feat(pastes): handle edit permissions using plugs

Signed-off-by: SphericalKat <amolele@gmail.com>
Amogh Lele 2021-08-15 04:46:06 +05:30
parent 58498d47d4
commit 0618654ad5
GPG Key ID: ED5C54FBBB920E51
4 changed files with 38 additions and 27 deletions


@ -40,9 +40,11 @@ code {
.alert-info { .alert-info {
background-color: #1ed98e; background-color: #1ed98e;
color: black; color: black;
font-weight: bold;
} }
.alert-danger { .alert-danger {
background-color: #ff9800; background-color: #ff9800;
color: black; color: black;
font-weight: bold;
} }


@ -12,15 +12,9 @@ defmodule KetbinWeb.PageController do
render(conn, "index.html", changeset: changeset) render(conn, "index.html", changeset: changeset)
end end
def show(conn, %{"id" => id}) do def show(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
paste = Pastes.get_paste!(id) # fetch paste from db paste = Pastes.get_paste!(id) # fetch paste from db
# pull off current user if exists
current_user = conn.assigns.current_user
# show edit if current user matches creator of paste
show_edit = current_user && current_user.id || false
if paste.is_url do # paste is a url, redirect if paste.is_url do # paste is a url, redirect
redirect(conn, external: paste.content) redirect(conn, external: paste.content)
else # regular paste, show content else # regular paste, show content
@ -28,15 +22,8 @@ defmodule KetbinWeb.PageController do
end end
end end
def showlink(conn, %{"id" => id}) do def showlink(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
paste = Pastes.get_paste!(id) paste = Pastes.get_paste!(id)
# pull off current user if exists
current_user = conn.assigns.current_user
# show edit if current user matches creator of paste
show_edit = current_user && current_user.id || false
render(conn, "show.html", paste: paste, show_edit: show_edit) render(conn, "show.html", paste: paste, show_edit: show_edit)
end end
@ -45,7 +32,7 @@ defmodule KetbinWeb.PageController do
text(conn, paste.content) text(conn, paste.content)
end end
def create(conn, %{"paste" => paste_params}) do def create(%{assigns: %{current_user: current_user}} = conn, %{"paste" => paste_params}) do
# generate phonetic key # generate phonetic key
id = Utils.generate_key() id = Utils.generate_key()
@ -54,9 +41,6 @@ defmodule KetbinWeb.PageController do
Map.get(paste_params, "content") Map.get(paste_params, "content")
|> Utils.is_url?() |> Utils.is_url?()
# pull off current user if exists
current_user = conn.assigns.current_user
# put id and is_url values into changeset # put id and is_url values into changeset
paste_params = paste_params =
Map.put(paste_params, "id", id) Map.put(paste_params, "id", id)
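Review bot: `show/2` and `showlink/2` (L31–L32 and L43–L44) still call `Pastes.get_paste!(id)` even though the `:owns_paste` plug that now supplies `show_edit` has already loaded the same row, so every view performs the lookup twice. The plug could `assign(conn, :paste, paste)` alongside `:show_edit`, and the actions could match `%{assigns: %{paste: paste, show_edit: show_edit}}` and drop the second fetch. Matching `show_edit` in the function head is a useful fail-safe — a route that forgets the pipeline raises `FunctionClauseError` instead of silently hiding the edit control — and deserves a why-comment such as `# show_edit is assigned by KetbinWeb.UserAuth.owns_paste/2 via the :owns_paste pipeline`. Both actions continue outside the hunk.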


@ -1,9 +1,9 @@
defmodule KetbinWeb.UserAuth do defmodule KetbinWeb.UserAuth do
require Logger
import Plug.Conn import Plug.Conn
import Phoenix.Controller import Phoenix.Controller
alias Ketbin.Accounts alias Ketbin.Accounts
alias Ketbin.Pastes
alias KetbinWeb.Router.Helpers, as: Routes alias KetbinWeb.Router.Helpers, as: Routes
# Make the remember me cookie valid for 60 days. # Make the remember me cookie valid for 60 days.
@ -95,9 +95,21 @@ defmodule KetbinWeb.UserAuth do
assign(conn, :current_user, user) assign(conn, :current_user, user)
end end
def owns_paste(%{assigns: %{current_user: user}} = conn, _params) do def owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
Logger.info("USER: #{inspect(user)}") paste = Pastes.get_paste!(id)
conn assign(conn, :show_edit, (user && user.id == paste.belongs_to) || false)
end
def ensure_owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
paste = Pastes.get_paste!(id)
allow_edit = (user && user.id == paste.belongs_to) || false
unless allow_edit do
conn
|> put_flash(:error, "You don't own this paste!")
|> redirect(to: Routes.page_path(conn, :show, id))
else
conn
end
end end
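Review bot: `ensure_owns_paste/2` (L84–L93) sends the redirect for a non-owner but never calls `halt/1`, so the Plug pipeline keeps going into the `edit`/`update` actions that router.ex places behind it; whatever the action does before responding (presumably the update itself) still executes for the non-owner, and its own render/redirect then fails with `Plug.Conn.AlreadySentError`. Add `|> halt()` after `|> redirect(to: Routes.page_path(conn, :show, id))` so the denial actually stops the request. `unless allow_edit do … else … end` also reads backwards; `if allow_edit, do: conn, else: …` is the idiomatic shape. The ownership test `(user && user.id == paste.belongs_to) || false` is duplicated between `owns_paste/2` and this plug and could move into a private `owner?(user, paste)` helper. `ensure_user_token/1` continues past the hunk.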
defp ensure_user_token(conn) do defp ensure_user_token(conn) do


@ -17,14 +17,27 @@ defmodule KetbinWeb.Router do
end end
scope "/", KetbinWeb do scope "/", KetbinWeb do
pipe_through [:browser, :owns_paste] pipe_through :browser
get "/", PageController, :index get "/", PageController, :index
get "/:id", PageController, :show
get "/:id/raw", PageController, :raw get "/:id/raw", PageController, :raw
get "/v/:id", PageController, :showlink
get "/edit/:id", PageController, :edit
post "/", PageController, :create post "/", PageController, :create
end
# scope to check if user is owner of paste
scope "/", KetbinWeb do
pipe_through [:browser, :owns_paste]
get "/:id", PageController, :show
get "/v/:id", PageController, :showlink
end
# scope to ensure user is owner of paste
scope "/", KetbinWeb do
pipe_through [:browser, :ensure_owns_paste]
get "/edit/:id", PageController, :edit
patch "/:id", PageController, :update patch "/:id", PageController, :update
put "/:id", PageController, :update put "/:id", PageController, :update
end end
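Review bot: The comments at L110 and L116 read almost identically, yet the two pipelines behave very differently: `:owns_paste` only assigns `:show_edit` for rendering and never rejects a request, while `:ensure_owns_paste` is meant to stop non-owners. Suggest `# read-only paste views: :owns_paste only assigns :show_edit, never rejects` and `# paste mutation: :ensure_owns_paste must halt non-owners before the action runs`. The pipeline definitions referenced here sit above the hunk, so this note assumes they wrap the plugs of the same names in `KetbinWeb.UserAuth`. Anonymous visitors to `/edit/:id` will receive an ownership flash rather than a login prompt; if this router still has phx.gen.auth's `require_authenticated_user`, placing it ahead of `:ensure_owns_paste` in that pipeline yields the expected login redirect.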