harden account deletion

2022-02-12 00:34:11 -05:00 · 2022-02-12 00:34:11 -05:00 · 332f92a02f
parent c0b3de75a9
commit 332f92a02f
3 changed files with 32 additions and 16 deletions
--- a/lib/cannery/accounts.ex
+++ b/lib/cannery/accounts.ex
@ -63,17 +63,20 @@ defmodule Cannery.Accounts do
  @spec get_user!(User.t()) :: User.t()
  def get_user!(id), do: Repo.get!(User, id)

-  @spec list_users_by_role(atom()) :: [User.t()]
-  def list_users_by_role(role), do: Repo.all(from u in User, where: u.role == ^role)

-  @spec list_all_users(boolean()) :: [User.t()]
-  def list_all_users(confirmed_users_only \\ true) do
-    if confirmed_users_only do
-      from u in User, where: u.confirmed_at
-    else
-      User
-    end
-    |> Repo.all()
+  @doc """
+  Returns all users for a certain role.
+
+  ## Examples
+
+      iex> list_users_by_role(%User{id: 123, role: :admin})
+      [%User{}]
+
+  """
+  @spec list_users_by_role(:admin | :user) :: [User.t()]
+  def list_users_by_role(role) do
+    role = role |> to_string()
+    Repo.all(from u in User, where: u.role == ^role)
  end

  ## User registration
@ -253,8 +256,21 @@ defmodule Cannery.Accounts do
    end
  end

-  @spec delete_user!(User.t()) :: User.t()
-  def delete_user!(user), do: user |> Repo.delete!()
+  @doc """
+  Deletes a user. must be performed by an admin or the same user!
+
+  ## Examples
+
+      iex> delete_user!(user_to_delete, %User{id: 123, role: :admin})
+      %User{}
+
+      iex> delete_user!(%User{id: 123}, %User{id: 123})
+      %User{}
+
+  """
+  @spec delete_user!(User.t(), User.t()) :: User.t()
+  def delete_user!(user, %User{role: :admin}), do: user |> Repo.delete!()
+  def delete_user!(%User{id: user_id} = user, %User{id: user_id}), do: user |> Repo.delete!()

  ## Session

--- a/lib/cannery_web/controllers/user_settings_controller.ex
+++ b/lib/cannery_web/controllers/user_settings_controller.ex
@ -70,9 +70,9 @@ defmodule CanneryWeb.UserSettingsController do
    end
  end

-  def delete(conn, %{"id" => user_id}) do
-    if user_id == conn.assigns.current_user.id do
-      Accounts.delete_user!(conn.assigns.current_user)
+  def delete(%{assigns: %{current_user: current_user}} = conn, %{"id" => user_id}) do
+    if user_id == current_user.id do
+      current_user |> Accounts.delete_user!(current_user)

      conn
      |> put_flash(:error, dgettext("prompts", "Your account has been deleted"))
--- a/priv/gettext/prompts.pot
+++ b/priv/gettext/prompts.pot
@ -103,10 +103,10 @@ msgid "Saving..."
 msgstr ""

 #, elixir-format, ex-autogen
-#: lib/cannery_web/components/tag_card.ex:33
 #: lib/cannery_web/live/ammo_type_live/show.html.heex:26
 #: lib/cannery_web/live/container_live/index.html.heex:36
 #: lib/cannery_web/live/container_live/show.html.heex:36
+#: lib/cannery_web/live/tag_live/index.html.heex:36
 msgid "Are you sure you want to delete %{name}?"
 msgstr ""