# frozen_string_literal: true
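class QuestionPolicy < ApplicationPolicy
  # Question Access Policy
  #
  # Only Admins and Managers can create or update a quiz (and its questions)
  # Reviewers can view any quiz they are linked to
  # Recruiters can NOT list or view questions
  #
  # `user` and `record` come from ApplicationPolicy (not shown here); the role
  # predicates (`admin?`, `manager?`, `recruiter?`) and the `quizzes`
  # association are expected on the user model.

  # Admins and Managers have unrestricted access to questions. Centralised so
  # the member actions and the Scope cannot drift apart over time.
  def self.privileged?(user)
    user.admin? || user.manager?
  end

  # May `user` read `record` (a Question)?
  # Recruiters are refused outright, Admins/Managers are always allowed, and
  # anyone else must be linked to the quiz the question belongs to.
  def view?
    return false if user.recruiter?
    return true if self.class.privileged?(user)

    # A question whose `quiz` is nil never matches, so it stays hidden from
    # non-privileged users rather than becoming accidentally readable.
    user.quizzes.include?(record.quiz)
  end

  # Only Admins and Managers may create questions.
  def create?
    self.class.privileged?(user)
  end

  # Only Admins and Managers may update questions.
  def update?
    self.class.privileged?(user)
  end

  # May `user` see a question's options? Everyone except Recruiters.
  #
  # NOTE(review): this is looser than `view?` — a non-privileged user who is
  # NOT linked to the record's quiz still passes here. If `options` is a
  # member action on a single Question, delegating to `view?` would stop
  # option data being read for quizzes the user is not linked to. Left as-is
  # because whether the action is member or collection scoped is not visible
  # from this file — confirm against the controller before tightening.
  def options?
    !user.recruiter?
  end

  # Collection scope used when listing questions.
  class Scope < Scope
    # Raises Pundit::NotAuthorizedError for Recruiters (they may not list
    # questions at all). Admins/Managers get every question; everyone else
    # only sees questions belonging to quizzes they are linked to.
    def resolve
      raise(Pundit::NotAuthorizedError, 'No Access to resource.') if user.recruiter?

      return scope if QuestionPolicy.privileged?(user)

      scope.where(quiz_id: user.quizzes.map(&:id))
    end
  end
end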