p4d50

p4d50

How to provide current logged in user into LiveView Form component?

Hi guys,

I have a question, so I’m wondering what is the best way to do this?

I’m using Phoenix gen command, for generating liveview components, context, etc. Scaffold is pretty solid, but I have one question.

I’m tweaking original Phoenix Auth, to support multiple profiles. And I’m currently using logged in user information, in order to submit “has many” relationship between user and profile.

In Index liveview module, I have this piece of code:

 def mount(_params, %{"user_token" => user_token}, socket) do
    profiles = Profiles.list_profiles_by_user_token(user_token)
    
    socket = socket
      |> stream(:profiles, profiles)
      |> assign(:current_user, Accounts.get_user_by_session_token(user_token))

    {:ok, socket}
  end

Here I’m assigning currently logged in user profiles, and current_user. In my index.html.heex, I’m passing current_user value into <.live_component> like so:

<.modal :if={@live_action in [:new, :edit]} id="profile-modal" show on_cancel={JS.patch(~p"/profiles")}>
  <.live_component
    module={TrialmarkWeb.ProfileLive.FormComponent}
    -----------------------------------------------------
    current_user={@current_user}
    -----------------------------------------------------
    id={@profile.id || :new}
    title={@page_title}
    action={@live_action}
    profile={@profile}
    patch={~p"/profiles"}
  />
</.modal>

And on form_component.ex I’m using current_user value to create new profile associted to currently logged in user, like so:

 defp save_profile(socket, :new, profile_params) do
    case Profiles.create_profile(profile_params, socket.assigns.current_user) do
      {:ok, profile} ->
        notify_parent({:saved, profile})

        {:noreply,
         socket
         |> put_flash(:info, "Profile created successfully")
         |> push_patch(to: socket.assigns.patch)}

      {:error, %Ecto.Changeset{} = changeset} ->
        {:noreply, assign_form(socket, changeset)}
    end
  end

Long story short, my question is there a better way to do this, because providing value from heex file, can be mutated, and security would be an issue. For example someone can enter some other user profile, and submit it to his account.

What is best way to handle this stuff correctly?

First Post!

sodapopcan

sodapopcan

Your example also just shows an example of creating a profile which wouldn’t be a security issue. For update, you just need to ensure the user owns the profile. This can be done in a variety of ways. I like to keep it in the domain layer and I like to pass the user as the first argument:

Profiles.update_profile(current_user, profile, profile_params)

Then your code can look something like this:

def update_profile(%User{id: user_id}, profile{user_id: user_id}, params) do
  # ...
end

This will raise if the two user_ids don’t match.

You also look at authorization libraries like Let Me or Janus.

Also, be careful of lines like this if you are using integer id:

id={@profile.id || :new}

LiveView gives you a warning if you use an integer as a component id (at least it used to!)

Where Next?

Popular in Questions Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&amp;query=perfume&amp;page=2, I would like to get: ...
New
qwerescape
Is there a way to get the call stack or stack trace at any point in the code? Not from exceptions, but an expression that returns how the...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
beno
I will often find my self writing things similar to: case some_value do nil -&gt; something() "" -&gt; something() _ -&gt; somethi...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New

We're in Beta

About us Mission Statement