From 332f92a02feccb4fdbd3adc22e38682fcae73c23 Mon Sep 17 00:00:00 2001
From: shibao
Date: Sat, 12 Feb 2022 00:34:11 -0500
Subject: [PATCH] harden account deletion

---
 lib/cannery/accounts.ex | 40 +++++++++++++------
 .../controllers/user_settings_controller.ex | 6 +-
 priv/gettext/prompts.pot | 2 +-
 3 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/lib/cannery/accounts.ex b/lib/cannery/accounts.ex
index d4256e1..e89426b 100644
--- a/lib/cannery/accounts.ex
+++ b/lib/cannery/accounts.ex
@@ -63,17 +63,20 @@ defmodule Cannery.Accounts do
 @spec get_user!(User.t()) :: User.t()
 def get_user!(id), do: Repo.get!(User, id)
 
- @spec list_users_by_role(atom()) :: [User.t()]
- def list_users_by_role(role), do: Repo.all(from u in User, where: u.role == ^role)
- @spec list_all_users(boolean()) :: [User.t()]
- def list_all_users(confirmed_users_only \\ true) do
- if confirmed_users_only do
- from u in User, where: u.confirmed_at
- else
- User
- end
- |> Repo.all()
+ @doc """
+ Returns all users for a certain role.
+
+ ## Examples
+
+ iex> list_users_by_role(%User{id: 123, role: :admin})
+ [%User{}]
+
+ """
+ @spec list_users_by_role(:admin | :user) :: [User.t()]
+ def list_users_by_role(role) do
+ role = role |> to_string()
+ Repo.all(from u in User, where: u.role == ^role)
 end
 
 ## User registration
@@ -253,8 +256,21 @@ defmodule Cannery.Accounts do
 end
 end
 
- @spec delete_user!(User.t()) :: User.t()
- def delete_user!(user), do: user |> Repo.delete!()
+ @doc """
+ Deletes a user. must be performed by an admin or the same user!
+
+ ## Examples
+
+ iex> delete_user!(user_to_delete, %User{id: 123, role: :admin})
+ %User{}
+
+ iex> delete_user!(%User{id: 123}, %User{id: 123})
+ %User{}
+
+ """
+ @spec delete_user!(User.t(), User.t()) :: User.t()
+ def delete_user!(user, %User{role: :admin}), do: user |> Repo.delete!()
+ def delete_user!(%User{id: user_id} = user, %User{id: user_id}), do: user |> Repo.delete!()
 
 ## Session
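Review bot: The doctest added for `list_users_by_role/1` passes a `%User{}` struct where the function takes a role atom, so `role |> to_string()` on that input would raise `Protocol.UndefinedError` (no `String.Chars` implementation for the struct) rather than return a list; the example should read `iex> list_users_by_role(:admin)`. The new `@spec` already pins the argument to `:admin | :user`, so the example and the spec currently disagree with each other. Converting the atom with `to_string/1` before the query suggests `role` is persisted as a string column; if so, a one-line comment such as `# role is stored as a string column, so the atom is cast before the query` would record why the cast is needed. `list_all_users/1` is removed in the same hunk and its callers are outside this diff, so confirm none remain.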
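Review bot: The admin clause `def delete_user!(user, %User{role: :admin})` only matches when the loaded struct carries the atom `:admin`, while `list_users_by_role/1` in the hunk above casts the role to a string before querying, which hints the `role` field may be loaded as a string; if it is, this clause never matches and an admin deleting another account gets a `FunctionClauseError` instead of a deletion, so confirm the schema's field type for `role` (an `Ecto.Enum` field would load as an atom, a `:string` field would not). Neither clause covers a caller who is neither an admin nor the target, so such a call raises `FunctionClauseError`; that is a reasonable assertive contract for a `!` function, but the docstring should state it, e.g. add `Raises FunctionClauseError when the acting user is neither an admin nor the user being deleted.` and give the second parameter a name via a bodiless head `def delete_user!(user, current_user)`. The same-user clause also matches when both ids are `nil` (two unpersisted structs); a guard `when not is_nil(user_id)` on that clause closes the gap cheaply.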
diff --git a/lib/cannery_web/controllers/user_settings_controller.ex b/lib/cannery_web/controllers/user_settings_controller.ex
index df6f4ba..e3d3ffb 100644
--- a/lib/cannery_web/controllers/user_settings_controller.ex
+++ b/lib/cannery_web/controllers/user_settings_controller.ex
@@ -70,9 +70,9 @@ defmodule CanneryWeb.UserSettingsController do
 end
 end
 
- def delete(conn, %{"id" => user_id}) do
- if user_id == conn.assigns.current_user.id do
- Accounts.delete_user!(conn.assigns.current_user)
+ def delete(%{assigns: %{current_user: current_user}} = conn, %{"id" => user_id}) do
+ if user_id == current_user.id do
+ current_user |> Accounts.delete_user!(current_user)
 
 conn
 |> put_flash(:error, dgettext("prompts", "Your account has been deleted"))
diff --git a/priv/gettext/prompts.pot b/priv/gettext/prompts.pot
index afca47d..8349a33 100644
--- a/priv/gettext/prompts.pot
+++ b/priv/gettext/prompts.pot
@@ -103,10 +103,10 @@ msgid "Saving..."
 msgstr ""
 
 #, elixir-format, ex-autogen
-#: lib/cannery_web/components/tag_card.ex:33
 #: lib/cannery_web/live/ammo_type_live/show.html.heex:26
 #: lib/cannery_web/live/container_live/index.html.heex:36
 #: lib/cannery_web/live/container_live/show.html.heex:36
+#: lib/cannery_web/live/tag_live/index.html.heex:36
 msgid "Are you sure you want to delete %{name}?"
 msgstr ""
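Review bot: `if user_id == current_user.id` compares the path parameter, which Plug always delivers as a string, against the struct's `id`; this only holds if the primary key is itself a binary (for example a UUID), whereas with an integer key the comparison is always false and self-deletion silently never happens, so confirm the schema's key type before relying on it. Because the controller passes `current_user` as both the target and the acting user to `Accounts.delete_user!/2`, this action can only ever delete the caller's own account, which appears to be the intent; a comment `# self-deletion only: the current user is both the target and the actor` on the call would make that explicit for the next reader. The `else` branch of this `if` and the rest of `delete/2` lie outside the hunk.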