Add guards on post resources
This commit is contained in:
parent
76b083a2bd
commit
9d5a369ff6
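--- a/lib/aggiedit/roles.ex
+++ b/lib/aggiedit/roles.ex
@@ -0,0 +1,10 @@
+defmodule Aggiedit.Roles do
+alias Aggiedit.Accounts.User
+alias Aggiedit.Rooms.Post
+
+def guard?(user, action, object)
+def guard?(%User{role: :admin}, _, _), do: true
+def guard?(%User{room_id: rid}, :show, %Post{room_id: rid}), do: true
+def guard?(%User{id: id, room_id: rid}, action, %Post{user_id: id, room_id: rid}) when action in [:delete, :edit], do: true
+def guard?(_, _, _), do: false
+end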
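Review bot: The `:show` and `:edit`/`:delete` clauses pin `rid` from the user's `room_id` against the post's `room_id`, and a pinned match also succeeds when both sides are `nil`, so a user with no room would pass the room check on any post whose `room_id` is unset; if `room_id` can be nil on either struct, add a guard such as `def guard?(%User{room_id: rid}, :show, %Post{room_id: rid}) when not is_nil(rid), do: true` and the same `and not is_nil(rid)` on the owner clause. The catch-all `guard?(_, _, _)` correctly fails closed for a nil user and for any action not listed. The policy is also undocumented; a `@doc` stating that `guard?/3` returns true only for an admin, a same-room user on `:show`, or the owning same-room user on `:edit`/`:delete`, plus `@spec guard?(User.t() | nil, atom(), term()) :: boolean()`, would make the authorization rules reviewable in one place.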
@ -1,6 +1,7 @@
|
|||||||
defmodule AggieditWeb.PostLive.Index do
|
defmodule AggieditWeb.PostLive.Index do
|
||||||
use AggieditWeb, :live_view
|
use AggieditWeb, :live_view
|
||||||
|
|
||||||
|
alias Aggiedit.Roles
|
||||||
alias Aggiedit.Rooms
|
alias Aggiedit.Rooms
|
||||||
alias Aggiedit.Rooms.Post
|
alias Aggiedit.Rooms.Post
|
||||||
alias Aggiedit.Repo
|
alias Aggiedit.Repo
|
||||||
@ -14,12 +15,24 @@ defmodule AggieditWeb.PostLive.Index do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@impl true
|
||||||
|
def handle_params(%{"id" => id}=params, _url, socket) do
|
||||||
|
post = Rooms.get_post!(id)
|
||||||
|
if Roles.guard?(socket.assigns.current_user, socket.assigns.live_action, post) do
|
||||||
|
{:noreply, apply_action(socket, socket.assigns.live_action, params)}
|
||||||
|
else
|
||||||
|
{:noreply, socket |> put_flash(:error, "You do not have permission to edit this post.") |> redirect(to: Routes.post_index_path(socket, :index))}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
@impl true
|
@impl true
|
||||||
def handle_params(params, _url, socket) do
|
def handle_params(params, _url, socket) do
|
||||||
|
IO.puts(inspect(params))
|
||||||
{:noreply, apply_action(socket, socket.assigns.live_action, params)}
|
{:noreply, apply_action(socket, socket.assigns.live_action, params)}
|
||||||
end
|
end
|
||||||
|
|
||||||
defp apply_action(socket, :edit, %{"id" => id}) do
|
|
||||||
|
defp apply_action(socket, :edit, %{"id" => id}=params) do
|
||||||
socket
|
socket
|
||||||
|> assign(:page_title, "Edit Post")
|
|> assign(:page_title, "Edit Post")
|
||||||
|> assign(:post, Rooms.get_post!(id) |> Repo.preload(:upload))
|
|> assign(:post, Rooms.get_post!(id) |> Repo.preload(:upload))
|
||||||
@ -40,9 +53,12 @@ defmodule AggieditWeb.PostLive.Index do
|
|||||||
@impl true
|
@impl true
|
||||||
def handle_event("delete", %{"id" => id}, socket) do
|
def handle_event("delete", %{"id" => id}, socket) do
|
||||||
post = Rooms.get_post!(id)
|
post = Rooms.get_post!(id)
|
||||||
{:ok, _} = Rooms.delete_post(post)
|
if Roles.guard?(socket.assigns.current_user, :delete, post) do
|
||||||
|
Rooms.delete_post(post)
|
||||||
{:noreply, assign(socket, :posts, list_posts())}
|
{:noreply, socket |> put_flash(:success, "Post deleted.") |> redirect(to: Routes.post_index_path(socket, :index))}
|
||||||
|
else
|
||||||
|
{:noreply, socket |> put_flash(:error, "You do not have permission to delete this post.") |> redirect(to: Routes.post_index_path(socket, :index))}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp list_posts do
|
defp list_posts do
|
||||||
|
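Review bot: In the rewritten `handle_event("delete", …)` the result of `Rooms.delete_post(post)` is discarded where the removed line asserted `{:ok, _} =`, so a failed delete still falls through to the "Post deleted." flash and redirect; keep `{:ok, _} = Rooms.delete_post(post)` or branch on the returned tuple before flashing success. The fallback `handle_params/3` clause also gains `IO.puts(inspect(params))`, which writes every request parameter to stdout; that debug line should be removed before merge rather than left as a permanent log of user input. The authorized `handle_params` clause loads the post with `Rooms.get_post!(id)` and then `apply_action(socket, :edit, …)` loads it again with `Rooms.get_post!(id) |> Repo.preload(:upload)`; passing the already-loaded post through, or assigning it before `apply_action`, avoids the duplicate query. The flash text "You do not have permission to edit this post." is emitted for any `live_action` that carries an id, which will read wrongly if the index route ever exposes another id-bearing action.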
@ -2,18 +2,30 @@ defmodule AggieditWeb.PostLive.Show do
|
|||||||
use AggieditWeb, :live_view
|
use AggieditWeb, :live_view
|
||||||
|
|
||||||
alias Aggiedit.Rooms
|
alias Aggiedit.Rooms
|
||||||
|
alias Aggiedit.Roles
|
||||||
|
alias Aggiedit.Repo
|
||||||
|
|
||||||
@impl true
|
@impl true
|
||||||
def mount(_params, _session, socket) do
|
def mount(_params, session, socket) do
|
||||||
{:ok, socket}
|
socket = assign_socket_user(session, socket)
|
||||||
|
case socket.assigns do
|
||||||
|
%{:current_user => user} -> {:ok, socket}
|
||||||
|
_ -> {:ok, socket |> put_flash(:error, "You must log in to access this page.") |> redirect(to: Routes.user_session_path(socket, :new))}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
@impl true
|
@impl true
|
||||||
def handle_params(%{"id" => id}, _, socket) do
|
def handle_params(%{"id" => id}, _, socket) do
|
||||||
{:noreply,
|
post = Rooms.get_post!(id)
|
||||||
socket
|
|> Repo.preload(:upload)
|
||||||
|> assign(:page_title, page_title(socket.assigns.live_action))
|
if Roles.guard?(socket.assigns.current_user, socket.assigns.live_action, post) do
|
||||||
|> assign(:post, Rooms.get_post!(id))}
|
{:noreply,
|
||||||
|
socket
|
||||||
|
|> assign(:page_title, page_title(socket.assigns.live_action))
|
||||||
|
|> assign(:post, post)}
|
||||||
|
else
|
||||||
|
{:noreply, socket |> put_flash(:error, "You don't have permission to do that.") |> redirect(to: Routes.post_show_path(socket, :index))}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp page_title(:show), do: "Show Post"
|
defp page_title(:show), do: "Show Post"
|
||||||
|
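Review bot: The `mount/3` branch `%{:current_user => user} -> {:ok, socket}` matches whenever the key is present, so if `assign_socket_user/2` (defined outside this hunk) assigns `current_user: nil` for an anonymous session the login redirect is skipped and the request is only rejected later by `Roles.guard?/3`; match the value instead, e.g. `%{current_user: user} when not is_nil(user) -> {:ok, socket}`, which also removes the unused `user` binding. The denial branch of `handle_params/3` redirects with `Routes.post_show_path(socket, :index)`, while the index LiveView in this same commit uses `Routes.post_index_path(socket, :index)`; unless the show route really defines an `:index` action, that helper call raises at request time, so the two should agree. The added `alias Aggiedit.Repo` is not used anywhere in this hunk, and the new `handle_params` assigns the post without any `Repo.preload(:upload)`; confirm the show template does not read `@post.upload`, and drop the alias if nothing else in the module uses it.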
@ -5,6 +5,7 @@
|
|||||||
<.live_component
|
<.live_component
|
||||||
module={AggieditWeb.PostLive.FormComponent}
|
module={AggieditWeb.PostLive.FormComponent}
|
||||||
id={@post.id}
|
id={@post.id}
|
||||||
|
current_user={@current_user}
|
||||||
title={@page_title}
|
title={@page_title}
|
||||||
action={@live_action}
|
action={@live_action}
|
||||||
post={@post}
|
post={@post}
|
||||||
|
@ -14,7 +14,7 @@ defmodule Aggiedit.Repo.Migrations.CreateUsersAuthTables do
|
|||||||
timestamps()
|
timestamps()
|
||||||
end
|
end
|
||||||
|
|
||||||
create unique_index(:users, [:email])
|
create unique_index(:users, [:email, :username])
|
||||||
|
|
||||||
create table(:users_tokens) do
|
create table(:users_tokens) do
|
||||||
add :user_id, references(:users, on_delete: :delete_all), null: false
|
add :user_id, references(:users, on_delete: :delete_all), null: false
|
||||||
|
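Review bot: Replacing `unique_index(:users, [:email])` with `unique_index(:users, [:email, :username])` relaxes the constraint rather than tightening it: a composite unique index only rejects rows where both columns repeat, so two accounts may now share an email as long as their usernames differ, and any lookup that resolves a user by email alone becomes ambiguous. If usernames must also be unique, keep two separate indexes, `create unique_index(:users, [:email])` and `create unique_index(:users, [:username])`. This also edits the existing `CreateUsersAuthTables` migration in place; on any database where it has already run the change will never be applied, so a new migration is the safer vehicle. The enclosing migration function starts and ends outside the hunk.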