||
module Admin
|
module Admin
|
||||||
class ProfileController < AdminController
|
class ProfileController < AdminController
|
||||||
def view
|
def view
|
||||||
|
authorize current_user
|
||||||
end
|
end
|
||||||
|
|
||||||
def edit
|
def edit
|
||||||
@user = current_user
|
@user = current_user
|
||||||
|
authorize @user
|
||||||
end
|
end
|
||||||
|
|
||||||
def update
|
def update
|
||||||
@user = current_user
|
@user = current_user
|
||||||
|
authorize @user
|
||||||
|
|
||||||
if @user.update_attributes(user_params)
|
if @user.update_attributes(user_params)
|
||||||
redirect_to admin_profile_path,
|
redirect_to admin_profile_path,
|
||||||
|
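Review bot: `edit` relies on Pundit inferring the `edit?` query from the action name at `authorize @user`, and no `edit?` appears in the UserPolicy change in this commit; if ApplicationPolicy does not alias it to `update?`, that call fails with a missing method instead of denying. Making the query explicit, `authorize @user, :update?`, gates the form by the same rule as the update it leads to. The `view` action authorizes `current_user` directly while the other two go through `@user`; assigning `@user = current_user` in all three keeps the actions uniform and gives the view template the same variable. The class continues past the hunk.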
@ -4,8 +4,8 @@ class AdminController < ApplicationController
|
|||||||
layout 'admin'
|
layout 'admin'
|
||||||
before_action :authorize_user
|
before_action :authorize_user
|
||||||
|
|
||||||
# TODO: after_action :verify_authorized, except: :index
|
# after_action :verify_authorized, except: :index
|
||||||
# TODO: after_action :verify_policy_scoped, only: :index
|
# after_action :verify_policy_scoped, only: :index
|
||||||
|
|
||||||
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
|
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
|
||||||
|
|
||||||
|
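Review bot: Dropping the `TODO:` prefix on `# after_action :verify_authorized, except: :index` and on the `verify_policy_scoped` line leaves both hooks commented out, so nothing still enforces that an admin action called `authorize`; the new ProfileController actions depend on each developer remembering the call. If the intent was to enable the check, the line should be uncommented, `after_action :verify_authorized, except: :index`; if it is still deferred, keeping the `TODO:` marker preserves the signal that this is outstanding work. The `rescue_from Pundit::NotAuthorizedError` handler is the fallback either way, but it only fires when a policy denies, not when authorization is skipped entirely.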
@ -3,9 +3,10 @@ class UserPolicy < ApplicationPolicy
|
|||||||
# User Access Policy
|
# User Access Policy
|
||||||
#
|
#
|
||||||
# Only Admins can view, create, or update, users
|
# Only Admins can view, create, or update, users
|
||||||
|
# All other users can only access themselves (profile interface)
|
||||||
|
|
||||||
def view?
|
def view?
|
||||||
user.admin? && show?
|
user.admin? || user == record
|
||||||
end
|
end
|
||||||
|
|
||||||
def create?
|
def create?
|
||||||
@ -13,7 +14,7 @@ class UserPolicy < ApplicationPolicy
|
|||||||
end
|
end
|
||||||
|
|
||||||
def update?
|
def update?
|
||||||
user.admin?
|
user.admin? || user == record
|
||||||
end
|
end
|
||||||
|
|
||||||
class Scope < Scope
|
class Scope < Scope
|
||||||
|
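Review bot: `update?` now returns true for `user == record`, which lets every non-admin pass the policy check for their own record, but nothing in the policy limits which attributes that self-update may touch; whether a user can change their own role or admin flag is decided entirely by `user_params` in the controller, which is outside this diff. Pundit's `permitted_attributes` hook is the place to express that, for example `def permitted_attributes; user.admin? ? %i[name email role] : %i[name email]; end` (attribute names are placeholders for whatever User exposes), with the controller using `permitted_attributes(@user)` instead of a shared `user_params`. Separately, `view?` previously delegated to `show?` and now inlines the admin check; if `show?` in ApplicationPolicy carried additional logic, that behaviour is lost. The class continues past the hunk.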
@ -13,25 +13,84 @@ class UserPolicyTest < PolicyAssertions::Test
|
|||||||
assert_equal User.count, scope.count
|
assert_equal User.count, scope.count
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'should not allow non_admin' do
|
test 'should not allow non_admin to scope' do
|
||||||
assert_raise Pundit::NotAuthorizedError do
|
%i(manager reviewer recruiter).each do |role|
|
||||||
UserPolicy::Scope.new(users(:manager), User).resolve
|
assert_raise Pundit::NotAuthorizedError, "Failed to raise auth error for #{role}" do
|
||||||
|
UserPolicy::Scope.new(users(role), User).resolve
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_view
|
# view?
|
||||||
assert_permit users(:admin), User.first
|
test 'admin can view any user role' do
|
||||||
|
assert_permit users(:admin), users(:admin), 'view?'
|
||||||
refute_permit users(:manager), User.first
|
assert_permit users(:admin), users(:manager), 'view?'
|
||||||
refute_permit users(:reviewer), User.first
|
assert_permit users(:admin), users(:reviewer), 'view?'
|
||||||
refute_permit users(:recruiter), User.first
|
assert_permit users(:admin), users(:recruiter), 'view?'
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_create_and_update
|
test 'manager can only view herself' do
|
||||||
assert_permit users(:admin), User
|
assert_permit users(:manager), users(:manager), 'view?'
|
||||||
|
|
||||||
refute_permit users(:manager), User
|
refute_permit users(:manager), users(:admin), 'view?'
|
||||||
refute_permit users(:reviewer), User
|
refute_permit users(:manager), users(:reviewer), 'view?'
|
||||||
refute_permit users(:recruiter), User
|
refute_permit users(:manager), users(:recruiter), 'view?'
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'reviewer can only view herself' do
|
||||||
|
assert_permit users(:reviewer), users(:reviewer), 'view?'
|
||||||
|
|
||||||
|
refute_permit users(:reviewer), users(:admin), 'view?'
|
||||||
|
refute_permit users(:reviewer), users(:manager), 'view?'
|
||||||
|
refute_permit users(:reviewer), users(:recruiter), 'view?'
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'recruiter can only view herself' do
|
||||||
|
assert_permit users(:recruiter), users(:recruiter), 'view?'
|
||||||
|
|
||||||
|
refute_permit users(:recruiter), users(:admin), 'view?'
|
||||||
|
refute_permit users(:recruiter), users(:manager), 'view?'
|
||||||
|
refute_permit users(:recruiter), users(:reviewer), 'view?'
|
||||||
|
end
|
||||||
|
|
||||||
|
# update?
|
||||||
|
test 'admin can update any user role' do
|
||||||
|
assert_permit users(:admin), users(:admin), 'update?'
|
||||||
|
assert_permit users(:admin), users(:manager), 'update?'
|
||||||
|
assert_permit users(:admin), users(:reviewer), 'update?'
|
||||||
|
assert_permit users(:admin), users(:recruiter), 'update?'
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'manager can only update herself' do
|
||||||
|
assert_permit users(:manager), users(:manager), 'update?'
|
||||||
|
|
||||||
|
refute_permit users(:manager), users(:admin), 'update?'
|
||||||
|
refute_permit users(:manager), users(:reviewer), 'update?'
|
||||||
|
refute_permit users(:manager), users(:recruiter), 'update?'
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'reupdateer can only update herself' do
|
||||||
|
assert_permit users(:reviewer), users(:reviewer), 'update?'
|
||||||
|
|
||||||
|
refute_permit users(:reviewer), users(:admin), 'update?'
|
||||||
|
refute_permit users(:reviewer), users(:manager), 'update?'
|
||||||
|
refute_permit users(:reviewer), users(:recruiter), 'update?'
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'recruiter can only update herself' do
|
||||||
|
assert_permit users(:recruiter), users(:recruiter), 'update?'
|
||||||
|
|
||||||
|
refute_permit users(:recruiter), users(:admin), 'update?'
|
||||||
|
refute_permit users(:recruiter), users(:manager), 'update?'
|
||||||
|
refute_permit users(:recruiter), users(:reviewer), 'update?'
|
||||||
|
end
|
||||||
|
|
||||||
|
# create
|
||||||
|
test 'only admin can create users' do
|
||||||
|
assert_permit users(:admin), User, 'create?'
|
||||||
|
|
||||||
|
refute_permit users(:manager), User, 'create?'
|
||||||
|
refute_permit users(:reviewer), User, 'create?'
|
||||||
|
refute_permit users(:recruiter), User, 'create?'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
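Review bot: The test name `'reupdateer can only update herself'` looks like a search-and-replace of view→update applied to the word "reviewer"; it should read `test 'reviewer can only update herself' do`. The update? block checks that non-admins are refused on other users, but there is no case covering a non-admin updating their own record with a changed role, which is the path the new `user == record` branch opens; a test that pins what a self-update is allowed to change would cover it. The scope test now iterates `%i(manager reviewer recruiter)` with a per-role failure message, which is a good pattern the view? and update? groups could reuse to cut the repeated `assert_permit`/`refute_permit` lines.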