schrockwell / bodyguard

Simple authorization conventions for Phoenix apps

Home Page: https://hexdocs.pm/bodyguard/

permit! not raising a Bodyguard.NotAuthorizedError

abitdodgy opened this issue

I'm getting a different error than what I expect when I use permit!:

defmodule MyAppWeb.Admin.LinkController do
  use MyAppWeb, :controller

  action_fallback MyAppWeb.FallbackController
  plug :set_and_authorize_post when not action in [:scrape]

  def set_and_authorize_post(%{params: %{"post_id" => post_id}} = conn, _) do
    post = Media.get_post!(post_id)
    Bodyguard.permit!(MyApp.Media, :manage_links, conn.assigns.current_user, post)
    assign(conn, :post, post)
  end
end

The error is:

protocol Enumerable not implemented for %MyApp.Media.Post{__meta__: #Ecto.Schema.Metadata<:loaded, "posts">, ...

To get around this issue, I'm doing this:

  def set_and_authorize_post(%{params: %{"post_id" => post_id}} = conn, _) do
    post = Media.get_post!(post_id)
    case Bodyguard.permit?(MyApp.Media, :manage_links, conn.assigns.current_user, post) do
      true ->
        assign(conn, :post, post)
      false ->
        conn
        |> put_status(403)
        |> render(MyAppWeb.ErrorView, "403.html")
        |> halt()
    end
  end

Good catch. The problem was that permit! was expecting that post argument to be an options keyword list (something like [post: post]), which is an old library requirement that I must have not removed from that function.

Anyway, I've published a fix. Please update your Bodyguard dependency to v2.2 using mix deps.update bodyguard.

That update solved it. Thanks.
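
A regression test for the behaviour discussed in this thread, as an added example that is not part of the original issue or of Bodyguard's own test suite: it pins the error type so that a denied check surfaces as Bodyguard.NotAuthorizedError rather than an unrelated protocol error. The Post, User and Policy modules are constructed stand-ins, and the test assumes Bodyguard v2.2 or later is a dependency of the project.

```elixir
# Added example (not from the thread). Assumes {:bodyguard, "~> 2.2"} in mix.exs;
# place the file under test/ and run it with `mix test`.
defmodule MyApp.PermitRegressionTest do
  use ExUnit.Case, async: true

  # Constructed stand-ins for the thread's MyApp.Media.Post and current_user.
  defmodule Post do
    defstruct [:id, :owner_id]
  end

  defmodule User do
    defstruct [:id]
  end

  # Constructed policy: only the post's owner may manage its links.
  defmodule Policy do
    @behaviour Bodyguard.Policy

    @impl true
    def authorize(:manage_links, %User{id: id}, %Post{owner_id: id}), do: :ok
    def authorize(_action, _user, _params), do: {:error, :unauthorized}
  end

  setup do
    %{owner: %User{id: 1}, other: %User{id: 2}, post: %Post{id: 10, owner_id: 1}}
  end

  test "permit!/4 accepts a struct as params and returns :ok when allowed", ctx do
    assert :ok = Bodyguard.permit!(Policy, :manage_links, ctx.owner, ctx.post)
  end

  test "a denied check raises NotAuthorizedError, not a protocol error", ctx do
    # assert_raise fails if any other exception type is raised, including
    # the Protocol.UndefinedError reported in this issue.
    assert_raise Bodyguard.NotAuthorizedError, fn ->
      Bodyguard.permit!(Policy, :manage_links, ctx.other, ctx.post)
    end
  end

  test "permit?/4 and permit/4 agree with permit!/4 on the same inputs", ctx do
    assert Bodyguard.permit?(Policy, :manage_links, ctx.owner, ctx.post)
    refute Bodyguard.permit?(Policy, :manage_links, ctx.other, ctx.post)
    assert {:error, :unauthorized} =
             Bodyguard.permit(Policy, :manage_links, ctx.other, ctx.post)
  end
end
```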