Phoenix templates sections/areas and Authorization

Hi,

I am building a portal that will use classic Phoenix templates and some sections where connectivity will be done via channels (still not sure… what that will use : LiveView, react, elm??).
Just for the sake of explanation, please see this random example:

Let’s say that we have the top navbar (in the top 2 rows), then we have a sidebar on the left and the central component part as the rest of the page. Let’s assume that this central part will be probably connected via channels. Left and top will be rendered via classic phoenix templates.

Now the question/dilemma.

I need authentication, which will be probably based on Phx.gen.auth, but the critical part is an authorization. I need a minimum of 4 different roles.
For instance, based on a specific role, the left sidebar could be different. Or the central part might be missing an element or two which are part of the central “rendered page”. So part of this central component. Based on the role, the top navbar could be different. And so on. You probably get the picture by now.

The majority of the material on the net shows a classic approach with “admin” and “user” roles, probably plug implementation for authorization then dealing with “who can see what” on the level of routes.ex file.

But how would you approach this in my case, where based on the role, you need to change/modify random component/template.

Next, would it be better to open totally different template files based on roles… or modify somehow one and only template that we would have for instance for this central part… and modify it “in-place” based on the role? What would be a more idiomatic approach?

I would really appreciate some feedback.

Thanks in advance.

Best,
Tomaz

Hey,

I’m currently working on some side project and I’m still figuring out how to approach this.
Afaik It would be smart to approach this from different angles like described here (https://www.leanpanda.com/blog/authentication-and-authorisation-in-phoenix-liveview)

  • authentication (e.g. via phx_gen_auth)
  • authorisation (e.g. via bodyguard or your simple implementation) - definitely combined with plugs, checking if user is allowed to access chosen resource like u mentioned
  • and finally handling auhtorisation responses in views, which I figure is the main question here

For the latter it really depends how your layout is built:

  • i would ask myself how different are the views for roles in your applications - should i prevent loading some parts or whole views/routs
  • it also depends on what you frontend tool will be
    • with some .js library like react you could probably switch whole components depending on the role
    • i guess similar can be done with views and partials (Partial Templates with Phoenix - ElixirCasts)
    • if you would use liveview, you will probably need to properly handle role authorisation in event handlers, but sadly I don’t know too much about liveview and livecomponents and how to handle authorisation in such views

So if anyone has some experience on how to approach this authorisation challenge with template partials, liveview and livecomponents I would greatly appreciate your help.

Cheers,
Borut