app/policies/todo_policy.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

# frozen_string_literal: true

class TodoPolicy < BasePolicy
  desc 'User can only read own todos'
  condition(:own_todo) do
    @user && @subject.user_id == @user.id
  end

  desc "User can read the todo's target"
  condition(:can_read_target) do
    @user && @subject.target&.readable_by?(@user)
  end

  desc "Todo has confidential note"
  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }

  desc "User can read the todo's confidential note"
  condition(:can_read_todo_confidential_note) do
    @user && @user.can?(:read_internal_note, @subject.target)
  end

  rule { own_todo & can_read_target }.enable :read_todo
  rule { can?(:read_todo) }.enable :update_todo

  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
    prevent :read_todo
    prevent :update_todo
  end
end