@jfinucane
Last active July 1, 2016 14:03
Pundit - Intro
=begin
What is the problem?
Enroll App has about ten roles; the user has asked for twenty.
Authorization to EA functionality would ideally be a separate concern from the application code.
Current authorization checks are mingled into the app in an ad hoc manner.

What is Pundit?
Policy classes with inheritance: one plain Ruby policy class per model, nothing framework-specific inside.
Syntactic sugar grabs current_user from the controller:
- authorize object, :method? (raises Pundit::NotAuthorizedError when the policy method returns a falsy value, nil included)
- policy(object).method? (returns whatever the policy method returns, so write policy methods to return an explicit boolean)
- policy_scope(object) (can return a Mongo criteria already filtered for current_user)

Initial strategy
- create whitelist policy directories for the key models like Family, Person, CensusEmployee, Organization
- Step 1 demonstrate creation of a read-only role
- Step 2 review the pattern
- Step 3 more CSR roles
- Step 4 more admin roles
=end
class FamilyPolicy < ApplicationPolicy
  # Read-only users may not save. Return an explicit boolean: a bare
  # `return false if user.read_only?` returns nil for every other user, and
  # Pundit treats nil as "not authorized", so nobody would be able to save.
  def save?
    !user.read_only?
  end
end
# Family sub-policies inherit save? from FamilyPolicy; the explicit `super`
# is only there to mark where a sub-policy would tighten the rule.
class FamilyMembersPolicy < FamilyPolicy
  def save?
    super
  end
end

class SpecialEnrollmentPeriodsPolicy < FamilyPolicy
  def save?
    super
  end
end

class BrokerAgencyAccountsPolicy < FamilyPolicy
  def save?
    super
  end
end
#app/profiles/family/hbx_enrollment_exemption_policy.rb
class HbxEnrollmentExemptionPolicy < FamilyMembersPolicy
  def save?
    super
  end

  def update?
    # No policy in this chain defines update?, so `super` resolves to
    # ApplicationPolicy#update?, which Pundit's generated template returns
    # false from (fail closed). Add the record-level conditions here, e.g.
    # `super && <other conditions for this user and this record>`.
    super
  end
end
class FamiliesController < ApplicationController
  # Pundit also provides `after_action :verify_authorized`, which raises if an
  # action finishes without having called authorize.
  def create
    @family = Family.new(family_params)
    authorize @family, :save?   # check the built record before it is persisted
    ...
  end

  def update
    @family = Family.find(params[:id])   # load first: authorize needs the record (lookup assumed)
    authorize @family, :save?
    respond_to do |format|
      ...
    end
  end
end
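The policy chain and the controller's authorize call, as an added example that is not part of the gist and does not load Pundit: a dependency-free sketch of what Pundit's `authorize` and `policy` helpers do, written to show why policy predicates must return explicit booleans and why the base policy should fail closed. `Pundit::NotAuthorizedError`, the `Authorizer` module, the user roles, the `household_of` field and the sample records are assumptions made for this demo.

```ruby
# Added example, not from the gist. Pundit is not loaded; its error class and
# dispatch are re-implemented below. Roles, the household_of field and the
# Authorizer module are assumptions for this demo.
User = Struct.new(:name, :role, keyword_init: true) do
  def read_only?; role == :read_only; end
end
Family        = Struct.new(:id, keyword_init: true)
FamilyMembers = Struct.new(:household_of, keyword_init: true)

module Pundit
  class NotAuthorizedError < StandardError; end
end

# Fail closed: every query is denied unless a subclass says otherwise.
class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user, @record = user, record
  end
  def save?;   false; end
  def update?; false; end
end

class FamilyPolicy < ApplicationPolicy
  def save?
    !user.read_only?        # explicit true/false, never nil
  end
  def update?
    save?
  end
end

# Inherits save?; tightens update? with a record-level condition (assumed field).
class FamilyMembersPolicy < FamilyPolicy
  def update?
    super && record.household_of == user.name
  end
end

# The shape the notes started from: `return false if user.read_only?` with no
# other return value. Every non-read-only user gets nil, which authorize
# treats as a denial, so nobody can save.
class LegacyFamilyPolicy < ApplicationPolicy
  def save?
    return false if user.read_only?
  end
end

# Stand-in for Pundit's controller helpers: "<RecordClass>Policy" is looked up
# from the record's class, and authorize raises on any falsy result.
module Authorizer
  def self.policy(user, record)
    Object.const_get("#{record.class.name}Policy").new(user, record)
  end

  def self.authorize(user, record, query)
    return record if policy(user, record).public_send(query)
    raise Pundit::NotAuthorizedError, "not allowed to #{query} this #{record.class.name}"
  end
end

# True when authorize raises, i.e. the controller action would have been blocked.
def denied?(user, record, query)
  Authorizer.authorize(user, record, query)
  false
rescue Pundit::NotAuthorizedError
  true
end

# Constructed sample users and records; returns each user's policy answers.
def authorization_matrix
  family  = Family.new(id: 1)
  members = FamilyMembers.new(household_of: 'alice')
  users = {
    alice: User.new(name: 'alice', role: :csr),
    bob:   User.new(name: 'bob',   role: :read_only),
    carol: User.new(name: 'carol', role: :csr),
  }
  users.transform_values do |u|
    { family_save:    Authorizer.policy(u, family).save?,
      members_update: Authorizer.policy(u, members).update?,
      legacy_save:    LegacyFamilyPolicy.new(u, family).save? }
  end
end

if __FILE__ == $PROGRAM_NAME
  authorization_matrix.each { |name, answers| puts "#{name}: #{answers}" }
end
```

The `legacy_save` column is the point: the read-only user and the CSR both end up unable to save, one with `false` and one with `nil`, and `authorize` cannot tell them apart. Real Pundit behaves the same way, which is also why `after_action :verify_authorized` is worth enabling: a forgotten authorize call is the mirror-image failure.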
=begin -------------- All the policies are available in views
#app/views/employers/census_employees/show.html.erb:
<% if policy(@census_employee).view_ssn? %>
  SSN: <%= number_to_obscured_ssn @census_employee.ssn %><br/>
<% end %>
The view check only controls rendering; any other path that exposes the same field (JSON responses, CSV exports, the edit form) needs the same policy check.
=end ----------------
class EmployerProfilePolicy < OrganizationPolicy
  # `< Scope` picks up the parent policy's Scope (ultimately ApplicationPolicy::Scope),
  # which is what defines `user` and `scope`; a bare `class Scope` has neither.
  class Scope < Scope
    def resolve
      if user.admin?
        scope.all
      else
        # Placeholder from the original notes for however the user's employer
        # profile id is looked up. Guard a nil result before querying: in Mongo a
        # `field => nil` condition also matches documents that lack the field.
        scope.where('employer_profile_id' => user.get_the_employer_profile_id_somehow)
      end
    end
  end
end
# In the controller, index only ever sees what Scope#resolve returned for current_user.
def index
  @employers = policy_scope(EmployerProfile)
end
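The scope resolution above, as an added example that is not part of the gist and does not load Rails or Pundit: a stand-in `policy_scope` resolves a collection through `<Policy>::Scope#resolve`, with an in-memory relation playing the part of a Mongoid criteria. The `_id` field, the user's `employer_profile_id` attribute (standing in for the notes' `get_the_employer_profile_id_somehow`), the `Relation` class and the sample profiles are assumptions made for this demo.

```ruby
# Added example, not from the gist. Rails and Pundit are not loaded; the
# Relation class, the _id field, employer_profile_id and the sample rows are
# assumptions for this demo.
User = Struct.new(:name, :role, :employer_profile_id, keyword_init: true) do
  def admin?; role == :admin; end
end
EmployerProfile = Struct.new(:_id, :legal_name, keyword_init: true)

# Minimal chainable relation: `.all`, `.where('field' => value)` and `.none`
# (both ActiveRecord relations and Mongoid criteria offer the same three).
class Relation
  include Enumerable
  def initialize(rows); @rows = rows; end
  def all; self; end
  def none; Relation.new([]); end
  def where(conds)
    Relation.new(@rows.select { |row| conds.all? { |field, value| row[field] == value } })
  end
  def each(&block); @rows.each(&block); end
end

class ApplicationPolicy
  class Scope
    attr_reader :user, :scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end
    # Fail closed: a policy without its own resolve must not expose everything.
    def resolve
      raise NotImplementedError, "#{self.class} must define #resolve"
    end
  end
end

class OrganizationPolicy < ApplicationPolicy; end

class EmployerProfilePolicy < OrganizationPolicy
  # `< Scope` resolves through the parent chain to ApplicationPolicy::Scope,
  # which provides `user` and `scope`.
  class Scope < Scope
    def resolve
      if user.admin?
        scope.all
      else
        # A nil id must not widen the query (in Mongo, `field => nil` also
        # matches documents missing the field), so return nothing instead.
        return scope.none if user.employer_profile_id.nil?
        scope.where('_id' => user.employer_profile_id)
      end
    end
  end
end

# Stand-in for Pundit's policy_scope: pick "<Model>Policy::Scope" and resolve.
# Real Pundit infers the model from the scope itself; here it is passed in.
def policy_scope(user, model, relation)
  Object.const_get("#{model.name}Policy::Scope").new(user, relation).resolve
end

# Constructed sample data.
EMPLOYER_PROFILES = Relation.new([
  EmployerProfile.new(_id: 1, legal_name: 'Acme Health'),
  EmployerProfile.new(_id: 2, legal_name: 'Globex'),
  EmployerProfile.new(_id: 3, legal_name: 'Initech'),
])

# Names of the employer profiles the given user's index action would see.
def visible_employers(user)
  policy_scope(user, EmployerProfile, EMPLOYER_PROFILES).map(&:legal_name)
end

if __FILE__ == $PROGRAM_NAME
  puts "admin:    #{visible_employers(User.new(name: 'root', role: :admin)).inspect}"
  puts "employer: #{visible_employers(User.new(name: 'hr', role: :employer, employer_profile_id: 2)).inspect}"
  puts "no link:  #{visible_employers(User.new(name: 'new', role: :employer)).inspect}"
end
```

A user with no employer link gets an empty list rather than everyone's profiles, and a policy whose Scope never defined `resolve` raises instead of returning the unfiltered collection. Pundit's `after_action :verify_policy_scoped` complements this by raising when an index action forgets to call `policy_scope` at all.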