only allow admins to create users

backend/app/policies/user_policy.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
 class UserPolicy < ApplicationPolicy
-  attr_reader :user, :record
-
   def create?
-    # Need to fix authentication issues across all endpoints
-    true
+    user&.admin?
   end
 end

backend/spec/requests/admin/users_spec.rb

@@ -3,6 +3,12 @@
 require 'rails_helper'
 
 RSpec.describe '/admin/users', type: :request do
+  include Devise::Test::IntegrationHelpers
+
+  let(:admin) do
+    User.create(email: '[email protected]', password: 'password', role: :admin)
+  end
+
   describe 'POST /create' do
     context 'with valid parameters for a surveyor' do
       let(:valid_attributes) do
@@ -21,6 +27,8 @@
         }
       end
 
+      before { sign_in admin }
+
       it 'creates a new user who is a surveyor' do
         expect do
           post admin_users_url, params: { user: valid_attributes }, as: :json
@@ -55,6 +63,8 @@
         }
       end
 
+      before { sign_in admin }
+
       it 'creates a new user who is an admin' do
         expect do
           post admin_users_url, params: { user: valid_attributes }, as: :json
@@ -79,6 +89,8 @@
         }
       end
 
+      before { sign_in admin }
+
       it 'does not create a new user' do
         expect do
           post admin_users_url, params: { user: invalid_attributes }, as: :json
@@ -93,5 +105,20 @@
         expect(error_message).to eq("can't be blank")
       end
     end
+
+    context 'as unauthorized user' do
+      let(:valid_attributes) do
+        {
+          email: '[email protected]',
+          role: 'admin'
+        }
+      end
+
+      it 'raises an error' do
+        expect do
+          post admin_users_url, params: { user: valid_attributes }, as: :json
+        end.to raise_error(Pundit::NotAuthorizedError)
+      end
+    end
   end
 end