Just trying to wrap my head around a couple of things with how events work in liveview. Mostly for security reasons.
Say that I lock down the mount functions of my liveviews and components with appropriate authorization rules. Assuming I have a websocket connection somewhere else in the application, am I able to send arbitrary events to another liveview module?
My assumption is no, since liveviews are process driven and the process will die if it redirects from the mount method. I want to know if I have to separately authorize my handle_event functions if they have the same authorization rules as the liveview itself.
This is correct. The client has to ask the server to set up a liveview, and when the server sets up a liveview it always runs mount first. If mount denies access, the client can’t force anything to happen.
Perfect thank you. Are you aware of any materials describing the client-server interactions in liveview out of the box? I’m aware of a video on the “liveview” lifecycle but it’s more basic than I’m looking for.
@elt547 not offhand, but keep in mind that any resources that you find about Phoenix Channels apply equally to LiveView, because LiveView is built on top of channels.
The answer to this specific question is yes. Generally speaking, you should check authorization for each action performed in a handle_event callback. Authorization is separate from authentication: you can perform authentication in on_mount, but you still have to check whether each action can be performed by the authenticated user.
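Putting both answers together (mount gating access first, and each handle_event still authorizing its own action), here is an added example; it is not code from the thread or from Phoenix itself. The `MyAppWeb.RequireUser` hook, the `MyApp.Accounts` and `MyApp.Posts` context functions, and the session key `"user_id"` are all assumed names for illustration:

```elixir
# Added example, not from the original thread. Assumes a hypothetical
# MyApp.Accounts.get_user/1 and MyApp.Posts context; names are illustrative.

defmodule MyAppWeb.RequireUser do
  import Phoenix.Component, only: [assign: 3]
  import Phoenix.LiveView, only: [redirect: 2, put_flash: 3]

  # Runs before the LiveView's own mount/3 on both the disconnected and the
  # connected (websocket) mount. If the session carries no valid user, the
  # socket is halted and redirected, so mount never runs and the process that
  # would receive events is never started.
  def on_mount(:default, _params, session, socket) do
    case session["user_id"] && MyApp.Accounts.get_user(session["user_id"]) do
      nil ->
        {:halt, socket |> put_flash(:error, "Please sign in") |> redirect(to: "/login")}

      user ->
        {:cont, assign(socket, :current_user, user)}
    end
  end
end

defmodule MyAppWeb.PostLive.Index do
  use MyAppWeb, :live_view

  # Authentication: who is this user? Handled once, before mount.
  on_mount MyAppWeb.RequireUser

  def mount(_params, _session, socket) do
    {:ok, assign(socket, :posts, MyApp.Posts.list_posts())}
  end

  # Authorization: may this user perform this action on this record?
  # The client controls both the event name and the payload it sends over the
  # channel, so the "id" cannot be trusted to belong to the current user.
  # Every handle_event clause checks that for itself.
  def handle_event("delete", %{"id" => id}, socket) do
    user = socket.assigns.current_user
    post = MyApp.Posts.get_post!(id)

    if authorized?(user, :delete, post) do
      {:ok, _} = MyApp.Posts.delete_post(post)
      {:noreply, assign(socket, :posts, MyApp.Posts.list_posts())}
    else
      # Deny without leaking anything beyond "not yours"; log here if desired.
      {:noreply, put_flash(socket, :error, "Not authorized")}
    end
  end

  # Minimal ownership policy, assumed for the example: only the author (or an
  # admin) may delete a post. A real application would centralise this.
  defp authorized?(user, :delete, post) do
    post.user_id == user.id or user.role == :admin
  end
end
```

The important split is in the comments: `on_mount` decides whether the process is created at all, while `handle_event` is reached only by an authenticated user, so its check is about the specific record in the payload, not about identity.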