Introduce a UserAccess model

app/models/access.rb

@@ -1,9 +1,5 @@
 class Access < ApplicationRecord
   ALLOWED_RESOURCES = %w[Organization FacilityGroup Facility].freeze
-  ACTION_TO_USER_ROLE = {
-    view: User.access_levels.fetch_values(:manager, :viewer),
-    manage: User.access_levels.fetch_values(:manager)
-  }
 
   belongs_to :user
   belongs_to :resource, polymorphic: true
@@ -13,55 +9,6 @@ class Access < ApplicationRecord
   validates :resource, presence: true
   validate :user_is_not_a_power_user, if: -> { user.present? }
 
-  class << self
-    def organizations(action)
-      resources_for(Organization, action)
-    end
-
-    def facility_groups(action)
-      resources_for(FacilityGroup, action)
-        .or(FacilityGroup.where(organization: organizations(action)))
-    end
-
-    def facilities(action)
-      resources_for(Facility, action)
-        .or(Facility.where(facility_group: facility_groups(action)))
-    end
-
-    def can?(action, model, record = nil)
-      if record&.is_a? ActiveRecord::Relation
-        raise ArgumentError, "record should not be an ActiveRecord::Relation."
-      end
-
-      case model
-        when :facility
-          can_access_record?(facilities(action), record)
-        when :organization
-          can_access_record?(organizations(action), record)
-        when :facility_group
-          can_access_record?(facility_groups(action), record)
-        else
-          raise ArgumentError, "Access to #{model} is unsupported."
-      end
-    end
-
-    private
-
-    def can_access_record?(resources, record)
-      return resources.find_by_id(record).present? if record
-      resources.exists?
-    end
-
-    def resources_for(resource_model, action)
-      resource_ids =
-        where(resource_type: resource_model.to_s)
-          .select { |access| access.user.access_level.in?(ACTION_TO_USER_ROLE[action]) }
-          .map(&:resource_id)
-
-      resource_model.where(id: resource_ids)
-    end
-  end
-
   private
 
   def user_is_not_a_power_user

app/models/user.rb

@@ -11,11 +11,7 @@ class User < ApplicationRecord
     allowed: "allowed",
     denied: "denied"
   }, _prefix: true
-  enum access_level: {
-    viewer: "viewer",
-    manager: "manager",
-    power_user: "power_user"
-  }, _suffix: :access
+  enum access_level: UserAccess::LEVELS.map { |level, meta| [level, meta[:id].to_s] }.to_h, _suffix: :access
 
   belongs_to :organization, optional: true
   has_many :user_authentications
@@ -77,6 +73,13 @@ class User < ApplicationRecord
     :password,
     :authenticatable_salt,
     :invited_to_sign_up?, to: :email_authentication, allow_nil: true
+  delegate :accessible_organizations,
+    :accessible_facilities,
+    :accessible_facility_groups,
+    :can?,
+    :grant_access,
+    :access_tree,
+    :permitted_access_levels, to: :user_access, allow_nil: false
 
   after_destroy :destroy_email_authentications
 
@@ -88,6 +91,10 @@ def email_authentication
     email_authentications.first
   end
 
+  def user_access
+    UserAccess.new(self)
+  end
+
   def registration_facility_id
     registration_facility.id
   end
@@ -184,31 +191,6 @@ def resources
     user_permissions.map(&:resource)
   end
 
-  # #########################
-  # User Access (permissions)
-  #
-  def accessible_organizations(action)
-    return Organization.all if power_user?
-    accesses.organizations(action)
-  end
-
-  def accessible_facility_groups(action)
-    return FacilityGroup.all if power_user?
-    accesses.facility_groups(action)
-  end
-
-  def accessible_facilities(action)
-    return Facility.all if power_user?
-    accesses.facilities(action)
-  end
-
-  def can?(action, model, record = nil)
-    return true if power_user?
-    accesses.can?(action, model, record)
-  end
-  #
-  # #########################
-
   def destroy_email_authentications
     destroyable_email_auths = email_authentications.load
 

app/models/user_access.rb

@@ -0,0 +1,82 @@
+class UserAccess < Struct.new(:user)
+  class NotAuthorizedError < StandardError; end
+
+  LEVELS = {
+    viewer: {
+      id: :viewer,
+      name: "View: Everything",
+      grant_access: [],
+      description: "Can view stuff"
+    },
+
+    manager: {
+      id: :manager,
+      name: "Manager",
+      grant_access: [:viewer, :manager],
+      description: "Can manage stuff"
+    },
+
+    power_user: {
+      id: :power_user,
+      name: "Power User",
+      description: "Can manage everything"
+    }
+  }.freeze
+
+  ACTION_TO_LEVEL = {
+    view: [:manager, :viewer],
+    manage: [:manager]
+  }.freeze
+
+  def accessible_organizations(action)
+    resources_for(Organization, action)
+  end
+
+  def accessible_facility_groups(action)
+    resources_for(FacilityGroup, action)
+      .or(FacilityGroup.where(organization: accessible_organizations(action)))
+  end
+
+  def accessible_facilities(action)
+    resources_for(Facility, action)
+      .or(Facility.where(facility_group: accessible_facility_groups(action)))
+  end
+
+  def can?(action, model, record = nil)
+    if record&.is_a? ActiveRecord::Relation
+      raise ArgumentError, "record should not be an ActiveRecord::Relation."
+    end
+
+    case model
+      when :facility
+        can_access_record?(accessible_facilities(action), record)
+      when :organization
+        can_access_record?(accessible_organizations(action), record)
+      when :facility_group
+        can_access_record?(accessible_facility_groups(action), record)
+      else
+        raise ArgumentError, "Access to #{model} is unsupported."
+    end
+  end
+
+  private
+
+  def can_access_record?(resources, record)
+    return true if user.power_user?
+    return resources.find_by_id(record).present? if record
+    resources.exists?
+  end
+
+  def resources_for(resource_model, action)
+    return resource_model.all if user.power_user?
+    return resource_model.none unless ACTION_TO_LEVEL.fetch(action).include?(user.access_level.to_sym)
+
+    resource_ids =
+      user
+        .accesses
+        .where(resource_type: resource_model.to_s)
+        .map(&:resource_id)
+
+    resource_model.where(id: resource_ids)
+  end
+end