Update user

2026-01-11 10:44:32 +00:00 · 2023-02-18 17:26:27 +00:00
parent 47c92ad44a
commit 471fa9ceb5
4 changed files with 38 additions and 2 deletions
--- a/lib/phoenix_api_template_web/auth/error_response.ex
+++ b/lib/phoenix_api_template_web/auth/error_response.ex
@@ -1,3 +1,7 @@
 defmodule PhoenixApiTemplateWeb.Auth.ErrorResponse.Unauthorized do
  defexception message: "Unauthorized", plug_status: 401
 end
+
+defmodule PhoenixApiTemplateWeb.Auth.ErrorResponse.Forbidden do
+  defexception message: "Forbidden", plug_status: 403
+end
--- a/lib/phoenix_api_template_web/controllers/user_controller.ex
+++ b/lib/phoenix_api_template_web/controllers/user_controller.ex
@@ -1,6 +1,7 @@
 defmodule PhoenixApiTemplateWeb.UserController do
  use PhoenixApiTemplateWeb, :controller

+  alias PhoenixApiTemplateWeb.Auth.ErrorResponse
  alias PhoenixApiTemplateWeb.Auth.ErrorResponse.Unauthorized
  alias PhoenixApiTemplateWeb.Auth.Guardian
  alias PhoenixApiTemplate.Accounts
@@ -8,8 +9,21 @@ defmodule PhoenixApiTemplateWeb.UserController do
  alias PhoenixApiTemplate.Profiles
  alias PhoenixApiTemplate.Profiles.Profile

+  plug :is_authorized_user when action in [:update, :delete]
+
  action_fallback(PhoenixApiTemplateWeb.FallbackController)

+  defp is_authorized_user(conn, _options) do
+    %{params: %{"id" => id}} = conn
+    user = Accounts.get_user!(id)
+
+    if conn.assigns.user.id == user.id do
+      conn
+    else
+      raise ErrorResponse.Forbidden
+    end
+  end
+
  def index(conn, _params) do
    users = Accounts.list_users()
    render(conn, "index.json", users: users)
--- a/lib/phoenix_api_template_web/router.ex
+++ b/lib/phoenix_api_template_web/router.ex
@@ -2,18 +2,26 @@ defmodule PhoenixApiTemplateWeb.Router do
  use PhoenixApiTemplateWeb, :router
  use Plug.ErrorHandler

-  defp handle_errors(conn, %{reason: %Phoenix.Router.NoRouteError{message: message}}) do
+  def handle_errors(conn, %{reason: %Phoenix.Router.NoRouteError{message: message}}) do
    conn
    |> json(%{errors: message})
    |> halt()
  end

-  defp handle_errors(conn, %{reason: %{message: message}}) do
+  def handle_errors(conn, %{reason: %{message: message}}) do
    conn
    |> json(%{errors: message})
    |> halt()
  end

+  def handle_errors(conn, error) do
+    IO.inspect(error)
+
+    conn
+    |> json(%{errors: "unknown error"})
+    |> halt()
+  end
+
  pipeline :api do
    plug(:accepts, ["json"])
    plug :fetch_session
@@ -36,5 +44,6 @@ defmodule PhoenixApiTemplateWeb.Router do
    pipe_through([:api, :auth])

    get "/users/by_id/:id", UserController, :show
+    put "/users/:id", UserController, :update
  end
 end
--- a/test_requests/update_user.http
+++ b/test_requests/update_user.http
@@ -0,0 +1,9 @@
+PUT http://localhost:4000/api/users/eae6f03c-6276-48e3-b6df-0797b2f8cb99 HTTP/1.1
+content-type: application/json
+Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwaG9lbml4X2FwaV90ZW1wbGF0ZSIsImV4cCI6MTY3OTE1Njk5NiwiaWF0IjoxNjc2NzM3Nzk2LCJpc3MiOiJwaG9lbml4X2FwaV90ZW1wbGF0ZSIsImp0aSI6Ijk0ZjJlOGQ5LTJkZmYtNDM4Zi1hY2Y4LWZiMzAwODJmZDU2YiIsIm5iZiI6MTY3NjczNzc5NSwic3ViIjoiZWFlNmYwM2MtNjI3Ni00OGUzLWI2ZGYtMDc5N2IyZjhjYjk5IiwidHlwIjoiYWNjZXNzIn0.32jNDsUQZemN6V_sR8xZtmlQp1kECPEcS63yCR655HlyWYsaNYCF3t4Wi37to6lmYUuE8QUD0qI3BHkqhroScQ
+
+{
+    "user": {
+        "password": "safe"
+    }
+}