From 1eb6cb6882d906f1e644d0c81d816c9b793a53ba Mon Sep 17 00:00:00 2001
From: Muhammad Rafif Elfazri <rafif.elfazri@gmail.com>
Date: Tue, 12 Jan 2021 20:27:35 +0700
Subject: [PATCH] Authorized Update and delete

---
 diskuy_back/lib/diskuy_web/auth/guardian.ex            |  9 +++++++++
 .../lib/diskuy_web/controllers/post_controller.ex      | 10 +++++++---
 .../lib/diskuy_web/controllers/thread_controller.ex    |  8 ++++++--
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/diskuy_back/lib/diskuy_web/auth/guardian.ex b/diskuy_back/lib/diskuy_web/auth/guardian.ex
index ebfed8b..ee48888 100644
--- a/diskuy_back/lib/diskuy_web/auth/guardian.ex
+++ b/diskuy_back/lib/diskuy_web/auth/guardian.ex
@@ -35,4 +35,13 @@ defmodule DiskuyWeb.Auth.Guardian do
     {:ok, user, token}
   end
 
+  def check_authorized(user, id_entity) do
+    case user.id == id_entity do
+      true ->
+        {:ok, :authorized}
+      false ->
+        {:error, :unauthorized}
+    end
+  end
+
 end
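Review bot: `check_authorized/2` crashes with an UndefinedFunctionError instead of returning `{:error, :unauthorized}` when `user` is `nil`, which is what `Guardian.Plug.current_resource/1` hands the callers when no token was loaded, so an unauthenticated request to these actions would surface as a 500 rather than a 401/403 unless every route is guaranteed to sit behind an ensure-authenticated plug (not visible here). The `case` on a boolean is also a pattern-matching opportunity: `def check_authorized(%{id: id}, id) when not is_nil(id), do: {:ok, :authorized}` followed by `def check_authorized(_user, _id_entity), do: {:error, :unauthorized}` covers the nil-user case, keeps the same return contract, and the guard rejects the degenerate nil-equals-nil match. A one-line `@doc` stating that the function only checks ownership (no admin/moderator override) would make the intended policy explicit for future callers.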
diff --git a/diskuy_back/lib/diskuy_web/controllers/post_controller.ex b/diskuy_back/lib/diskuy_web/controllers/post_controller.ex
index 7de76bd..c41f03b 100644
--- a/diskuy_back/lib/diskuy_web/controllers/post_controller.ex
+++ b/diskuy_back/lib/diskuy_web/controllers/post_controller.ex
@@ -5,6 +5,7 @@ defmodule DiskuyWeb.PostController do
   alias Diskuy.Forum.Post
   alias Diskuy.Likes
   alias Diskuy.Likes.PostLike
+  alias DiskuyWeb.Auth.Guardian
 
   action_fallback DiskuyWeb.FallbackController
 
@@ -29,17 +30,20 @@ defmodule DiskuyWeb.PostController do
   end
 
   def update(conn, %{"id" => id, "post" => post_params}) do
+    current_user = Guardian.Plug.current_resource(conn)
     post = Forum.get_post!(id)
-
-    with {:ok, %Post{} = post} <- Forum.update_post(post, post_params) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, post.user_id),
+         {:ok, %Post{} = post} <- Forum.update_post(post, post_params) do
       render(conn, "show.json", post: post)
     end
   end
 
   def delete(conn, %{"id" => id}) do
+    current_user = Guardian.Plug.current_resource(conn)
     post = Forum.get_post!(id)
 
-    with {:ok, %Post{}} <- Forum.delete_post(post) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, post.user_id),
+         {:ok, %Post{}} <- Forum.delete_post(post) do
       send_resp(conn, :no_content, "")
     end
   end
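Review bot: The ownership check in `update/2` is only meaningful if `Forum.update_post/2` does not also cast `user_id` from `post_params`; if the changeset casts it, an owner can reassign the post to another account and lose (or grant) control, so either confirm the changeset omits `user_id` or strip it here with `post = Forum.get_post!(id)` followed by `Forum.update_post(post, Map.delete(post_params, "user_id"))`. The `{:error, :unauthorized}` value introduced in both `with` chains is handed to `DiskuyWeb.FallbackController`, which is outside this diff; it must have a matching `call/2` clause or the rejection becomes a FunctionClauseError and a 500. The `alias DiskuyWeb.Auth.Guardian` added above means `Guardian.Plug.current_resource/1` now resolves through the project module's `use Guardian`, which is presumably intended but worth a quick check that the delegate exists.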
diff --git a/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex b/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex
index cda5d5d..ea0bbb2 100644
--- a/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex
+++ b/diskuy_back/lib/diskuy_web/controllers/thread_controller.ex
@@ -30,15 +30,19 @@ defmodule DiskuyWeb.ThreadController do
   end
 
   def update(conn, %{"id" => id, "thread" => thread_params}) do
+    current_user = Guardian.Plug.current_resource(conn)
     thread = Forum.get_thread!(id)
-    with {:ok, %Thread{} = thread} <- Forum.update_thread(thread, thread_params) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, thread.user_id),
+         {:ok, %Thread{} = thread} <- Forum.update_thread(thread, thread_params) do
       render(conn, "show.json", thread: thread)
     end
   end
 
   def delete(conn, %{"id" => id}) do
+    current_user = Guardian.Plug.current_resource(conn)
     thread = Forum.get_thread!(id)
-    with {:ok, %Thread{}} <- Forum.delete_thread(thread) do
+    with {:ok, :authorized} <- Guardian.check_authorized(current_user, thread.user_id),
+         {:ok, %Thread{}} <- Forum.delete_thread(thread) do
       send_resp(conn, :no_content, "")
     end
   end
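Review bot: Unlike the post controller, this hunk does not add `alias DiskuyWeb.Auth.Guardian`, so unless the file already aliases it above this hunk, `Guardian.check_authorized/2` resolves to the third-party `Guardian` module, which has no such function, and both actions fail at runtime with an UndefinedFunctionError (the compiler only warns). Please confirm the alias exists or add `alias DiskuyWeb.Auth.Guardian` to the module header. As with posts, the check only holds if `Forum.update_thread/2` does not cast `user_id` from `thread_params`; otherwise an owner can reassign the thread, and `Map.delete(thread_params, "user_id")` before the update would close that.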
-- 
GitLab