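# Pundit policy deciding what the signed-in user may do with a user record.
#
# Every query below assumes an authenticated actor: the constructor raises
# before any of them can be evaluated for an anonymous request.
class UserPolicy < ApplicationPolicy
  attr_reader :signed_in_user, :user

  # @param signed_in_user [Object] the authenticated actor making the request
  # @param user [Object] the record the action is being authorised against
  # @raise [Pundit::NotAuthorizedError] when there is no signed-in user
  #
  # NOTE(review): super is not called, so whatever ApplicationPolicy#initialize
  # sets up is skipped -- confirm no inherited query depends on that state.
  def initialize(signed_in_user, user)
    raise Pundit::NotAuthorizedError, "must be logged in" unless signed_in_user

    @signed_in_user = signed_in_user
    @user = user
  end

  # Listing users is gated by the same rule as the admin listing.
  def index?
    admin_index?
  end

  # Only actors holding the grant-permissions capability may list users.
  # The set of records they then see is narrowed separately by Scope#resolve.
  def admin_index?
    signed_in_user.can_grant_permissions?
  end

  # May the actor open the permission-granting view for +user+?
  #
  # This decides only whether the target account may be managed. Which
  # permissions can be assigned is not constrained here, and the actor's own
  # record satisfies the org check, so the caller has to bound the assignable
  # permissions itself.
  def admin_grant_permissions?
    manages_target_org? || signed_in_user.can_super_admin?
  end

  # May the actor persist permission changes for +user+? Same rule as
  # #admin_grant_permissions?, kept as a separate query so the two actions can
  # diverge later without touching callers.
  def admin_update_permissions?
    manages_target_org? || signed_in_user.can_super_admin?
  end

  # Allows the user to swap their org affiliation on the fly
  def org_swap?
    signed_in_user.can_super_admin?
  end

  # Activation is limited to super admins.
  def activate?
    signed_in_user.can_super_admin?
  end

  # Editing another user's record is limited to super admins.
  def edit?
    signed_in_user.can_super_admin?
  end

  # Updating another user's record is limited to super admins.
  def update?
    signed_in_user.can_super_admin?
  end

  # Any signed-in user passes.
  #
  # NOTE(review): +user+ is never compared with +signed_in_user+, so this
  # policy does not tie the action to the actor's own account. The calling
  # action must only ever modify the signed-in user's preferences -- confirm.
  def update_email_preferences?
    true
  end

  # Any signed-in user passes.
  #
  # NOTE(review): as with #update_email_preferences?, ownership is not checked
  # here; the caller must restrict the write to the signed-in user -- confirm.
  def acknowledge_notification?
    true
  end

  # Restricts user listings to the actor's own organisation.
  #
  # +scope+ and +user+ come from the parent Scope class, which is not visible
  # in this file; presumably +user+ is the signed-in user -- confirm.
  class Scope < Scope
    # NOTE(review): if user.org_id is nil this filters on a nil org_id rather
    # than returning nothing -- confirm accounts without an org cannot reach
    # this scope.
    def resolve
      scope.where(org_id: user.org_id)
    end
  end

  private

  # True when the actor holds the grant-permissions capability and belongs to
  # the same organisation as the target user.
  #
  # A nil org_id on the actor never matches: otherwise nil == nil would let an
  # org-less actor pass the tenant check for every org-less target.
  def manages_target_org?
    return false unless signed_in_user.can_grant_permissions?

    actor_org_id = signed_in_user.org_id
    !actor_org_id.nil? && user.org_id == actor_org_id
  end
end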