Add guards on post resources

2022-04-13 12:42:01 -06:00 · 2022-04-13 12:42:01 -06:00 · 9d5a369ff6
commit 9d5a369ff6
parent 76b083a2bd
5 changed files with 50 additions and 11 deletions
--- a/lib/aggiedit/roles.ex
+++ b/lib/aggiedit/roles.ex
@ -0,0 +1,10 @@
+defmodule Aggiedit.Roles do
+  alias Aggiedit.Accounts.User
+  alias Aggiedit.Rooms.Post
+
+  def guard?(user, action, object)
+  def guard?(%User{role: :admin}, _, _), do: true
+  def guard?(%User{room_id: rid}, :show, %Post{room_id: rid}), do: true
+  def guard?(%User{id: id, room_id: rid}, action, %Post{user_id: id, room_id: rid}) when action in [:delete, :edit], do: true
+  def guard?(_, _, _), do: false
+end
--- a/lib/aggiedit_web/live/post_live/index.ex
+++ b/lib/aggiedit_web/live/post_live/index.ex
@ -1,6 +1,7 @@
 defmodule AggieditWeb.PostLive.Index do
  use AggieditWeb, :live_view

+  alias Aggiedit.Roles
  alias Aggiedit.Rooms
  alias Aggiedit.Rooms.Post
  alias Aggiedit.Repo
@ -14,12 +15,24 @@ defmodule AggieditWeb.PostLive.Index do
    end
  end

+  @impl true
+  def handle_params(%{"id" => id}=params, _url, socket) do
+    post = Rooms.get_post!(id)
+    if Roles.guard?(socket.assigns.current_user, socket.assigns.live_action, post) do
+      {:noreply, apply_action(socket, socket.assigns.live_action, params)}
+    else
+      {:noreply, socket |> put_flash(:error, "You do not have permission to edit this post.") |> redirect(to: Routes.post_index_path(socket, :index))}
+    end
+  end
+
  @impl true
  def handle_params(params, _url, socket) do
+    IO.puts(inspect(params))
    {:noreply, apply_action(socket, socket.assigns.live_action, params)}
  end

-  defp apply_action(socket, :edit, %{"id" => id}) do
+
+  defp apply_action(socket, :edit, %{"id" => id}=params) do
    socket
    |> assign(:page_title, "Edit Post")
    |> assign(:post, Rooms.get_post!(id) |> Repo.preload(:upload))
@ -40,9 +53,12 @@ defmodule AggieditWeb.PostLive.Index do
  @impl true
  def handle_event("delete", %{"id" => id}, socket) do
    post = Rooms.get_post!(id)
-    {:ok, _} = Rooms.delete_post(post)
-
-    {:noreply, assign(socket, :posts, list_posts())}
+    if Roles.guard?(socket.assigns.current_user, :delete, post) do
+      Rooms.delete_post(post)
+      {:noreply, socket |> put_flash(:success, "Post deleted.") |> redirect(to: Routes.post_index_path(socket, :index))}
+    else
+      {:noreply, socket |> put_flash(:error, "You do not have permission to delete this post.") |> redirect(to: Routes.post_index_path(socket, :index))}
+    end
  end

  defp list_posts do
--- a/lib/aggiedit_web/live/post_live/show.ex
+++ b/lib/aggiedit_web/live/post_live/show.ex
@ -2,18 +2,30 @@ defmodule AggieditWeb.PostLive.Show do
  use AggieditWeb, :live_view

  alias Aggiedit.Rooms
+  alias Aggiedit.Roles
+  alias Aggiedit.Repo

  @impl true
-  def mount(_params, _session, socket) do
-    {:ok, socket}
+  def mount(_params, session, socket) do
+    socket = assign_socket_user(session, socket)
+    case socket.assigns do
+      %{:current_user => user} -> {:ok, socket}
+      _ -> {:ok, socket |> put_flash(:error, "You must log in to access this page.") |> redirect(to: Routes.user_session_path(socket, :new))}
+    end
  end

  @impl true
  def handle_params(%{"id" => id}, _, socket) do
-    {:noreply,
-     socket
-     |> assign(:page_title, page_title(socket.assigns.live_action))
-     |> assign(:post, Rooms.get_post!(id))}
+    post = Rooms.get_post!(id)
+    |> Repo.preload(:upload)
+    if Roles.guard?(socket.assigns.current_user, socket.assigns.live_action, post) do
+      {:noreply,
+      socket
+      |> assign(:page_title, page_title(socket.assigns.live_action))
+      |> assign(:post, post)}
+    else
+      {:noreply, socket |> put_flash(:error, "You don't have permission to do that.") |> redirect(to: Routes.post_show_path(socket, :index))}
+    end
  end

  defp page_title(:show), do: "Show Post"
--- a/lib/aggiedit_web/live/post_live/show.html.heex
+++ b/lib/aggiedit_web/live/post_live/show.html.heex
@ -5,6 +5,7 @@
    <.live_component
      module={AggieditWeb.PostLive.FormComponent}
      id={@post.id}
+      current_user={@current_user}
      title={@page_title}
      action={@live_action}
      post={@post}
--- a/priv/repo/migrations/20220405071636_create_users_auth_tables.exs
+++ b/priv/repo/migrations/20220405071636_create_users_auth_tables.exs
@ -14,7 +14,7 @@ defmodule Aggiedit.Repo.Migrations.CreateUsersAuthTables do
      timestamps()
    end

-    create unique_index(:users, [:email])
+    create unique_index(:users, [:email, :username])

    create table(:users_tokens) do
      add :user_id, references(:users, on_delete: :delete_all), null: false