DFE-Digital · thomasleese · Nov 29, 2023
@@ -2,12 +2,12 @@
 
 module AssessorInterface
   class ReferenceRequestsController < BaseController
-    before_action :authorize_assessor, except: %i[edit update_verify_references]
-
     before_action :set_list_variables, only: %i[index update_verify_references]
     before_action :set_individual_variables, only: %i[edit update]
 
     def index
+      authorize %i[assessor_interface reference_request]
+
       @form =
         VerifyReferencesForm.new(
           assessment:,
@@ -18,7 +18,7 @@ def index
     end
 
     def update_verify_references
-      authorize :assessor, :update?
+      authorize %i[assessor_interface reference_request], :update?
 
       @form =
         VerifyReferencesForm.new(assessment:, **verify_references_form_params)
@@ -31,12 +31,14 @@ def update_verify_references
     end
 
     def edit
-      authorize :assessor, :show?
+      authorize [:assessor_interface, requestable]
 
       @form = RequestableReviewForm.new(requestable:)
     end
 
     def update
+      authorize [:assessor_interface, requestable]
+
       @form =
         RequestableReviewForm.new(
           requestable:,

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AssessorInterface::ReferenceRequestPolicy < ApplicationPolicy
+  def index?
+    user.assess_permission || user.verify_permission
+  end
+
+  def edit?
+    user.assess_permission || user.verify_permission ||
+      user.change_work_history_permission
+  end
+
+  def update?
+    user.assess_permission || user.verify_permission
+  end
+end
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe AssessorInterface::ReferenceRequestPolicy do
+  it_behaves_like "a policy"
+
+  let(:user) { nil }
+  let(:record) { nil }
+
+  subject(:policy) { described_class.new(user, record) }
+
+  describe "#index?" do
+    subject(:index?) { policy.index? }
+    it_behaves_like "a policy method requiring the assess permission"
+    it_behaves_like "a policy method requiring the verify permission"
+  end
+
+  describe "#show?" do
+    subject(:show?) { policy.show? }
+
+    let(:user) { create(:staff, :confirmed) }
+    it { is_expected.to be false }
+  end
+
+  describe "#create?" do
+    subject(:create?) { policy.create? }
+
+    let(:user) { create(:staff, :confirmed) }
+    it { is_expected.to be false }
+  end
+
+  describe "#new?" do
+    subject(:new?) { policy.new? }
+
+    let(:user) { create(:staff, :confirmed) }
+    it { is_expected.to be false }
+  end
+
+  describe "#update?" do
+    subject(:update?) { policy.update? }
+    it_behaves_like "a policy method requiring the assess permission"
+    it_behaves_like "a policy method requiring the verify permission"
+  end
+
+  describe "#edit?" do
+    subject(:edit?) { policy.edit? }
+    it_behaves_like "a policy method requiring the assess permission"
+    it_behaves_like "a policy method requiring the change work history permission"
+    it_behaves_like "a policy method requiring the verify permission"
+  end
+
+  describe "#destroy?" do
+    subject(:destroy?) { policy.destroy? }
+
+    let(:user) { create(:staff, :confirmed) }
+    it { is_expected.to be false }
+  end
+end
@@ -40,12 +40,12 @@
 
   describe "#update?" do
     subject(:update?) { policy.update? }
-    it_behaves_like "a policy method requiring change the work history permission"
+    it_behaves_like "a policy method requiring the change work history permission"
   end
 
   describe "#edit?" do
     subject(:edit?) { policy.edit? }
-    it_behaves_like "a policy method requiring change the work history permission"
+    it_behaves_like "a policy method requiring the change work history permission"
   end
 
   describe "#destroy?" do

@@ -40,7 +40,7 @@
   end
 end
 
-RSpec.shared_examples "a policy method requiring change the work history permission" do
+RSpec.shared_examples "a policy method requiring the change work history permission" do
   context "without permission" do
     let(:user) { create(:staff) }
     it { is_expected.to be false }