# frozen_string_literal: true

# Authorization rules for Question records (Pundit policy).
#
# Role ladder as implemented below, most to least privileged:
# - admin / manager: may view, create and update; Scope#resolve returns the unfiltered scope
# - any other non-recruiter role (the quiz "reviewers"): may view a question only when
#   its quiz is in +user.quizzes+; Scope#resolve is filtered to those quizzes
# - recruiter: every predicate here is false, and Scope#resolve raises rather than
#   returning an empty relation
#
# +user+ and +record+ are provided by ApplicationPolicy; +record+ is the Question.
class QuestionPolicy < ApplicationPolicy
  # Can the user see this question?
  #
  # @return [Boolean] false for recruiters, true for admins/managers, otherwise
  #   whether the question's quiz is among the user's linked quizzes
  def view?
    if user.recruiter?
      false
    elsif user.admin? || user.manager?
      true
    else
      user.quizzes.include?(record.quiz)
    end
  end

  # Only admins and managers may create questions.
  def create?
    elevated?
  end

  # Same rule as #create?: only admins and managers may update questions.
  def update?
    elevated?
  end

  # Any role except recruiter.
  # NOTE(review): unlike #view?, this does not check that a non-elevated user is
  # linked to +record.quiz+ — confirm that this wider access is intended.
  def options?
    user.recruiter? ? false : true
  end

  # Restricts the Question collection a user may list.
  class Scope < Scope
    # @return the unfiltered scope for admins/managers; for other roles, only
    #   questions whose quiz_id is one of the user's linked quizzes
    # @raise [Pundit::NotAuthorizedError] for recruiters, who may not list questions at all
    def resolve
      raise Pundit::NotAuthorizedError, 'No Access to resource.' if user.recruiter?

      return scope if user.admin? || user.manager?

      # Loads the user's quizzes to collect their ids before filtering the scope.
      scope.where(quiz_id: user.quizzes.map(&:id))
    end
  end

  private

  # True when the user holds one of the two unrestricted roles (manager checked first,
  # matching the original create?/update? order).
  def elevated?
    user.manager? || user.admin?
  end
end