Authorized Update and delete

1eb6cb68 · Muhammad Rafif Elfazri · a45d1e1f · 1eb6cb68 · 1eb6cb68 · 1eb6cb68
Commit 1eb6cb68 authored Jan 12, 2021 by Muhammad Rafif Elfazri
--- a/diskuy_back/lib/diskuy_web/auth/guardian.ex
+++ b/diskuy_back/lib/diskuy_web/auth/guardian.ex
@@ -35,4 +35,13 @@ defmodule DiskuyWeb.Auth.Guardian do
    {:ok, user, token}
  end

+  def check_authorized(user, id_entity) do
+    case user.id == id_entity do
+      true ->
+        {:ok, :authorized}
+      false ->
+        {:error, :unauthorized}
+    end
+  end
+
 end
--- a/diskuy_back/lib/diskuy_web/controllers/post_controller.ex
+++ b/diskuy_back/lib/diskuy_web/controllers/post_controller.ex
@@ -5,6 +5,7 @@ defmodule DiskuyWeb.PostController do
  alias Diskuy.Forum.Post
  alias Diskuy.Likes
  alias Diskuy.Likes.PostLike
+  alias DiskuyWeb.Auth.Guardian

  action_fallback DiskuyWeb.FallbackController

@@ -29,17 +30,20 @@ defmodule DiskuyWeb.PostController do
  end

  def update(conn, %{"id" => id, "post" => post_params}) do
+    current_user = Guardian.Plug.current_resource(conn)
    post = Forum.get_post!(id)
-
-    with {:ok, %Post{} = post} <- Forum.update_post(post, post_params) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, post.user_id),
+         {:ok, %Post{} = post} <- Forum.update_post(post, post_params) do
      render(conn, "show.json", post: post)
    end
  end

  def delete(conn, %{"id" => id}) do
+    current_user = Guardian.Plug.current_resource(conn)
    post = Forum.get_post!(id)

-    with {:ok, %Post{}} <- Forum.delete_post(post) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, post.user_id),
+         {:ok, %Post{}} <- Forum.delete_post(post) do
      send_resp(conn, :no_content, "")
    end
  end

--- a/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex
+++ b/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex
@@ -30,15 +30,19 @@ defmodule DiskuyWeb.ThreadController do
  end

  def update(conn, %{"id" => id, "thread" => thread_params}) do
+    current_user = Guardian.Plug.current_resource(conn)
    thread = Forum.get_thread!(id)
-    with {:ok, %Thread{} = thread} <- Forum.update_thread(thread, thread_params) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, thread.user_id),
+         {:ok, %Thread{} = thread} <- Forum.update_thread(thread, thread_params) do
      render(conn, "show.json", thread: thread)
    end
  end

  def delete(conn, %{"id" => id}) do
+    current_user = Guardian.Plug.current_resource(conn)
    thread = Forum.get_thread!(id)
-    with {:ok, %Thread{}} <- Forum.delete_thread(thread) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, thread.user_id),
+         {:ok, %Thread{}} <- Forum.delete_thread(thread) do
      send_resp(conn, :no_content, "")
    end
  end