glossary policy and specs, glossary changed to inherit app controllers

app/controllers/glossary_controller.rb

@@ -1,6 +1,6 @@
-class GlossaryController < PublicController
-  include NotUsingPunditYet
-
+class GlossaryController < ApplicationController
+  skip_before_action :authenticate_user!, only: [:show]
+  before_action :authorize_glossary
   before_action :set_system_settings
 
   def show; end
@@ -13,6 +13,10 @@ def update
 
   private
 
+  def authorize_glossary
+    authorize :glossary
+  end
+
   def glossary_params
     params.require(:system_setting).permit(:glossary_content)
   end

app/policies/glossary_policy.rb

@@ -0,0 +1,9 @@
+class GlossaryPolicy < ApplicationPolicy
+  def read?
+    true
+  end 
+
+  def change?
+    acting_user && (acting_user.admin_role? || acting_user.sys_admin_role? )
+  end
+end

app/views/glossary/show.html.erb

@@ -1,4 +1,6 @@
 <%= render partial: 'glossary/header' %>
-<%= link_to "Edit Glossary", edit_glossary_path, class: "btn" %>
+<% if policy(:glossary).change? %>
+  <%= link_to "Edit Glossary", edit_glossary_path, class: "btn" %>
+<% end %>
 <hr>
 <%= @system_settings.glossary_content %>

spec/policies/glossary_policy_spec.rb

@@ -0,0 +1,29 @@
+require 'rails_helper'
+
+RSpec.describe GlossaryPolicy do
+  subject { GlossaryPolicy.new(user, :glossary) }
+
+  context "user can edit glossary if they are" do
+    context "an admin" do
+      let(:user) { build(:user, :admin) }
+      it { is_expected.to permit_action(:update) }
+    end
+
+    context "a sys_admin" do
+      let(:user) { build(:user, :sys_admin) }
+      it { is_expected.to permit_action(:update) }
+    end
+  end
+
+  context "user cannot edit glossary if they are" do
+    context "a neighbor" do
+      let(:user) { build(:user, :neighbor) }
+      it { is_expected.not_to permit_action(:update) }
+    end
+
+    context "not logged in" do
+      let(:user) { nil }
+      it { is_expected.not_to permit_action(:update) }
+    end
+  end
+end

spec/requests/glossary_spec.rb

@@ -3,10 +3,6 @@
 describe '/glossary', type: :request do
   let!(:system_setting) { FactoryBot.create :system_setting, glossary_content: 'Original text' }
 
-  before do
-    sign_in create(:user, :admin)
-  end
-
   describe 'GET /glossary' do
     it 'renders a successful response with the current content' do
       get glossary_url
@@ -15,21 +11,27 @@
     end
   end
 
-  describe 'GET /glossary/edit' do
-    it 'renders a successful response with the current content' do
-      get edit_glossary_url
-      expect(response).to be_successful
-      expect(response.body).to include 'Original text'
+  context "when user is signed in" do
+    before do
+      sign_in create(:user, :admin)
+    end
+
+    describe 'GET /glossary/edit' do
+      it 'renders a successful response with the current content' do
+        get edit_glossary_url
+        expect(response).to be_successful
+        expect(response.body).to include 'Original text'
+      end
     end
-  end
 
-  describe 'PATCH /glossary' do
-    let(:new_html) { "<b>Word</b>: Definition" }
+    describe 'PATCH /glossary' do
+      let(:new_html) { "<b>Word</b>: Definition" }
 
-    it 'updates glossary_content of the system_setting object' do
-      patch glossary_url, params: { system_setting: { glossary_content: new_html } }
-      expect(response.status).to eq 302
-      expect(system_setting.reload.glossary_content.to_s).to include new_html
+      it 'updates glossary_content of the system_setting object' do
+        patch glossary_url, params: { system_setting: { glossary_content: new_html } }
+        expect(response.status).to eq 302
+        expect(system_setting.reload.glossary_content.to_s).to include new_html
+      end
     end
   end
 end