question policies

app/controllers/admin/question_controller.rb

@@ -2,16 +2,20 @@
 module Admin
   class QuestionController < AdminController
     def index
-      @questions = Question.includes(:quiz).order("quizzes.name", { active: :desc }, :sort)
+      @questions = policy_scope Question.includes(:quiz).order("quizzes.name", { active: :desc }, :sort)
     end
 
     def new
+      authorize Question
+
       @question = Question.new(active: true)
-      @quizzes = Quiz.all
+      @quizzes = policy_scope Quiz.all
     end
 
     def create
-      @quizzes = Quiz.all
+      authorize Quiz
+
+      @quizzes = policy_scope Quiz.all
       @question = Question.create(process_question_params)
 
       if @question.persisted?
@@ -24,16 +28,20 @@ module Admin
 
     def view
       @question = Question.includes(:quiz).find(params[:question_id])
+      authorize @question
     end
 
     def edit
-      @quizzes = Quiz.all
+      @quizzes = policy_scope Quiz.all
       @question = Question.includes(:quiz).find(params[:question_id])
+
+      authorize @question
     end
 
     def update
-      @quizzes = Quiz.all
+      @quizzes = policy_scope Quiz.all
       @question = Question.find(params[:question_id])
+      authorize @question
 
       if @question.update_attributes(process_question_params)
         redirect_to admin_question_path(@question.to_i),
@@ -46,6 +54,7 @@ module Admin
 
     def options
       @question = params[:question_id].present? ? Question.find(params[:question_id]) : Question.new
+      authorize @question
       render layout: false
     end
 

app/controllers/admin/quiz_controller.rb

@@ -6,8 +6,8 @@ module Admin
     end
 
     def new
+      authorize Quiz
       @quiz = Quiz.new
-      authorize @quiz
     end
 
     def create

app/policies/question_policy.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+class QuestionPolicy < ApplicationPolicy
+  # Question Access Policy
+  #
+  # Only Admins and Managers can create or update a quiz (and its questions)
+  # Reviewers can view any quiz they are linked to
+  # Recruiters can NOT list or view questions
+
+  def view?
+    return false if user.recruiter?
+    return true if user.admin? || user.manager?
+    user.quizzes.include? record.quiz
+  end
+
+  def create?
+    user.manager? || user.admin?
+  end
+
+  def update?
+    user.manager? || user.admin?
+  end
+
+  def options?
+    !user.recruiter?
+  end
+
+  class Scope < Scope
+    def resolve
+      raise(Pundit::NotAuthorizedError, 'No Access to resource.') if user.recruiter?
+
+      if user.admin? || user.manager?
+        scope
+      else
+        scope.where(quiz_id: user.quizzes.map(&:id))
+      end
+    end
+  end
+end