I’ve been working on a Phoenix 1.3 app and would like your advice on whether the kind of code displayed below is going in the right direction or instead has major design flaws. In particular, is there work that should be offloaded to a plug? I’m using a home-grown authentication system in which a registered user can present email and password and receive a JWT token, which is needed to access all routes except /public/documents – and of course the one used to obtain the token.
I’d like to express my continuing thanks to all in this forum … your specific help and general advice is invaluable … I couldn’t work without it.
Two typical controller actions:
  def show(conn, %{"id" => id}) do
    document = DocManager.get_document!(id)
    # {:ok, user_id} is returned if the token is valid and carries the user_id,
    # otherwise {:error, "not authorized"} is returned.
    # Users are allowed to read their own docs and public docs.
    with {:ok, user_id} <- Token.user_id_from_header(conn),
         true <- document.attributes["public"] == true or user_id == document.author_id do
      render(conn, "show.json", document: document)
    else
      # A controller action must return a %Plug.Conn{}; returning a bare tuple
      # makes Phoenix raise. Respond with a status and a JSON body instead.
      {:error, error} ->
        conn |> put_status(:unauthorized) |> json(%{error: error})

      # When the ownership/public check fails, `with` falls through with `false`,
      # which the {:error, _} clause above would not match (WithClauseError).
      false ->
        conn |> put_status(:forbidden) |> json(%{error: "forbidden"})
    end
  end

  def show_public(conn, %{"id" => id}) do
    document = DocManager.get_document!(id)

    if document.attributes["public"] == true do
      render(conn, "show.json", document: document)
    else
      # Same rule: return a conn, not a tuple. Answering 404 rather than 403 here
      # avoids confirming that a private document with this id exists.
      conn |> put_status(:not_found) |> json(%{error: "Cannot display document"})
    end
  end
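One way to answer the "should this move to a plug?" question in working code, as an added example rather than the original poster's code: verify the JWT once in a router plug that assigns the user id to the conn (or halts with 401), and keep only the per-document authorization in the controller, since that check needs the loaded document. It assumes that Token.user_id_from_header/1 returns {:ok, user_id} or {:error, reason} exactly as the post describes, that DocManager.get_document!/1 and the "show.json" view exist, and that the app's modules are named MyAppWeb.* (placeholder names); the SessionController that issues the token is assumed as well.

```elixir
# Added example, not the poster's code. Assumes Token.user_id_from_header/1,
# DocManager.get_document!/1 and the "show.json" view exist as described in
# the post. MyAppWeb.* and SessionController are placeholder names.

defmodule MyAppWeb.Plugs.RequireToken do
  @moduledoc "Authentication only: verify the bearer JWT once per request."
  import Plug.Conn
  import Phoenix.Controller, only: [json: 2]

  def init(opts), do: opts

  def call(conn, _opts) do
    case Token.user_id_from_header(conn) do
      {:ok, user_id} ->
        # Downstream actions read conn.assigns.current_user_id; it is never
        # absent there because this plug halts on every failure path.
        assign(conn, :current_user_id, user_id)

      {:error, reason} ->
        conn
        |> put_status(:unauthorized)
        |> json(%{error: reason})
        # halt/1 stops the plug pipeline so the controller action never runs.
        |> halt()
    end
  end
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
  end

  pipeline :authenticated do
    plug MyAppWeb.Plugs.RequireToken
  end

  # Routes that must work without a token: public documents and token issuance.
  scope "/", MyAppWeb do
    pipe_through :api
    get "/public/documents/:id", DocumentController, :show_public
    post "/sessions", SessionController, :create
  end

  # Everything else requires a valid token before the action is reached.
  scope "/", MyAppWeb do
    pipe_through [:api, :authenticated]
    get "/documents/:id", DocumentController, :show
  end
end

defmodule MyAppWeb.DocumentController do
  use MyAppWeb, :controller

  # Authorization stays here: it depends on the document, which the plug
  # does not have. The token has already been verified by RequireToken.
  def show(conn, %{"id" => id}) do
    document = DocManager.get_document!(id)
    user_id = conn.assigns.current_user_id

    if can_read?(document, user_id) do
      render(conn, "show.json", document: document)
    else
      conn |> put_status(:forbidden) |> json(%{error: "forbidden"})
    end
  end

  def show_public(conn, %{"id" => id}) do
    document = DocManager.get_document!(id)

    if public?(document) do
      render(conn, "show.json", document: document)
    else
      # 404, not 403, so a private document's existence is not revealed.
      conn |> put_status(:not_found) |> json(%{error: "not found"})
    end
  end

  defp public?(document), do: document.attributes["public"] == true

  defp can_read?(document, user_id),
    do: public?(document) or document.author_id == user_id
end
```

Two practical notes on this split. First, because the plug halts on any token failure, the controller can rely on `conn.assigns.current_user_id` being present and no longer needs the `{:error, _}` branch; the only decision left in the action is the document-level one. Second, `DocManager.get_document!/1` raising `Ecto.NoResultsError` is turned into a 404 by Phoenix's default error handling, so an unauthenticated caller probing `/documents/:id` gets 401 from the plug before the lookup runs, while an authenticated caller asking for someone else's private document gets 403; if you would rather not distinguish "exists but private" from "does not exist" for authenticated users either, return 404 in `show` as well.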