Ensure authorisation rules on properties liveviews

Joao Gilberto Balsini Moura 2020-09-14 22:12:52 -03:00
parent 41d852b06a
commit 50fdc5f6f3
2 changed files with 52 additions and 9 deletions


@ -3,16 +3,29 @@ defmodule RealEstateWeb.PropertyLive.Index do
alias RealEstate.Properties alias RealEstate.Properties
alias RealEstate.Properties.Property alias RealEstate.Properties.Property
alias RealEstateWeb.Roles
@impl true @impl true
def mount(_params, session, socket) do def mount(_params, session, socket) do
socket = assign_defaults(session, socket) socket = assign_defaults(session, socket)
{:ok, assign(socket, :properties, list_properties())} {:ok, assign(socket, :properties, [])}
end end
@impl true @impl true
def handle_params(params, _url, socket) do def handle_params(params, _url, socket) do
{:noreply, apply_action(socket, socket.assigns.live_action, params)} current_user = socket.assigns.current_user
live_action = socket.assigns.live_action
property = property_from_params(params)
if Roles.can?(current_user, property, live_action) do
socket = assign(socket, :properties, list_properties())
{:noreply, apply_action(socket, live_action, params)}
else
{:noreply,
socket
|> put_flash(:error, "Unauthorised")
|> redirect(to: "/")}
end
end end
defp apply_action(socket, :edit, %{"id" => id}) do defp apply_action(socket, :edit, %{"id" => id}) do
@ -35,11 +48,28 @@ defmodule RealEstateWeb.PropertyLive.Index do
@impl true @impl true
def handle_event("delete", %{"id" => id}, socket) do def handle_event("delete", %{"id" => id}, socket) do
current_user = socket.assigns.current_user
property = Properties.get_property!(id)
if RealEstateWeb.Roles.can?(current_user, property, :delete) do
property = Properties.get_property!(id) property = Properties.get_property!(id)
{:ok, _} = Properties.delete_property(property) {:ok, _} = Properties.delete_property(property)
{:noreply, assign(socket, :properties, list_properties())} {:noreply, assign(socket, :properties, list_properties())}
else
{:noreply,
socket
|> put_flash(:error, "Unauthorised")
|> redirect(to: "/")}
end end
end
defp property_from_params(params)
defp property_from_params(%{"id" => id}),
do: Properties.get_property!(id)
defp property_from_params(_params), do: %Property{}
defp list_properties do defp list_properties do
Properties.list_properties() Properties.list_properties()
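Review bot: In `handle_event("delete", ...)` the new code fetches `property = Properties.get_property!(id)` before the `if`, yet the unchanged line inside the `if` fetches the same record again; the inner assignment is now redundant and should be dropped. The same clause calls `RealEstateWeb.Roles.can?/3` fully qualified although `alias RealEstateWeb.Roles` is added in this commit, so `Roles.can?(current_user, property, :delete)` would match the style of `handle_params/3`. The unauthorised branch (flash + `redirect(to: "/")`) appears twice in this file and once more in `PropertyLive.Show`; one private helper such as `deny(socket)` would keep the message and redirect target from drifting across the three copies. Only the `"delete"` event is guarded here; any other `handle_event/3` clause in this module (none is visible in the hunk) needs the same check, because client events are not gated by the `live_action` check in `handle_params/3`. A short comment on `handle_params/3` such as `# Authorisation is checked here rather than in mount/3 because handle_params runs on every patch; the property list is only loaded once the check passes.` would document why `mount/3` now assigns `[]`.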


@ -2,18 +2,31 @@ defmodule RealEstateWeb.PropertyLive.Show do
use RealEstateWeb, :live_view use RealEstateWeb, :live_view
alias RealEstate.Properties alias RealEstate.Properties
alias RealEstateWeb.Roles
@impl true @impl true
def mount(_params, _session, socket) do def mount(_params, session, socket) do
socket = assign_defaults(session, socket)
{:ok, socket} {:ok, socket}
end end
@impl true @impl true
def handle_params(%{"id" => id}, _, socket) do def handle_params(%{"id" => id}, _, socket) do
current_user = socket.assigns.current_user
live_action = socket.assigns.live_action
property = Properties.get_property!(id)
if Roles.can?(current_user, property, live_action) do
{:noreply, {:noreply,
socket socket
|> assign(:page_title, page_title(socket.assigns.live_action)) |> assign(:property, property)
|> assign(:property, Properties.get_property!(id))} |> assign(:page_title, page_title(live_action))}
else
{:noreply,
socket
|> put_flash(:error, "Unauthorised")
|> redirect(to: "/")}
end
end end
defp page_title(:show), do: "Show Property" defp page_title(:show), do: "Show Property"
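Review bot: `handle_params/3` now reads `socket.assigns.current_user`, which is set by `assign_defaults/2` in `mount/3`, but nothing on this page shows what that value is for an anonymous session; if it can be `nil`, `Roles.can?/3` must have a clause that denies `nil` users (deny by default), otherwise the check should short-circuit first, e.g. `if current_user && Roles.can?(current_user, property, live_action) do`. The unauthorised branch (flash + `redirect(to: "/")`) is the same four lines as the two branches in `PropertyLive.Index`; a single private helper returning `{:noreply, socket |> put_flash(:error, "Unauthorised") |> redirect(to: "/")}` would keep the message and target consistent. `Properties.get_property!/1` runs before the authorisation check, so an unknown id raises for every user while a known one redirects; that is defensible, but worth a one-line comment such as `# Load first so a missing id still 404s; authorisation is decided on the real record.` if it is intentional.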