Purpose of plug :ensure_user_confirmed in "Security considerations of the LiveView model"?

Hi! I am not sure I understand the concept of “confirming” a user in the example given in “Security considerations of the LiveView model” (Phoenix LiveView v0.15.7):

plug :ensure_user_authenticated
plug :ensure_user_confirmed

Is the step “confirming” a user akin to verifying their identity via email confirmation or phone number? Or does it have more to do with roles, like a user’s permissions to access certain paths?

Thank you!

phx_gen_auth generates some boilerplate around sending confirmation emails to each user and saving the status to your database. I’d imagine many apps would restrict account functionality for unconfirmed users, and for those apps, a plug like :ensure_user_confirmed would check the DB for the user’s confirmation status before allowing them to take a specific action, such as creating a new post or viewing private content.

4 Likes

Yup. In any case, what ensure_user_confirmed does is not quite the point of that section. The point is rather that any user treatment done in your plug must also be done in your LiveView. Of course, if you only have LiveViews, then you only need to do it in the LiveView.

3 Likes
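The two replies above, sketched as an added example that is not part of the original thread or the Phoenix docs: one shared check used both by a plug and by the LiveView's `mount/3`. The module names (`MyApp.Accounts`, `MyAppWeb.UserChecks`, `MyAppWeb.PrivateLive`), the `"user_token"` session key, the `confirmed_at` field and the redirect paths are assumptions modelled on phx_gen_auth defaults, and the two plugs from the question are folded into one here.

```elixir
# Added example; all module names, the session key and the paths are assumed.
defmodule MyAppWeb.UserChecks do
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2]

  alias MyApp.Accounts

  # Single decision function, so the plug and the LiveView cannot drift apart.
  def check(%{"user_token" => token}) when is_binary(token) do
    case Accounts.get_user_by_session_token(token) do
      nil -> {:error, :unauthenticated}
      %{confirmed_at: nil} -> {:error, :unconfirmed}
      user -> {:ok, user}
    end
  end

  def check(_session), do: {:error, :unauthenticated}

  def redirect_path(:unauthenticated), do: "/users/log_in"
  def redirect_path(:unconfirmed), do: "/users/confirm"

  # Plug for regular HTTP requests (the session must already be fetched).
  def ensure_user_confirmed(conn, _opts) do
    case check(get_session(conn)) do
      {:ok, user} -> assign(conn, :current_user, user)
      {:error, reason} -> conn |> redirect(to: redirect_path(reason)) |> halt()
    end
  end
end

defmodule MyAppWeb.PrivateLive do
  use Phoenix.LiveView

  alias MyAppWeb.UserChecks

  # mount/3 also runs on the WebSocket connection, which does not go
  # through the router's plug pipeline, so the same check is repeated here.
  def mount(_params, session, socket) do
    case UserChecks.check(session) do
      {:ok, user} -> {:ok, assign(socket, :current_user, user)}
      {:error, reason} -> {:ok, redirect(socket, to: UserChecks.redirect_path(reason))}
    end
  end

  def render(assigns) do
    ~L"""
    <p>Private content for <%= @current_user.email %></p>
    """
  end
end
```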

Thank you both for clarifying! 🙂

2 Likes