Guardian.Plug.EnsurePermissions Question

I have the following in my users controller:

plug Guardian.Plug.EnsurePermissions,
  handler: MyAppWeb.AuthController, admin: [:manage_users]

def show(conn, %{"id" => id}) do
  user = method_to_find_user(id)

  conn
  |> json(user)
end

So with this code, Guardian will send a 401 when a user without the :manage_users permission tries to access any user's show page. What I am trying to do is allow the current user to view themselves. I have the current user but I am not sure what the best way to implement this feature is.


This will only allow someone with the manage_users permission to view the user, which probably isn't what you want. If you remove it, anyone can access the user. I would normally handle this by authenticating the request using a JWT that carries the user. Then you can do something like this:

plug Guardian.Plug.VerifyHeader
plug Guardian.Plug.LoadResource
plug Guardian.Plug.EnsureResource, handler: Api.AuthErrorHandler

def show(conn, _params) do
  user = Guardian.Plug.current_resource(conn)

  conn
  |> put_status(200)
  |> render("show.json", data: User.get(user))
end
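The answer above drops the permission check entirely, which means any authenticated user can view only the record belonging to the token's subject. If the original requirement (admins may view anyone, everyone else only themselves) still stands, the two rules can be combined in one controller plug. The following is an added example, not code from the thread or from the Guardian project; `MyAppWeb.UserController`, `MyApp.Accounts.get_user!/1` and the `:admin` permission set are assumed names, and the permission helper assumes the Guardian 0.x API that the thread's `EnsurePermissions` and `EnsureResource` plugs belong to (`Guardian.Plug.claims/1`, `Guardian.Permissions.from_claims/2`, `Guardian.Permissions.all?/3`).

```elixir
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  # Assumed pipeline (same as the answer): the request carries a JWT in the
  # Authorization header and the token's subject is loaded as the resource.
  plug Guardian.Plug.VerifyHeader
  plug Guardian.Plug.LoadResource
  plug Guardian.Plug.EnsureResource, handler: MyAppWeb.AuthController

  # Authorization rule for :show only: a user may view their own record;
  # any other record requires :manage_users in the :admin permission set.
  plug :authorize_user_access when action in [:show]

  def show(conn, %{"id" => id}) do
    # Hypothetical context function that raises on a missing id.
    user = MyApp.Accounts.get_user!(id)
    json(conn, %{id: user.id, email: user.email})
  end

  defp authorize_user_access(conn, _opts) do
    current = Guardian.Plug.current_resource(conn)
    # Path params arrive as strings, so compare against a stringified id
    # rather than relying on integer == string (which is always false).
    requested_id = conn.params["id"]

    cond do
      current != nil and to_string(current.id) == requested_id ->
        conn

      has_permission?(conn, :admin, :manage_users) ->
        conn

      true ->
        # The caller is authenticated but not authorized for this record.
        conn
        |> put_status(:forbidden)
        |> json(%{error: "forbidden"})
        |> halt()
    end
  end

  # Reads the permission bitmask out of the verified JWT claims. Assumes the
  # Guardian 0.x Permissions API; a token without claims grants nothing.
  defp has_permission?(conn, type, perm) do
    case Guardian.Plug.claims(conn) do
      {:ok, claims} ->
        claims
        |> Guardian.Permissions.from_claims(type)
        |> Guardian.Permissions.all?([perm], type)

      _ ->
        false
    end
  end
end
```

Keeping the decision in a single plug means the self-access exception and the admin rule are evaluated in one place, and `halt/1` guarantees the action never runs for a denied request. Note that the check is keyed on the `id` path parameter, so it only protects routes that use that parameter; a `current` of `nil` is treated as "not self" rather than trusted.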

That makes sense. Thank you!