From 0618654ad59d7076ef70813009e4d375275f6113 Mon Sep 17 00:00:00 2001
From: SphericalKat
Date: Sun, 15 Aug 2021 04:46:06 +0530
Subject: [PATCH] feat(pastes): handle edit permissions using plugs
Signed-off-by: SphericalKat
---
 assets/css/app.css | 2 ++
 lib/ketbin_web/controllers/page_controller.ex | 22 +++----------------
 lib/ketbin_web/controllers/user_auth.ex | 20 +++++++++++++----
 lib/ketbin_web/router.ex | 21 ++++++++++++++----
 4 files changed, 38 insertions(+), 27 deletions(-)
diff --git a/assets/css/app.css b/assets/css/app.css
index 3b9d23b..c60edaa 100644
--- a/assets/css/app.css
+++ b/assets/css/app.css
@@ -40,9 +40,11 @@ code {
 .alert-info {
 background-color: #1ed98e;
 color: black;
+ font-weight: bold;
 }
 .alert-danger {
 background-color: #ff9800;
 color: black;
+ font-weight: bold;
 }
\ No newline at end of file
diff --git a/lib/ketbin_web/controllers/page_controller.ex b/lib/ketbin_web/controllers/page_controller.ex
index 8687c39..f5cff4f 100644
--- a/lib/ketbin_web/controllers/page_controller.ex
+++ b/lib/ketbin_web/controllers/page_controller.ex
@@ -12,15 +12,9 @@ defmodule KetbinWeb.PageController do
 render(conn, "index.html", changeset: changeset)
 end
- def show(conn, %{"id" => id}) do
+ def show(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
 paste = Pastes.get_paste!(id) # fetch paste from db
- # pull off current user if exists
- current_user = conn.assigns.current_user
-
- # show edit if current user matches creator of paste
- show_edit = current_user && current_user.id || false
-
 if paste.is_url do # paste is a url, redirect
 redirect(conn, external: paste.content)
 else # regular paste, show content
@@ -28,15 +22,8 @@ defmodule KetbinWeb.PageController do
 end
 end
- def showlink(conn, %{"id" => id}) do
+ def showlink(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
 paste = Pastes.get_paste!(id)
-
- # pull off current user if exists
- current_user = conn.assigns.current_user
-
- # show edit if current user matches creator of paste
- show_edit = current_user && current_user.id || false
-
 render(conn, "show.html", paste: paste, show_edit: show_edit)
 end
@@ -45,7 +32,7 @@ defmodule KetbinWeb.PageController do
 text(conn, paste.content)
 end
- def create(conn, %{"paste" => paste_params}) do
+ def create(%{assigns: %{current_user: current_user}} = conn, %{"paste" => paste_params}) do
 # generate phonetic key
 id = Utils.generate_key()
@@ -54,9 +41,6 @@ defmodule KetbinWeb.PageController do
 Map.get(paste_params, "content")
 |> Utils.is_url?()
- # pull off current user if exists
- current_user = conn.assigns.current_user
-
 # put id and is_url values into changeset
 paste_params = Map.put(paste_params, "id", id)
diff --git a/lib/ketbin_web/controllers/user_auth.ex b/lib/ketbin_web/controllers/user_auth.ex
index c29acc3..7df5987 100644
--- a/lib/ketbin_web/controllers/user_auth.ex
+++ b/lib/ketbin_web/controllers/user_auth.ex
@@ -1,9 +1,9 @@ defmodule KetbinWeb.UserAuth do
- require Logger
 import Plug.Conn
 import Phoenix.Controller
 alias Ketbin.Accounts
+ alias Ketbin.Pastes
 alias KetbinWeb.Router.Helpers, as: Routes
 # Make the remember me cookie valid for 60 days.
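Review bot: `show/2` still calls `Pastes.get_paste!(id)` even though the `owns_paste` plug that now supplies `show_edit` (user_auth.ex hunk) has already loaded the same row for this request, so every `/:id` request queries the paste twice; `showlink/2` in the next hunk has the same duplication. Having the plug also `assign(conn, :paste, paste)` and matching `%{assigns: %{paste: paste, show_edit: show_edit}} = conn` here would remove the second query. The new function head also makes the action depend on the `:owns_paste` router pipeline — a route dispatched to it without that pipeline fails with a `FunctionClauseError` rather than rendering — which is worth stating in a comment such as `# show_edit is assigned by UserAuth.owns_paste/2 via the :owns_paste pipeline`. The body of `show/2` (its `else` branch) continues past this hunk.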
@@ -95,9 +95,21 @@ defmodule KetbinWeb.UserAuth do
 assign(conn, :current_user, user)
 end
- def owns_paste(%{assigns: %{current_user: user}} = conn, _params) do
- Logger.info("USER: #{inspect(user)}")
- conn
+ def owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
+ paste = Pastes.get_paste!(id)
+ assign(conn, :show_edit, (user && user.id == paste.belongs_to) || false)
+ end
+
+ def ensure_owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
+ paste = Pastes.get_paste!(id)
+ allow_edit = (user && user.id == paste.belongs_to) || false
+ unless allow_edit do
+ conn
+ |> put_flash(:error, "You don't own this paste!")
+ |> redirect(to: Routes.page_path(conn, :show, id))
+ else
+ conn
+ end
 end
 defp ensure_user_token(conn) do
diff --git a/lib/ketbin_web/router.ex b/lib/ketbin_web/router.ex
index e583d16..16300a7 100644
--- a/lib/ketbin_web/router.ex
+++ b/lib/ketbin_web/router.ex
@@ -17,14 +17,27 @@ defmodule KetbinWeb.Router do
 end
 scope "/", KetbinWeb do
- pipe_through [:browser, :owns_paste]
+ pipe_through :browser
 get "/", PageController, :index
- get "/:id", PageController, :show
 get "/:id/raw", PageController, :raw
- get "/v/:id", PageController, :showlink
- get "/edit/:id", PageController, :edit
+ post "/", PageController, :create
+ end
+
+ # scope to check if user is owner of paste
+ scope "/", KetbinWeb do
+ pipe_through [:browser, :owns_paste]
+
+ get "/:id", PageController, :show
+ get "/v/:id", PageController, :showlink
+ end
+
+ # scope to ensure user is owner of paste
+ scope "/", KetbinWeb do
+ pipe_through [:browser, :ensure_owns_paste]
+
+ get "/edit/:id", PageController, :edit
 patch "/:id", PageController, :update
 put "/:id", PageController, :update
 end
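Review bot: The refusal branch of `ensure_owns_paste/2` redirects but never halts the connection, so after the redirect has been sent the pipeline still dispatches to the `edit`/`update` actions the router places behind it (`/edit/:id`, `patch`/`put "/:id"` in the router.ex hunk); whatever those actions do — they are outside this diff — still executes, and their own render or redirect then raises `Plug.Conn.AlreadySentError` instead of the request being stopped. Add `|> halt()` after `|> redirect(to: Routes.page_path(conn, :show, id))` so the plug actually ends the request on refusal. `unless … else` is soft-deprecated; `if allow_edit, do: conn, else: …` reads better with the deny path as the exception. The ownership test is also written twice, here and in `owns_paste/2`; a private `owner?(user, paste)` helper would keep the two checks identical.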
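Review bot: The three `scope "/", KetbinWeb` blocks each restate the `:browser` base pipeline, so a later change to the base has to be repeated in three places; nesting the two ownership scopes inside the first with `pipe_through :owns_paste` and `pipe_through :ensure_owns_paste` respectively keeps the layering in one place, since a nested scope inherits its parent's `pipe_through`. The two scope comments would also be clearer if they said what each plug does rather than restating its name, e.g. `# :owns_paste only assigns :show_edit; it never rejects the request` and `# :ensure_owns_paste redirects non-owners away from edit/update`, because as written both read as if they enforce ownership. Whether `:owns_paste` and `:ensure_owns_paste` are pipelines or imported function plugs is decided above line 17, outside this hunk.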