Merge pull request #68 from datasektionen/fix-auth-bugs

fixed auth bugs
datasektionen · Jul 11, 2023 · dcfa039 · dcfa039
2 parents 964511e + 45b6101
commit dcfa039
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/lib/haj_web/controllers/user_auth.ex b/lib/haj_web/controllers/user_auth.ex
@@ -23,7 +23,14 @@ defmodule HajWeb.UserAuth do
          :ok <- Policy.authorize(action, user) do
       {:cont, socket}
     else
-      _ -> {:halt, redirect_require_admin(socket)}
+      _ ->
+        case action do
+          :haj_access ->
+            {:halt, redirect_require_access(socket)}
+
+          _ ->
+            {:halt, redirect_require_admin(socket)}
+        end
     end
   end
 
@@ -69,13 +76,13 @@ defmodule HajWeb.UserAuth do
   defp redirect_require_admin(socket) do
     socket
     |> LiveView.put_flash(:error, "Du har inte access")
-    |> LiveView.redirect(to: Routes.dashboard_unauthorized_path(socket, :index))
+    |> LiveView.redirect(to: ~p"/unauthorized")
   end
 
   defp redirect_require_access(socket) do
     socket
     |> LiveView.put_flash(:error, "Du har inte access")
-    |> LiveView.redirect(to: Routes.login_path(socket, :unauthorized))
+    |> LiveView.redirect(to: ~p"/login/unauthorized")
   end
 
   @doc """
@@ -209,23 +216,23 @@ defmodule HajWeb.UserAuth do
   end
 
   def require_spex_access(conn, _opts) do
-    if Policy.authorize(:haj_access, conn.assigns.current_user) do
+    if Policy.authorize?(:haj_access, conn.assigns.current_user) do
       conn
     else
       conn
       |> put_flash(:error, "Du har inte access här.")
-      |> redirect(to: Routes.login_path(conn, :unauthorized))
+      |> redirect(to: ~p"/login/unauthorized")
       |> halt()
     end
   end
 
   def require_admin_access(conn, _opts) do
-    if Policy.authorize(:haj_admin, conn.assigns.current_user) do
+    if Policy.authorize?(:haj_admin, conn.assigns.current_user) do
       conn
     else
       conn
       |> put_flash(:error, "Du har inte access här.")
-      |> redirect(to: Routes.login_path(conn, :unauthorized))
+      |> redirect(to: ~p"/unauthorized")
       |> halt()
     end
   end
@@ -236,5 +243,5 @@ defmodule HajWeb.UserAuth do
 
   defp maybe_store_return_to(conn), do: conn
 
-  defp signed_in_path(conn), do: ~p"/dashboard"
+  defp signed_in_path(_conn), do: ~p"/dashboard"
 end
diff --git a/lib/haj_web/live/dashboard_live/index.html.heex b/lib/haj_web/live/dashboard_live/index.html.heex
@@ -53,7 +53,7 @@
     </div>
   </div>
 
-  <div class="flex flex-col gap-4 pt-2">
+  <div :if={Policy.authorize?(:merch_buy, @current_user)} class="flex flex-col gap-4 pt-2">
     <.link navigate={~p"/merch"} class="group mr-auto inline-flex items-center gap-1">
       <h3 class="text-xl font-bold group-hover:text-burgandy-600">Merchbeställningar</h3>
       <.icon name={:arrow_right} mini class="inline-block h-5 group-hover:fill-burgandy-600" />

diff --git a/lib/haj_web/router.ex b/lib/haj_web/router.ex
@@ -34,7 +34,7 @@ defmodule HajWeb.Router do
     end
 
     get "/", LoginController, :login
-    get "/unauthorized", LoginController, :unauthorized
+    get "/login/unauthorized", LoginController, :unauthorized
   end
 
   scope "/", HajWeb do
@@ -168,8 +168,12 @@ defmodule HajWeb.Router do
 
     post "/merch-admin/:show_id/csv", MerchAdminController, :csv
 
-    get "/applications", ApplicationController, :index
-    get "/applications/export", ApplicationController, :export
+    scope "/" do
+      pipe_through [:require_admin_access]
+
+      get "/applications", ApplicationController, :index
+      get "/applications/export", ApplicationController, :export
+    end
   end
 
   scope "/sok", HajWeb do