Pundit

Challenge


  • Last updated November 17, 2018 at 9:44 AM by hankish
Solve this learning challenge by posting a code snippet.
Imagine that you've created a simple democratic voting system in Rails. For the purposes of this challenge there are two models:
  • User Model: This is the basis of the authorization system. It has two boolean methods, 'is_admin?' and 'can_vote?'.
  • Vote Model: Stores a particular vote. The specific fields on this are mostly irrelevant for this challenge, except that the vote has a 'voter' relationship which points to the user who voted.
Your challenge is to create a 'vote_policy.rb' file which has a method for each CRUD action as well as an 'index?' method which controls access to the index of all votes.
  • Only voters can create votes.
  • Voters can see only their own votes, admins can see all votes.
  • Votes can only be updated by the voter who created them.
  • Nobody can ever delete a vote, not even admins.
  • Only admins can see the index.
After you've coded the policy, answer the following questions (either in comments in the policy entry itself, or in a separate entry).
  • Question 1) If voters can update their votes, then in theory they could change the 'voter' field on the vote to point at someone else. How might you resolve this flaw in the system?
  • Question 2) A key principle of most democratic systems is that voting should be anonymous. In our system that would mean that, while admins can see and tally the votes, they shouldn't be able to see the `voter` field itself. How might you address this design challenge while trying to work within the object-oriented, policy-based design pattern?
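One way to write the policy described above, with answers to both questions carried as comments in the policy itself. This is an added example, not hankish's solution or code from the original challenge. It follows Pundit's conventions (a `VotePolicy` built with `(user, record)`, `?`-suffixed query methods, a nested `Scope` class and a `permitted_attributes` hook), but the `User` and `Vote` structs are stand-ins constructed here so the file runs without Rails, a database or the pundit gem; `choice` is an assumed vote field and `show_voter?` is an assumed custom query method, neither of which the challenge names.

```ruby
# Stand-ins for the two models in the challenge, constructed for this example
# so the policy can be exercised without Rails or a database. In the real app
# these are ActiveRecord models exposing the same methods.
User = Struct.new(:id, :admin, :voter, keyword_init: true) do
  def is_admin?; admin; end
  def can_vote?; voter; end
end

# 'choice' is an assumed field; the challenge only specifies the 'voter' relation.
Vote = Struct.new(:id, :voter, :choice, keyword_init: true)

# Pundit resolves VotePolicy for a Vote and calls VotePolicy.new(current_user, vote).
# A nil user means "not signed in", so every rule below starts by requiring one.
class VotePolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Only admins can see the index of all votes.
  def index?
    !!user&.is_admin?
  end

  # Voters see only their own votes; admins see every vote.
  def show?
    return false unless user
    user.is_admin? || owner?
  end

  # Only users who are allowed to vote can create votes.
  def create?
    !!user&.can_vote?
  end

  def new?
    create?
  end

  # Only the voter who cast the vote can change it; admins are not exempt.
  def update?
    owner?
  end

  def edit?
    update?
  end

  # Nobody can ever delete a vote, not even admins.
  def destroy?
    false
  end

  # Question 1: update? alone does not stop a voter from submitting a new
  # 'voter_id' in the form. Pundit's permitted_attributes hook is the place to
  # whitelist fields per policy; 'voter' is deliberately absent, so the
  # controller's permitted_attributes(@vote) never lets it through.
  def permitted_attributes
    [:choice]
  end

  # Question 2: anonymity is field-level visibility, which fits the same
  # pattern as an extra query method (assumed name). Views and serializers ask
  # policy(vote).show_voter? before rendering the field, so admins can tally
  # every vote through show?/Scope without ever learning who cast it.
  def show_voter?
    owner?
  end

  # policy_scope(Vote) resolves to this and returns only the votes the current
  # user may list. 'scope' is an Array here; with ActiveRecord the two branches
  # would be scope.none and scope.where(voter: user).
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      return [] unless user
      return scope if user.is_admin?
      scope.select { |vote| vote.voter == user }
    end
  end

  private

  def owner?
    !user.nil? && record.voter == user
  end
end
```

In the controller the checks wire up as `authorize @vote` for each action, `policy_scope(Vote)` for the index, and `@vote.update(permitted_attributes(@vote))` instead of a hand-rolled `params.require(:vote).permit(...)`, so the field whitelist lives next to the access rules it protects. Note that `index?` returning true for an admin does not by itself make the voter field visible; that decision is made separately by `show_voter?`, which is the point of keeping it as its own query.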