From 50fdc5f6f3012ecfdda462d18885e2b840bbfdce Mon Sep 17 00:00:00 2001
From: Joao Gilberto Balsini Moura
Date: Mon, 14 Sep 2020 22:12:52 -0300
Subject: [PATCH] Ensure authorisation rules on properties liveviews

---
 .../live/property_live/index.ex | 38 +++++++++++++++++-
 .../live/property_live/show.ex  | 23 ++++++++++++++-----
 2 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/lib/real_estate_web/live/property_live/index.ex b/lib/real_estate_web/live/property_live/index.ex
index 2fddfa7..3214ab3 100644
--- a/lib/real_estate_web/live/property_live/index.ex
+++ b/lib/real_estate_web/live/property_live/index.ex
@@ -3,16 +3,29 @@ defmodule RealEstateWeb.PropertyLive.Index do
 
   alias RealEstate.Properties
   alias RealEstate.Properties.Property
+  alias RealEstateWeb.Roles
 
   @impl true
   def mount(_params, session, socket) do
     socket = assign_defaults(session, socket)
-    {:ok, assign(socket, :properties, list_properties())}
+    {:ok, assign(socket, :properties, [])}
   end
 
   @impl true
   def handle_params(params, _url, socket) do
-    {:noreply, apply_action(socket, socket.assigns.live_action, params)}
+    current_user = socket.assigns.current_user
+    live_action = socket.assigns.live_action
+    property = property_from_params(params)
+
+    if Roles.can?(current_user, property, live_action) do
+      socket = assign(socket, :properties, list_properties())
+      {:noreply, apply_action(socket, live_action, params)}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
   end
 
   defp apply_action(socket, :edit, %{"id" => id}) do
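Review bot: The authorisation subject in `handle_params/3` is picked by whether `params` contains an `"id"` key rather than by `live_action`, and LiveView passes query-string parameters into `params` too, so a request like `/properties?id=7` on the `:index` route makes `Roles.can?/3` judge property 7 under `:index` (and a bogus id raises from `get_property!/1` on a route that has no record at all). Whether that changes the outcome depends on the rules inside `Roles.can?/3`, which this patch does not show, but the record the decision is made against should not be steerable by the requester: dispatch on the action, e.g. `property = property_from_params(live_action, params)` with clauses `defp property_from_params(:edit, %{"id" => id}), do: Properties.get_property!(id)` and `defp property_from_params(_action, _params), do: %Property{}` (the helper is defined in the next hunk). Loading `list_properties/0` only after the check passes is the right order. `apply_action/3` at the end of the hunk continues outside it.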
@@ -35,12 +48,29 @@ defmodule RealEstateWeb.PropertyLive.Index do
 
   @impl true
   def handle_event("delete", %{"id" => id}, socket) do
+    current_user = socket.assigns.current_user
     property = Properties.get_property!(id)
-    {:ok, _} = Properties.delete_property(property)
 
-    {:noreply, assign(socket, :properties, list_properties())}
+    if RealEstateWeb.Roles.can?(current_user, property, :delete) do
+      property = Properties.get_property!(id)
+      {:ok, _} = Properties.delete_property(property)
+
+      {:noreply, assign(socket, :properties, list_properties())}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
   end
 
+  defp property_from_params(params)
+
+  defp property_from_params(%{"id" => id}),
+    do: Properties.get_property!(id)
+
+  defp property_from_params(_params), do: %Property{}
+
   defp list_properties do
     Properties.list_properties()
   end
diff --git a/lib/real_estate_web/live/property_live/show.ex b/lib/real_estate_web/live/property_live/show.ex
index e044c1a..3893833 100644
--- a/lib/real_estate_web/live/property_live/show.ex
+++ b/lib/real_estate_web/live/property_live/show.ex
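Review bot: Inside the `if` in `handle_event("delete", …)` the record is loaded a second time with `Properties.get_property!(id)` although the struct that was just authorised is already bound to `property`; the check and the delete should act on the same struct, so the inner `property = Properties.get_property!(id)` line should go. While here, `RealEstateWeb.Roles.can?` can use the `Roles` alias this patch adds to the module, and the bodiless head `defp property_from_params(params)` declares no defaults, so it adds nothing. Bear in mind this is a web-layer check only — `Properties.delete_property/1` presumably remains callable by any caller — so a matching rule in the context would be the defence-in-depth option.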
@@ -2,18 +2,31 @@ defmodule RealEstateWeb.PropertyLive.Show do
   use RealEstateWeb, :live_view
 
   alias RealEstate.Properties
+  alias RealEstateWeb.Roles
 
   @impl true
-  def mount(_params, _session, socket) do
+  def mount(_params, session, socket) do
+    socket = assign_defaults(session, socket)
     {:ok, socket}
   end
 
   @impl true
   def handle_params(%{"id" => id}, _, socket) do
-    {:noreply,
-     socket
-     |> assign(:page_title, page_title(socket.assigns.live_action))
-     |> assign(:property, Properties.get_property!(id))}
+    current_user = socket.assigns.current_user
+    live_action = socket.assigns.live_action
+    property = Properties.get_property!(id)
+
+    if Roles.can?(current_user, property, live_action) do
+      {:noreply,
+       socket
+       |> assign(:property, property)
+       |> assign(:page_title, page_title(live_action))}
+    else
+      {:noreply,
+       socket
+       |> put_flash(:error, "Unauthorised")
+       |> redirect(to: "/")}
+    end
   end
 
   defp page_title(:show), do: "Show Property"
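Review bot: `Properties.get_property!(id)` runs before `Roles.can?/3` in `handle_params/3`, so a user who may not view a property gets a raise (presumably `Ecto.NoResultsError` from `Repo.get!/2`, rendered as 404) for ids that do not exist but a flash-and-redirect for ids that do, which lets them enumerate valid property ids. If the context offers a non-raising lookup, fetch with it and treat both cases alike, e.g. `property = Properties.get_property(id)` followed by `if property && Roles.can?(current_user, property, live_action) do`; otherwise rescue that exception in this clause only and take the same unauthorised branch. The same load-then-check ordering appears in the index LiveView's `handle_params/3` and `handle_event("delete", …)` in this patch. The remaining `page_title/1` clauses continue outside the hunk.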