# frozen_string_literal: true

# Authorization policy for User records.
#
# Administrators may view, create and update any user; every other user is
# limited to their own record (the profile interface). The attribute
# whitelist mirrors that split: `role` and `quiz_ids` are only permitted for
# administrators, so a user editing their own profile cannot change their
# role through mass assignment, provided the controller permits params via
# this policy.
#
# NOTE(review): `user.admin?` is called unguarded throughout, so a nil `user`
# (guest request) raises NoMethodError here unless ApplicationPolicy already
# rejects it — confirm.
class UserPolicy < ApplicationPolicy
  # Collection scope for User records.
  #
  # Administrators get the unrestricted scope; anyone else is refused
  # outright rather than handed an empty relation.
  class Scope < Scope
    # @return [Object] the scope unchanged, for administrators
    # @raise [Pundit::NotAuthorizedError] for every non-admin user
    def resolve
      raise Pundit::NotAuthorizedError, "No access to resource." unless user.admin?

      scope
    end
  end

  # Whether the current user may view `record`.
  #
  # NOTE(review): Pundit derives `show?` from a `show` controller action;
  # `view?` is only consulted when a caller asks for it explicitly — confirm
  # the call sites so this check is not silently bypassed.
  #
  # @return [Boolean] true for admins, or when the record is the user itself
  def view?
    admin_or_self?
  end

  # Whether the current user may create users: administrators only.
  #
  # @return [Boolean]
  def create?
    user.admin?
  end

  # Whether the current user may update `record`.
  #
  # @return [Boolean] true for admins, or when the record is the user itself
  def update?
    admin_or_self?
  end

  # Mass-assignable attributes for the current user.
  #
  # Only administrators may set `role` and `quiz_ids`; everyone else is
  # restricted to profile fields.
  #
  # @return [Array] attribute list in the shape `permit` expects
  def permitted_attributes
    if user.admin?
      [:name, :email, :role, :password, { quiz_ids: [] }]
    else
      %i[name email password password_confirmation]
    end
  end

  private

  # Shared rule for the per-record checks.
  #
  # @return [Boolean] true when the user is an admin or is the record itself
  def admin_or_self?
    user.admin? || user == record
  end
end