# Guardian 0.x-style permission plug: the :admin permission set must contain :manage_users,
# otherwise the handler's unauthorized/2 callback is invoked and the request halted
plug Guardian.Plug.EnsurePermissions,
  handler: MyAppWeb.AuthController, admin: [:manage_users]

def show(conn, %{"id" => id}) do
  # placeholder for whatever looks the user up by id (not shown in the post)
  user = method_to_find_user(id)

  conn
  |> json(user)
end
So with this code, Guardian will send a 401 when a user without the :manage_users permission tries to access any user's show page. What I am trying to do is allow the current user to be able to view his/her self. I have the current user, but I am not sure what the best way to implement this feature is.
This will only allow someone with the manage_users permission to view the user, which probably isn't what you want. If you remove it, anyone can access the user. I would normally handle this by authenticating the request using a JWT that carries the user. Then you can do something like this:
# verify the JWT in the Authorization header, load the resource (user) it refers to,
# and reject the request via the handler if no resource could be loaded
plug Guardian.Plug.VerifyHeader
plug Guardian.Plug.LoadResource
plug Guardian.Plug.EnsureResource, handler: Api.AuthErrorHandler

# the :id param is ignored on purpose: the caller only ever sees themselves
def show(conn, _params) do
  user = Guardian.Plug.current_resource(conn)

  conn
  |> put_status(200)
  |> render("show.json", data: User.get(user))
end
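The answer above covers the "only yourself" case; the question also wants admins with :manage_users to keep viewing everyone. The following is an added example, not code from the original thread or from Guardian: a small plug that lets a request through when the requested :id belongs to the current resource and otherwise falls back to the same permission check EnsurePermissions performs. It is written against the Guardian 0.x API the thread uses (Guardian.Plug.current_resource/1, Guardian.Plug.claims/1, Guardian.Permissions.from_claims/2 and Guardian.Permissions.all?/3) and the handler convention of an unauthorized/2 callback; the module names, the assumption that the resource struct has an id field, and MyApp.Accounts.find_user/1 are all made up for the illustration.

```elixir
# Added example (not from the original thread or from Guardian): allow the request
# when the caller is the user being requested, otherwise require the listed
# permissions. Guardian 0.x API assumed; module names and find_user/1 are hypothetical.
defmodule MyAppWeb.Plugs.EnsureSelfOrPermissions do
  import Plug.Conn

  # opts arrive as a keyword list: [handler: Mod, admin: [:manage_users], ...]
  def init(opts), do: Enum.into(opts, %{})

  def call(conn, %{handler: handler} = opts) do
    required = Map.drop(opts, [:handler])

    cond do
      self_request?(conn) -> conn
      has_permissions?(conn, required) -> conn
      true ->
        # same convention as EnsurePermissions: delegate to the handler and halt
        conn
        |> handler.unauthorized(%{reason: :insufficient_permissions})
        |> halt()
    end
  end

  # The path param is a string while the resource id may be an integer,
  # so compare string forms; a missing :id or missing resource never matches.
  defp self_request?(%Plug.Conn{params: %{"id" => id}} = conn) do
    case Guardian.Plug.current_resource(conn) do
      %{id: current_id} -> to_string(current_id) == id
      _ -> false
    end
  end

  defp self_request?(_conn), do: false

  # Every listed permission set (e.g. admin: [:manage_users]) must be fully
  # present in the token's claims; no claims at all means no permissions.
  defp has_permissions?(conn, required) do
    case Guardian.Plug.claims(conn) do
      {:ok, claims} ->
        Enum.all?(required, fn {set, perms} ->
          claims
          |> Guardian.Permissions.from_claims(set)
          |> Guardian.Permissions.all?(perms, set)
        end)

      {:error, _reason} ->
        false
    end
  end
end

defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  plug Guardian.Plug.VerifyHeader
  plug Guardian.Plug.LoadResource
  plug Guardian.Plug.EnsureResource, handler: MyAppWeb.AuthController

  plug MyAppWeb.Plugs.EnsureSelfOrPermissions,
       [handler: MyAppWeb.AuthController, admin: [:manage_users]] when action in [:show]

  def show(conn, %{"id" => id}) do
    # Loading by id is safe here: the plug has established that the caller is
    # this user or holds admin:manage_users. find_user/1 is an assumed lookup.
    user = MyApp.Accounts.find_user(id)
    json(conn, user)
  end
end
```

The self check runs before the permission check so that an ordinary user never needs any permission bits to see their own record, while an admin token with admin: [:manage_users] still reaches every user's show action. Keep EnsureResource in front of the plug: it guarantees a loaded resource exists before the id comparison, so an unauthenticated request is rejected by the handler rather than silently failing the self check and then the permission check.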