basic access to members management for managers

app/controllers/api/members_controller.rb

@@ -222,7 +222,7 @@ class API::MembersController < API::ApiController
                                    ],
                                    statistic_profile_attributes: %i[id gender birthday])
 
-    elsif current_user.admin?
+    elsif current_user.admin? || current_user.manager?
       params.require(:user).permit(:username, :email, :password, :password_confirmation, :is_allow_contact, :is_allow_newsletter, :group_id,
                                    tag_ids: [],
                                    profile_attributes: [:id, :first_name, :last_name, :phone, :interest, :software_mastered, :website, :job,

app/controllers/api/users_controller.rb

@@ -6,7 +6,9 @@ class API::UsersController < API::ApiController
   before_action :set_user, only: %i[destroy]
 
   def index
-    if current_user.admin? && %w[partner manager].include?(params[:role])
+    authorize User
+
+    if %w[partner manager].include?(params[:role])
       @users = User.with_role(params[:role].to_sym).includes(:profile)
     else
       head 403

app/policies/admin_policy.rb

@@ -1,6 +1,6 @@
 class AdminPolicy < ApplicationPolicy
   def index?
-    user.admin?
+    user.admin? || user.manager?
   end
 
   def create?

app/policies/availability_policy.rb

@@ -2,9 +2,13 @@
 
 # Check the access policies for API::AvailabilitiesController
 class AvailabilityPolicy < ApplicationPolicy
-  %w[index? show? create? update? destroy? reservations? export? lock?].each do |action|
+  %w[index? show? create? update? destroy? reservations? lock?].each do |action|
     define_method action do
       user.admin? || user.manager?
     end
   end
+
+  def export?
+    user.admin?
+  end
 end

app/policies/user_policy.rb

@@ -16,26 +16,30 @@ class UserPolicy < ApplicationPolicy
   end
 
   def show?
-    user.admin? || (record.is_allow_contact && record.member?) || (user.id == record.id)
+    user.admin? || user.manager? || (record.is_allow_contact && record.member?) || (user.id == record.id)
   end
 
   def update?
-    user.admin? || (user.id == record.id)
+    user.admin? || user.manager? || (user.id == record.id)
   end
 
   def destroy?
     user.admin? || (user.id == record.id)
   end
 
-  def merge?
-    user.id == record.id
+  %w[merge complete_tour].each do |action|
+    define_method "#{action}?" do
+      user.id == record.id
+    end
   end
 
-  def complete_tour?
-    user.id == record.id
+  %w[list index].each do |action|
+    define_method "#{action}?" do
+      user.admin? || user.manager?
+    end
   end
 
-  %w[list create mapping].each do |action|
+  %w[create mapping].each do |action|
     define_method "#{action}?" do
       user.admin?
     end

app/policies/wallet_policy.rb

@@ -2,12 +2,10 @@
 
 # Check the access policies for API::WalletController
 class WalletPolicy < ApplicationPolicy
-  def by_user?
-    user.admin? || user.manager? || user == record.user
-  end
-
-  def transactions?
-    user.admin? || user == record.user
+  %w[by_user transactions].each do |action|
+    define_method "#{action}?" do
+      user.admin? || user.manager? || user == record.user
+    end
   end
 
   def credit?