I use {:phauxth, "~> 1.2"}
authorize.ex
Works great for User, but checking a "belongs_to" controller with a user_id, this does not seem to work out of the box.
in my controller
```elixir
plug :id_check when action in [:show]
# ...
def show(%Plug.Conn{assigns: %{current_user: user}} = conn, %{"id" => id}) do
  angebot = Projects.get_angebot!(id)
  render(conn, "show.html", angebot: angebot)
end
```
kicks me out.
It should check …current_user.id == user_id
Tried a lot but no success… any idea?
Couldn't find info…
Thanks
I used phauxth in a prototype; it does not provide such functionality. What id_check does is only check whether the given id in the path is the same as the current user's.
You need to load the resource before that happens, and usually in a controller that is not what happens, so what you could do is:
- Use phauxth to check if there is authenticated user
- Use some authorization lib to match the fields
I used Bodyguard and it plays really nicely; you just need to load the resource first and get the user, then pass this context to your permit and get a result. You can do really fine-grained authorization using simple pattern matching.
A policy example:

```elixir
defmodule App.AngebotPolicy do
  @behaviour Bodyguard.Policy

  # Allow :show only when the current user's id equals the resource's user_id.
  def authorize(:show, %{id: user_id}, %{user_id: user_id}), do: :ok
  # Deny everything else.
  def authorize(_action, _user, _resource), do: {:error, "Get off my lawn!"}
end

defmodule MyController do
  use AppWeb, :controller  # assumed Phoenix controller boilerplate (render/put_flash/redirect/page_path)
  import AppWeb.Authorize  # assumed: the phauxth-generated authorize.ex that defines user_check/2

  plug :user_check when action in [:index, :show]
  # ....

  def show(%Plug.Conn{assigns: %{current_user: user}} = conn, %{"id" => id}) do
    angebot = Projects.get_angebot!(id)

    with :ok <- Bodyguard.permit(App.AngebotPolicy, :show, user, angebot) do
      render(conn, "show.html", angebot: angebot)
    else
      # do something to alert the user
      {:error, reason} ->
        conn
        |> put_flash(:error, reason)
        |> redirect(to: page_path(conn, :index))
    end
  end
end
```
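As an added example (not code from the thread), the "load the resource first, then check it against the user" step from the replies can live in one plug, so the controller actions only render. It also extends the policy to several actions with a deny-by-default clause; it assumes an App/AppWeb Phoenix app, an App.Projects.get_angebot!/1 context function and an Angebot struct with a user_id field.

```elixir
defmodule App.AngebotPolicy do
  @behaviour Bodyguard.Policy

  # Owner-only actions: the user's id must equal the resource's user_id.
  def authorize(action, %{id: user_id}, %{user_id: user_id})
      when action in [:show, :edit, :update, :delete],
      do: :ok

  # Any signed-in user may list (scoping of the list happens in the context).
  def authorize(:index, %{id: _}, _params), do: :ok

  # Deny by default; a nil current_user never matches the map patterns above.
  def authorize(_action, _user, _params), do: {:error, :unauthorized}
end

defmodule AppWeb.LoadAndAuthorize do
  @moduledoc "Plug: loads the Angebot for the :id param and runs the policy before the action."
  import Plug.Conn
  import Phoenix.Controller, only: [put_flash: 3, redirect: 2, action_name: 1]

  def init(opts), do: opts

  def call(%Plug.Conn{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _opts) do
    angebot = App.Projects.get_angebot!(id)  # assumed context function

    case Bodyguard.permit(App.AngebotPolicy, action_name(conn), user, angebot) do
      :ok ->
        # Hand the already-authorized resource to the action.
        assign(conn, :angebot, angebot)

      {:error, _reason} ->
        conn
        |> put_flash(:error, "You are not authorized to access that resource.")
        |> redirect(to: "/")
        |> halt()
    end
  end
end

defmodule AppWeb.AngebotController do
  use AppWeb, :controller  # assumed Phoenix controller boilerplate

  plug AppWeb.LoadAndAuthorize when action in [:show, :edit, :update, :delete]

  def show(conn, _params) do
    # The plug has already loaded and authorized the resource.
    render(conn, "show.html", angebot: conn.assigns.angebot)
  end
end
```

Because the plug halts on `{:error, _}`, an unauthorized request never reaches the action, and the ownership rule is stated once in the policy instead of in every action.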
Thanks for the support… I will check that… looks good