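# frozen_string_literal: true

# Authorisation policy for User records (Pundit-style).
#
# Access model established by the predicates below:
#   * Admins (`user.admin?`) may list, view, create and update any user.
#   * Every other user may only view and update their own record
#     (`user == record`), i.e. the profile interface.
#
# Mass assignment is the main privilege-escalation vector for a policy like
# this, so `permitted_attributes` is the security-critical method: the
# role-changing (`:role`) and quiz-assignment (`quiz_ids`) attributes are
# only ever returned for admins, never for a self-update.
#
# NOTE(review): `user` is assumed to be a non-nil, signed-in User; a nil
# `user` would raise NoMethodError on `admin?` unless ApplicationPolicy
# guards against it — confirm in ApplicationPolicy.
class UserPolicy < ApplicationPolicy
  # Listing users is admin-only.
  def index?
    user.admin?
  end

  # Admins may view anyone; others only their own record.
  def view?
    user.admin? || user == record
  end

  # Only admins may create users.
  def create?
    user.admin?
  end

  # Admins may update anyone; others only their own record.
  def update?
    user.admin? || user == record
  end

  # Attributes the current user may mass-assign on a User.
  #
  # Admins: profile and password fields plus `:role` and `quiz_ids` — the
  # privileged attributes, deliberately NOT offered to non-admins so a user
  # editing their own profile cannot promote themselves or re-assign quizzes.
  #
  # Fix: `:password_confirmation` was previously permitted only on the
  # non-admin list, so an admin form posting a confirmation had it dropped as
  # an unpermitted parameter (and any confirmation validation in the model
  # never saw it). Both paths now permit the same password fields.
  def permitted_attributes
    if user.admin?
      [:name, :email, :role, :password, :password_confirmation, quiz_ids: []]
    else
      [:name, :email, :password, :password_confirmation]
    end
  end

  # Scope for `policy_scope(User)`: admins see every user, anyone else only
  # the row matching their own id.
  class Scope < Scope
    def resolve
      return scope if user.admin?

      scope.where(id: user.id)
    end
  end
end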