updating view access for multi departments

2017-05-04 14:02:41 -05:00
parent 9f43646eaa 3ebb79857e
commit b6cc08ecf9
24 changed files with 329 additions and 27 deletions
--- a/app/controllers/admin/result_controller.rb
+++ b/app/controllers/admin/result_controller.rb
@ -1,20 +1,16 @@
 # frozen_string_literal: true
 module Admin
  class ResultController < AdminController
-    # TODO: change context from Candidate to Quiz
-    # bypass pundit lockdowns until completed
-    after_action :skip_policy_scope
+    # TODO: bypass pundit authorization until a result wrapper class if sorted
    after_action :skip_authorization
-    #
+    # needed for :view

-    # TODO: Limit results to the quizzes current_user has access to
    def index
      sort_case = "(case when review_status = 0 then '' else name end)"
      sort_with_case = sort_column == 'name' ? sort_case : sort_column
-      @candidates = Candidate.where(completed: true)
-                             .includes(:recruiter)
-                             .order("#{sort_with_case} #{sort_direction}")
-                             .page(params[:page])
+      @candidates = policy_scope(:result).includes(:recruiter)
+                                         .order("#{sort_with_case} #{sort_direction}")
+                                         .page(params[:page])
    end

    def view
--- a/app/controllers/candidate_controller.rb
+++ b/app/controllers/candidate_controller.rb
@ -45,6 +45,7 @@ class CandidateController < ApplicationController
    end

    def send_to_oops
+      redirect_to welcome_path and return if current_candidate && current_candidate.stale?
      redirect_to oops_path if current_candidate
    end
 end
--- a/app/models/candidate.rb
+++ b/app/models/candidate.rb
@ -48,6 +48,17 @@ class Candidate < ApplicationRecord
    answers.where(submitted: true)
  end

+  def last_answered_at
+    return Time.current unless submitted_answers.count.positive?
+    submitted_answers.order(updated_at: :desc).first.updated_at
+  end
+
+  def stale?
+    return true unless answers.count.positive?
+    minutes_since_answered = (Time.current.minus_with_coercion(last_answered_at) / 60).round
+    minutes_since_answered > 45
+  end
+
  def answered_questions
    answers.where.not(answer: nil)
           .where("answers.answer not like '%later:%'")
--- a/app/policies/quiz_policy.rb
+++ b/app/policies/quiz_policy.rb
@ -25,10 +25,10 @@ class QuizPolicy < ApplicationPolicy

  class Scope < Scope
    def resolve
-      if user.reviewer?
-        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
-      else
+      if user.acts_as_recruiter?
        scope
+      else
+        scope.joins(:reviewers).where('reviewer_to_quizzes.user_id = ?', user.id)
      end
    end
  end
--- a/app/policies/result_policy.rb
+++ b/app/policies/result_policy.rb
@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class ResultPolicy < Struct.new(:user, :result)
+  # Result Access Policy
+  #
+  # Only Admins and Recruiters can view all results
+  # Managers and Reviewers can view any completed quiz they are linked to
+
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    raise Pundit::NotAuthorizedError, "Must be logged in." unless user
+    @user = user
+    @record = record
+  end
+
+  def index?
+    true
+  end
+
+  # def view?
+  #   return true if user.acts_as_recruiter?
+  #   user.reviewees.include? record
+  # end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      if user.acts_as_recruiter?
+        Candidate.where(completed: true)
+      else
+        user.reviewees.where(completed: true)
+      end
+    end
+  end
+end