I’m trying to restrict some routes with user role.
I’ve added a role field on my user table that can take “user” “admin” or “manager”
the routes to change the role work perfectly but not the restrict access.
I’ve followed the hexdoc but doesn’t work.
This ismy ensurerole plug :
defmodule Timemanager.EnsureRolePlug do
import Plug.Conn, only: [halt: 1]
alias TimemanagerWeb.Router.Helpers, as: Routes
alias Phoenix.Controller
alias Plug.Conn
alias Pow.Plug
@doc false
@spec init(any()) :: any()
def init(config), do: config
@doc false
@spec call(Conn.t(), atom() | binary() | [atom()] | [binary()]) :: Conn.t()
def call(conn, roles) do
conn
|> Plug.current_user()
|> has_role?(roles)
|> maybe_halt(conn)
end
defp has_role?(nil, _roles), do: false
defp has_role?(user, roles) when is_list(roles), do: Enum.any?(roles, &has_role?(user, &1))
defp has_role?(user, role) when is_atom(role), do: has_role?(user, Atom.to_string(role))
defp has_role?(%{role: role}, role), do: true
defp has_role?(_user, _role), do: false
defp maybe_halt(true, conn), do: conn
defp maybe_halt(_any, conn) do
conn
|> Controller.put_flash(:error, "Unauthorized access")
|> halt()
end
end
this is my router :
pipeline :admin do
plug Timemanager.EnsureRolePlug, :admin
end
scope "/admin" do
pipe_through [:browser, :admin]
put("/manager/:userID", UserController, :manager)
put("/admin/:userID", UserController, :admin)
end
with that code i can acces the route /admin and /manager with the user role, and i want only a admin can use this routes.
In the doc there is one, but i dont want to redirect, it’s a api route, i juste want to change user role, and if the user is not an admin i put flash “Unauthorized access”. i can in fact put status 401 and render and error.json …
Yes that is why I think you need to redirect users with “user” role to some route they are allowed to access. If it is an API, redirect to some allowed route that serves the appropriate data that the API client know what to do with. The halt plug will assure that the request won’t go anywhere further through the restricted route pipeline after the redirection.
To sum up, they accessed the route but they are immediately redirected before getting any restricted data. In the other hand, Users with “admin” role won’t be redirected and will access the restricted data.
defmodule Timemanager.EnsureRolePlug do
import Plug.Conn, only: [halt: 1]
alias TimemanagerWeb.Router.Helpers, as: Routes
alias Phoenix.Controller
alias Plug.Conn
alias Pow.Plug
@doc false
@spec init(any()) :: any()
def init(config), do: config
@doc false
@spec call(Conn.t(), atom() | binary() | [atom()] | [binary()]) :: Conn.t()
def call(conn, roles) do
conn
|> Plug.current_user()
|> has_role?(roles)
|> maybe_halt(conn)
end
defp has_role?(nil, _roles), do: false
defp has_role?(user, roles) when is_list(roles), do: Enum.any?(roles, &has_role?(user, &1))
defp has_role?(user, role) when is_atom(role), do: has_role?(user, Atom.to_string(role))
defp has_role?(%{role: role}, role), do: true
defp has_role?(_user, _role), do: false
defp maybe_halt(true, conn), do: conn
defp maybe_halt(_any, conn) do
conn
|> Controller.put_flash(:error, "Unauthorized access")
|> Controller.redirect(to: "/sign_in")
|> halt()
end
end
pipeline :authenticated do
plug Guardian.Plug.EnsureAuthenticated
end
pipeline :admin do
plug Timemanager.EnsureRolePlug, :admin
end
scope "/admin" do
pipe_through [:authenticated, :admin]
put("/manager/:userID", UserController, :manager)
end
In fact where i create a user, default role is “user”, after that i can sign_in to have my token and access to restrict route. But i have 2 routes : /admin and /manager. Only authenticated user with admin role can access this route.
All authentucation and sin_in function are working, but my plug to ensure that user is admin isn’t working because user with admin role can access the route /admin and /manager.
So i modfied my plug with all you said, but now when i call this route, i have 405 method not allowed.