Seperate pundit policies for "normal" use and admin use

They were getting too confusing and it was mixing up unrelated concerns too much before.

app/controllers/admin/application_controller.rb

@@ -20,6 +20,11 @@ def authenticate_admin
       render plain: "Not authorised", status: :forbidden unless T.must(current_user).has_role?(:admin)
     end
 
+    sig { returns(T::Array[Symbol]) }
+    def policy_namespace
+      [:admin]
+    end
+
     # Override this value to specify the number of elements to display at a time
     # on index pages. Defaults to 20.
     # def records_per_page

app/policies/admin/alert_policy.rb

@@ -0,0 +1,35 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class AlertPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def update?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def destroy?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/api_key_policy.rb

@@ -0,0 +1,35 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class ApiKeyPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def update?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def create?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/api_usages_policy.rb

@@ -0,0 +1,13 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class ApiUsagesPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+  end
+end

app/policies/admin/applications_policy.rb

@@ -0,0 +1,30 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class ApplicationsPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def destroy?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/authority_policy.rb

@@ -0,0 +1,40 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class AuthorityPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def create?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def update?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def import?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/background_jobs_policy.rb

@@ -0,0 +1,13 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class BackgroundJobsPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+  end
+end

app/policies/admin/comment_policy.rb

@@ -0,0 +1,35 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class CommentPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def update?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def resend?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/report_policy.rb

@@ -0,0 +1,30 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class ReportPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def destroy?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/role_policy.rb

@@ -0,0 +1,25 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class RolePolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/admin/test_emails_policy.rb

@@ -0,0 +1,18 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class TestEmailsPolicy < ApplicationPolicy
+    extend T::Sig
+
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def create?
+      user.has_role?(:admin)
+    end
+  end
+end

app/policies/admin/user_policy.rb

@@ -0,0 +1,36 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Admin
+  class UserPolicy < ApplicationPolicy
+    extend T::Sig
+
+    # TODO: Extract this into a DefaultAdminPolicy
+    sig { returns(T::Boolean) }
+    def index?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def show?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def update?
+      user.has_role?(:admin)
+    end
+
+    sig { returns(T::Boolean) }
+    def destroy?
+      user.has_role?(:admin)
+    end
+
+    class Scope < ApplicationPolicy::Scope
+      sig { returns(ActiveRecord::Relation) }
+      def resolve
+        user.has_role?(:admin) ? scope.all : scope.none
+      end
+    end
+  end
+end

app/policies/alert_policy.rb

@@ -19,24 +19,14 @@ def initialize(user, alert)
     @alert = alert
   end
 
-  sig { returns(T::Boolean) }
-  def index?
-    user.has_role?(:admin)
-  end
-
-  sig { returns(T::Boolean) }
-  def show?
-    user.has_role?(:admin)
-  end
-
   sig { returns(T::Boolean) }
   def create?
     true
   end
 
   sig { returns(T::Boolean) }
   def update?
-    (alert.user_id == user.id && !alert.unsubscribed?) || user.has_role?(:admin)
+    alert.user_id == user.id && !alert.unsubscribed?
   end
 
   sig { returns(T::Boolean) }
@@ -47,12 +37,8 @@ def destroy?
   class Scope < ApplicationPolicy::Scope
     sig { returns(ActiveRecord::Relation) }
     def resolve
-      if user.has_role?(:admin)
-        scope.all
-      else
-        # User can only see their own active alerts
-        scope.where(user:).active
-      end
+      # User can only see their own active alerts
+      scope.where(user:).active
     end
   end
 end