Ensure authorisation rules on properties liveviews

2020-09-14 22:12:52 -03:00 · 2020-09-14 22:12:52 -03:00 · 50fdc5f6f3
parent 41d852b06a
commit 50fdc5f6f3
2 changed files with 52 additions and 9 deletions
--- a/lib/real_estate_web/live/property_live/index.ex
+++ b/lib/real_estate_web/live/property_live/index.ex
@ -3,16 +3,29 @@ defmodule RealEstateWeb.PropertyLive.Index do

  alias RealEstate.Properties
  alias RealEstate.Properties.Property
+  alias RealEstateWeb.Roles

  @impl true
  def mount(_params, session, socket) do
    socket = assign_defaults(session, socket)
-    {:ok, assign(socket, :properties, list_properties())}
+    {:ok, assign(socket, :properties, [])}
  end

  @impl true
  def handle_params(params, _url, socket) do
-    {:noreply, apply_action(socket, socket.assigns.live_action, params)}
+    current_user = socket.assigns.current_user
+    live_action = socket.assigns.live_action
+    property = property_from_params(params)
+
+    if Roles.can?(current_user, property, live_action) do
+      socket = assign(socket, :properties, list_properties())
+      {:noreply, apply_action(socket, live_action, params)}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
  end

  defp apply_action(socket, :edit, %{"id" => id}) do
@ -35,12 +48,29 @@ defmodule RealEstateWeb.PropertyLive.Index do

  @impl true
  def handle_event("delete", %{"id" => id}, socket) do
+    current_user = socket.assigns.current_user
    property = Properties.get_property!(id)
-    {:ok, _} = Properties.delete_property(property)

-    {:noreply, assign(socket, :properties, list_properties())}
+    if RealEstateWeb.Roles.can?(current_user, property, :delete) do
+      property = Properties.get_property!(id)
+      {:ok, _} = Properties.delete_property(property)
+
+      {:noreply, assign(socket, :properties, list_properties())}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
  end

+  defp property_from_params(params)
+
+  defp property_from_params(%{"id" => id}),
+    do: Properties.get_property!(id)
+
+  defp property_from_params(_params), do: %Property{}
+
  defp list_properties do
    Properties.list_properties()
  end
--- a/lib/real_estate_web/live/property_live/show.ex
+++ b/lib/real_estate_web/live/property_live/show.ex
@ -2,18 +2,31 @@ defmodule RealEstateWeb.PropertyLive.Show do
  use RealEstateWeb, :live_view

  alias RealEstate.Properties
+  alias RealEstateWeb.Roles

  @impl true
-  def mount(_params, _session, socket) do
+  def mount(_params, session, socket) do
+    socket = assign_defaults(session, socket)
    {:ok, socket}
  end

  @impl true
  def handle_params(%{"id" => id}, _, socket) do
-    {:noreply,
-     socket
-     |> assign(:page_title, page_title(socket.assigns.live_action))
-     |> assign(:property, Properties.get_property!(id))}
+    current_user = socket.assigns.current_user
+    live_action = socket.assigns.live_action
+    property = Properties.get_property!(id)
+
+    if Roles.can?(current_user, property, live_action) do
+      {:noreply,
+       socket
+       |> assign(:property, property)
+       |> assign(:page_title, page_title(live_action))}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
  end

  defp page_title(:show), do: "Show Property"