feat(pastes): handle edit permissions using plugs
Signed-off-by: SphericalKat <amolele@gmail.com>
parent
58498d47d4
commit
0618654ad5
@ -40,9 +40,11 @@ code {
|
||||
.alert-info {
|
||||
background-color: #1ed98e;
|
||||
color: black;
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
.alert-danger {
|
||||
background-color: #ff9800;
|
||||
color: black;
|
||||
font-weight: bold;
|
||||
}
|
@ -12,15 +12,9 @@ defmodule KetbinWeb.PageController do
|
||||
render(conn, "index.html", changeset: changeset)
|
||||
end
|
||||
|
||||
def show(conn, %{"id" => id}) do
|
||||
def show(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
|
||||
paste = Pastes.get_paste!(id) # fetch paste from db
|
||||
|
||||
# pull off current user if exists
|
||||
current_user = conn.assigns.current_user
|
||||
|
||||
# show edit if current user matches creator of paste
|
||||
show_edit = current_user && current_user.id || false
|
||||
|
||||
if paste.is_url do # paste is a url, redirect
|
||||
redirect(conn, external: paste.content)
|
||||
else # regular paste, show content
|
||||
@ -28,15 +22,8 @@ defmodule KetbinWeb.PageController do
|
||||
end
|
||||
end
|
||||
|
||||
def showlink(conn, %{"id" => id}) do
|
||||
def showlink(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
|
||||
paste = Pastes.get_paste!(id)
|
||||
|
||||
# pull off current user if exists
|
||||
current_user = conn.assigns.current_user
|
||||
|
||||
# show edit if current user matches creator of paste
|
||||
show_edit = current_user && current_user.id || false
|
||||
|
||||
render(conn, "show.html", paste: paste, show_edit: show_edit)
|
||||
end
|
||||
|
||||
@ -45,7 +32,7 @@ defmodule KetbinWeb.PageController do
|
||||
text(conn, paste.content)
|
||||
end
|
||||
|
||||
def create(conn, %{"paste" => paste_params}) do
|
||||
def create(%{assigns: %{current_user: current_user}} = conn, %{"paste" => paste_params}) do
|
||||
# generate phonetic key
|
||||
id = Utils.generate_key()
|
||||
|
||||
@ -54,9 +41,6 @@ defmodule KetbinWeb.PageController do
|
||||
Map.get(paste_params, "content")
|
||||
|> Utils.is_url?()
|
||||
|
||||
# pull off current user if exists
|
||||
current_user = conn.assigns.current_user
|
||||
|
||||
# put id and is_url values into changeset
|
||||
paste_params =
|
||||
Map.put(paste_params, "id", id)
|
||||
|
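Review bot: `show/2` and `showlink/2` now pattern-match `%{assigns: %{show_edit: show_edit}}` in the function head, so a request that reaches either action without having passed through the `:owns_paste` pipeline fails with a FunctionClauseError (a 500) instead of a clear message, and `create/2` has the same dependency on the `:current_user` assign. A one-line `@doc` per action naming the required assign and its provider would make the contract visible, e.g. `# requires conn.assigns.show_edit, set by KetbinWeb.UserAuth.owns_paste/2 via the :owns_paste pipeline`. The plug already loads the record with `Pastes.get_paste!(id)` and the actions load it again, so every request reads the same paste twice; having the plug `assign(conn, :paste, paste)` and the actions read `conn.assigns.paste` would remove the duplicate query and keep the authorization decision and the rendered record on the same row. `show/2`, `showlink/2` and `create/2` all continue past their hunks.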
@ -1,9 +1,9 @@
|
||||
defmodule KetbinWeb.UserAuth do
|
||||
require Logger
|
||||
import Plug.Conn
|
||||
import Phoenix.Controller
|
||||
|
||||
alias Ketbin.Accounts
|
||||
alias Ketbin.Pastes
|
||||
alias KetbinWeb.Router.Helpers, as: Routes
|
||||
|
||||
# Make the remember me cookie valid for 60 days.
|
||||
@ -95,9 +95,21 @@ defmodule KetbinWeb.UserAuth do
|
||||
assign(conn, :current_user, user)
|
||||
end
|
||||
|
||||
def owns_paste(%{assigns: %{current_user: user}} = conn, _params) do
|
||||
Logger.info("USER: #{inspect(user)}")
|
||||
conn
|
||||
def owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
|
||||
paste = Pastes.get_paste!(id)
|
||||
assign(conn, :show_edit, (user && user.id == paste.belongs_to) || false)
|
||||
end
|
||||
|
||||
def ensure_owns_paste(%{params: %{"id" => id}, assigns: %{current_user: user}} = conn, _params) do
|
||||
paste = Pastes.get_paste!(id)
|
||||
allow_edit = (user && user.id == paste.belongs_to) || false
|
||||
unless allow_edit do
|
||||
conn
|
||||
|> put_flash(:error, "You don't own this paste!")
|
||||
|> redirect(to: Routes.page_path(conn, :show, id))
|
||||
else
|
||||
conn
|
||||
end
|
||||
end
|
||||
|
||||
defp ensure_user_token(conn) do
|
||||
|
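Review bot: `ensure_owns_paste/2` redirects a non-owner but never calls `halt/1`, so after the redirect response is sent the remaining plugs and the controller action (`edit`, `update`) still run; if `update` writes the paste before it renders, a non-owner's change is still applied and the request only fails afterwards on the second send. The redirect branch should end with `|> halt()`. `unless … else` is also soft-deprecated; `if allow_edit, do: conn, else: …` with the flash/redirect/halt chain in the else branch reads more directly. Dropping the `Logger.info("USER: …")` line from `owns_paste/2` is a good change, and a short `@doc` on each plug stating that `owns_paste/2` only sets `:show_edit` while `ensure_owns_paste/2` must stop the request would make the two roles explicit.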
@ -17,14 +17,27 @@ defmodule KetbinWeb.Router do
|
||||
end
|
||||
|
||||
scope "/", KetbinWeb do
|
||||
pipe_through [:browser, :owns_paste]
|
||||
pipe_through :browser
|
||||
|
||||
get "/", PageController, :index
|
||||
get "/:id", PageController, :show
|
||||
get "/:id/raw", PageController, :raw
|
||||
get "/v/:id", PageController, :showlink
|
||||
get "/edit/:id", PageController, :edit
|
||||
|
||||
post "/", PageController, :create
|
||||
end
|
||||
|
||||
# scope to check if user is owner of paste
|
||||
scope "/", KetbinWeb do
|
||||
pipe_through [:browser, :owns_paste]
|
||||
|
||||
get "/:id", PageController, :show
|
||||
get "/v/:id", PageController, :showlink
|
||||
end
|
||||
|
||||
# scope to ensure user is owner of paste
|
||||
scope "/", KetbinWeb do
|
||||
pipe_through [:browser, :ensure_owns_paste]
|
||||
|
||||
get "/edit/:id", PageController, :edit
|
||||
patch "/:id", PageController, :update
|
||||
put "/:id", PageController, :update
|
||||
end
|
||||
|
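Review bot: both `:owns_paste` and `:ensure_owns_paste` depend on `conn.assigns.current_user` already being set, because the underlying plugs pattern-match `assigns: %{current_user: user}` in their heads, so the order in `pipe_through [:browser, :ensure_owns_paste]` is load-bearing (presumably `:browser` runs a fetch-current-user plug outside this hunk). A comment on each of the two new scopes would keep a future reorder from turning into a FunctionClauseError, e.g. `# :browser must run first: the owner plugs read conn.assigns.current_user`, and `# actions here assume :ensure_owns_paste has halted non-owners` on the edit/update scope. The `pipeline :owns_paste` and `pipeline :ensure_owns_paste` definitions are outside this hunk, so whether they call `KetbinWeb.UserAuth` directly cannot be confirmed from here.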