a simple comment policy

app/policies/quiz_comment_policy.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+class QuizCommentPolicy < ApplicationPolicy
+  # Quiz Comment Policy
+  #
+  # Anyone with access to the results can comment
+  # Only Comment owner can edit
+
+  def create?
+    user.acts_as_reviewer?
+  end
+
+  def update?
+    user.acts_as_reviewer? && user.id == record.user_id
+  end
+
+  class Scope < Scope
+    def resolve
+      true
+    end
+  end
+end

test/policies/quiz_comment_policy_test.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class QuizCommentPolicyTest < PolicyAssertions::Test
+  test 'should require current_user' do
+    assert_raise Pundit::NotAuthorizedError do
+      QuizCommentPolicy.new(nil, User.first).create?
+    end
+  end
+
+  def test_create
+    assert_permit users(:admin), QuizComment
+    assert_permit users(:manager), QuizComment
+    assert_permit users(:reviewer), QuizComment
+
+    refute_permit users(:recruiter), QuizComment
+  end
+
+  def test_update
+    assert_permit users(:reviewer2), quiz_comments(:com6)
+
+    refute_permit users(:reviewer), quiz_comments(:com6)
+    refute_permit users(:manager), quiz_comments(:com6)
+    refute_permit users(:admin), quiz_comments(:com6)
+    refute_permit users(:recruiter), quiz_comments(:com6)
+  end
+end