user policies

app/controllers/admin/user_controller.rb

@@ -2,14 +2,16 @@
 module Admin
   class UserController < AdminController
     def index
-      @users = User.order(:name)
+      @users = policy_scope User.order(:name)
     end
 
     def new
       @user = User.new
+      authorize @user
     end
 
     def create
+      authorize User
       default_passwd = SecureRandom.urlsafe_base64(12)
       @user = User.create({ password: default_passwd }.merge(user_params.to_h))
 
@@ -24,14 +26,17 @@ module Admin
 
     def view
       @user = User.find(params[:user_id])
+      authorize @user
     end
 
     def edit
       @user = User.find(params[:user_id])
+      authorize @user
     end
 
     def update
       @user = User.find(params[:user_id])
+      authorize @user
 
       if @user.update_attributes(user_params)
         redirect_to admin_user_path(@user.to_i),

app/controllers/admin_controller.rb

@@ -4,8 +4,12 @@ class AdminController < ApplicationController
   layout 'admin'
   before_action :authorize_user
 
+  # TODO: after_action :verify_authorized, except: :index
+  # TODO: after_action :verify_policy_scoped, only: :index
+
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 
+  # TODO: move to DashboardController#index
   def dashboard
     authorize :admin, :dashboard?
     @quizzes = Quiz.includes(:questions).all
@@ -25,6 +29,6 @@ class AdminController < ApplicationController
 
     def user_not_authorized
       flash[:error] = "You are not authorized to perform this action."
-      redirect_to(request.referer || root_path)
+      redirect_to(request.referer || admin_login_path)
     end
 end

app/models/user.rb

@@ -15,6 +15,12 @@ class User < ApplicationRecord
     save
   end
 
+  # TODO: move to mixin: UserRoles
+  #       define remaining helpers
+  def admin?
+    role == 'admin'
+  end
+
   private
 
     def gen_reset_token

app/policies/application_policy.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    raise Pundit::NotAuthorizedError, "Must be logged in." unless user
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    scope.where(id: record.id).exists?
+  end
+
+  def view?
+    show?
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  def scope
+    Pundit.policy_scope!(user, record.class)
+  end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      # This is a closed system.
+      raise Pundit::NotAuthorizedError, "No access to resource."
+    end
+  end
+end

app/policies/user_policy.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+class UserPolicy < ApplicationPolicy
+  def view?
+    user.admin? && show?
+  end
+
+  def create?
+    user.admin?
+  end
+
+  def update?
+    user.admin?
+  end
+
+  class Scope < Scope
+    def resolve
+      return scope if user.admin?
+      raise Pundit::NotAuthorizedError, "No access to resource."
+    end
+  end
+end