authorJoachim Filip Ignacy Bartosik <jbartosik@gmail.com>2010-08-13 18:35:31 +0200
committerJoachim Filip Ignacy Bartosik <jbartosik@gmail.com>2010-08-14 13:51:08 +0200
commitf879f9e6264b0ee3aaf150500a4ba37bedbfd332 (patch)
tree05040ce7180a1c133ec14c04296407e0485d1826
parentDocument modules (diff)
downloadrecruiting-webapp-f879f9e6264b0ee3aaf150500a4ba37bedbfd332.tar.gz
recruiting-webapp-f879f9e6264b0ee3aaf150500a4ba37bedbfd332.tar.bz2
recruiting-webapp-f879f9e6264b0ee3aaf150500a4ba37bedbfd332.zip
Document modules
Permissions and RichTypes
-rw-r--r--app/models/answer.rb40
-rw-r--r--spec/models/answer_spec.rb16
2 files changed, 42 insertions, 14 deletions
diff --git a/app/models/answer.rb b/app/models/answer.rb
index c086bf4..6e31c4d 100644
--- a/app/models/answer.rb
+++ b/app/models/answer.rb
@@ -45,29 +45,42 @@ class Answer < ActiveRecord::Base
after_create :notify_new_answer
after_update :notify_changed_answer
- multi_permission :update, :destroy do
+ def update_permitted?
# It's fine to change correct, because it's ignored in non-email answers
# and email answers have separate permissions
- (owned? && !reference && !approved) ||
- (reference && acting_user.role.is_recruiter?) ||
- (only_changed?(:approved, :correct) && owner.mentor_is?(acting_user))
+ return true if owned? && !reference && !approved
+ return true if reference && acting_user.role.is_recruiter?
+ return true if only_changed?(:approved, :correct) && owner.mentor_is?(acting_user)
+
+ false
+ end
+
+ def destroy_permitted?
+ return true if owned? && !reference
+ return true if reference && acting_user.role.is_recruiter?
+
+ false
end
def create_permitted?
- (owned_soft? && !reference)||(reference && acting_user.role.is_recruiter?)
+ return true if owned_soft? && !reference && !approved
+ return true if reference && acting_user.role.is_recruiter?
+ false
end
# Proper edit permissions can't be deduced, because we need to access value
# of some fields to set them
def edit_permitted?(field)
- owned_soft? ||
- owner.mentor_is?(acting_user) ||
- (reference && acting_user.signed_up? && acting_user.role.is_recruiter?)
+ return true if owned_soft?
+ return true if owner.mentor_is?(acting_user)
+ return true if reference && acting_user.signed_up? && acting_user.role.is_recruiter?
+ false
end
def content_edit_permitted?
- owned_soft? ||
- (reference && acting_user.signed_up? && acting_user.role.is_recruiter?)
+ return true if owned_soft?
+ return true if reference && acting_user.signed_up? && acting_user.role.is_recruiter?
+ false
end
def feedback_edit_permitted?
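Review bot: `destroy_permitted?` lets an owner destroy an answer that is already approved, because its first guard is `owned? && !reference`, while the removed `multi_permission :update, :destroy` block required `!approved` for both actions. If loosening that is not intended, the guard should match `update_permitted?`: `return true if owned? && !reference && !approved`. If it is intended, a comment above the method should say so, since the commit message only mentions documentation. Separately, the recruiter guards in `update_permitted?`, `destroy_permitted?` and `create_permitted?` call `acting_user.role.is_recruiter?` without the `acting_user.signed_up?` check that `edit_permitted?` and `content_edit_permitted?` use; whether a guest user responds to `role` is not visible in this hunk, so it is worth confirming.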
@@ -83,9 +96,10 @@ class Answer < ActiveRecord::Base
end
def view_permitted?(field)
- owned_soft? ||
- acting_user.role.is_recruiter? ||
- owner._?.mentor_is?(acting_user)
+ return true if owned_soft?
+ return true if acting_user.role.is_recruiter?
+ return true if owner.mentor_is?(acting_user)
+ false
end
# Returns hash containing updated answer attributes.
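Review bot: `view_permitted?` now calls `owner.mentor_is?(acting_user)` where the old code used the nil-safe `owner._?.mentor_is?(acting_user)`. For an answer with no owner, a viewer who is neither the soft owner nor a recruiter would therefore hit a NoMethodError inside the permission check instead of getting a plain denial. Keeping the guard nil-safe preserves the previous behaviour: `return true if owner._?.mentor_is?(acting_user)`. The spec change in this commit that adds `:owner => Factory(:recruiter)` to `Answer.new(:reference => true)` may be a workaround for this, although that cannot be confirmed from the visible lines.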
diff --git a/spec/models/answer_spec.rb b/spec/models/answer_spec.rb
index e5e127e..9a60bb8 100644
--- a/spec/models/answer_spec.rb
+++ b/spec/models/answer_spec.rb
@@ -217,7 +217,7 @@ describe Answer do
end
it "should allow editing of reference only to recruiters on new answers" do
- answer = Answer.new(:reference => true)
+ answer = Answer.new(:reference => true, :owner => Factory(:recruiter))
answer.should be_editable_by(Factory(:recruiter), :reference)
answer.should_not be_editable_by(Factory(:recruit), :reference)
answer.should_not be_editable_by(Factory(:mentor), :reference)
@@ -316,6 +316,20 @@ describe Answer do
end
Answer.wrong_answers_of(recruit).count.should == Answer.wrong_answers_of(recruit).uniq.count
+ end
+
+ it "should prohibit mentor of owner to destroy" do
+ a = Factory(:answer)
+ a.should_not be_destroyable_by(a.owner.mentor)
+ end
+ it "should allow editing of reference only to recruiters" do
+ for user in fabricate_users(:recruit, :mentor)
+ Answer.new(:owner => user).should_not be_editable_by(user, :reference)
+ end
+
+ for user in fabricate_users(:recruiter, :administrator)
+ Answer.new(:owner => user).should be_editable_by(user, :reference)
+ end
end
end
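Review bot: The example "should prohibit mentor of owner to destroy" passes `a.owner.mentor` straight to `be_destroyable_by`, and whether `Factory(:answer)` gives the owner a mentor is not visible here. If the mentor is nil, the expectation does not exercise the mentor path. Asserting the precondition first, for example `a.owner.mentor.should_not be_nil`, would make the test meaningful. The new `destroy_permitted?` branches for an owner and for a recruiter on a reference answer have no example in this hunk; one for an owner with `approved` set would pin down that behaviour. The enclosing `describe Answer` block starts outside the hunk.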