Refactoring Pundit ApplicationPolicy with UserContext

Refs #3140

1 files changed, 20 insertions, 4 deletions

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 07138b38e..4a2d760fb 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -1,11 +1,21 @@
 class ApplicationPolicy
   attr_reader :user, :record
 
-  def initialize(user, record)
-    @user = user
+  def initialize(user_context, record)
+    @user = user_context.user
+    @referential = user_context.context[:referential]
     @record = record
   end
 
+  attr_accessor :referential
+  def referential
+    @referential ||= record_referential
+  end
+
+  def record_referential
+    record.referential if record.respond_to?(:referential)
+  end
+
   def index?
     false
   end
@@ -38,8 +48,14 @@ class ApplicationPolicy
     Pundit.policy_scope!(user, record.class)
   end
 
-  def organisation_match?(via_referential: false)
-    eval("user.organisation == record#{'.referential' if via_referential}.organisation")
+  def organisation_match?
+    user.organisation == organisation
+  end
+
+  def organisation
+    # When sending permission to react UI, we don't have access to record object for edit & destroy.. actions
+    organisation = record.is_a?(Symbol) ? nil : record.try(:organisation)
+    organisation or referential.try :organisation
   end
 
   class Scope