add tag index policies

app/controllers/application_controller.rb

@@ -14,7 +14,9 @@ class ApplicationController < ActionController::Base
     flash[:alert] = exception.message.presence || "You are not authorized to perform this action."
     redirect_back_or_to root_path
   end
-
+  def default_authorization_policy_class
+    ApplicationPolicy
+  end
   private
 
   def after_sign_in_path_for(resource)

app/controllers/tags_controller.rb

@@ -1,12 +1,15 @@
 class TagsController < ApplicationController
   def index
+    authorize!
   end
 
   def sectors
+    authorize! Sector, to: :tags_index?
     @sectors = Sector.published.order(:name)
   end
 
   def categories
+    authorize! Category, to: :tags_index?
     @categories_by_type = Category
       .published
       .joins(:category_type)

app/policies/application_policy.rb

@@ -10,6 +10,7 @@ class ApplicationPolicy < ActionPolicy::Base
   authorize :user, optional: true, allow_nil: true
   pre_check :verify_authenticated!
 
+  default_rule :manage?
   alias_rule :new?, :create?, :edit?, :update?, :destroy?, to: :manage?
 
   def manage?

app/policies/category_policy.rb

@@ -0,0 +1,9 @@
+class CategoryPolicy < ApplicationPolicy
+  # See https://actionpolicy.evilmartians.io/#/writing_policies
+  #
+  # override or add new rules here that are not defined in ApplicationPolicy
+
+  def tags_index?
+    true
+  end
+end

app/policies/sector_policy.rb

@@ -0,0 +1,9 @@
+class SectorPolicy < ApplicationPolicy
+  # See https://actionpolicy.evilmartians.io/#/writing_policies
+  #
+  # override or add new rules here that are not defined in ApplicationPolicy
+
+  def tags_index?
+    true
+  end
+end

spec/policies/category_policy_spec.rb

@@ -0,0 +1,30 @@
+require "rails_helper"
+
+RSpec.describe CategoryPolicy, type: :policy do
+  let(:admin_user) { build_stubbed :user, super_user: true }
+  let(:regular_user) { build_stubbed :user, super_user: false }
+
+  def policy_for(record: nil, user:)
+    described_class.new(record, user: user)
+  end
+
+  describe "#tags_index?" do
+    context "with admin user" do
+      subject { policy_for(user: admin_user) }
+
+      it { is_expected.to be_allowed_to(:tags_index?) }
+    end
+
+    context "with regular user" do
+      subject { policy_for(user: regular_user) }
+
+      it { is_expected.to be_allowed_to(:tags_index?) }
+    end
+
+    context "with no user" do
+      subject { policy_for(user: nil) }
+
+      it { is_expected.not_to be_allowed_to(:tags_index?) }
+    end
+  end
+end

spec/policies/sector_policy_spec.rb

@@ -0,0 +1,30 @@
+require "rails_helper"
+
+RSpec.describe SectorPolicy, type: :policy do
+  let(:admin_user) { build_stubbed :user, super_user: true }
+  let(:regular_user) { build_stubbed :user, super_user: false }
+
+  def policy_for(record: nil, user:)
+    described_class.new(record, user: user)
+  end
+
+  describe "#tags_index?" do
+    context "with admin user" do
+      subject { policy_for(user: admin_user) }
+
+      it { is_expected.to be_allowed_to(:tags_index?) }
+    end
+
+    context "with regular user" do
+      subject { policy_for(user: regular_user) }
+
+      it { is_expected.to be_allowed_to(:tags_index?) }
+    end
+
+    context "with no user" do
+      subject { policy_for(user: nil) }
+
+      it { is_expected.not_to be_allowed_to(:tags_index?) }
+    end
+  end
+end

spec/requests/tags_spec.rb

@@ -10,6 +10,13 @@
 
     before { sign_in user }
 
+    it "checks authorization via ApplicationPolicy" do
+      expect_any_instance_of(ApplicationPolicy)
+        .to receive(:index?).and_call_original
+
+      get tags_path
+    end
+
     it "renders Service Populations and Categories skeleton" do
       get tags_path
       expect(response).to have_http_status(:ok)