Don't allow unpriv in live views

2026-03-21 18:41:38 +00:00 · 2021-12-22 16:21:43 -06:00
parent 0b3d798934
commit a73e83410e
13 changed files with 121 additions and 46 deletions
--- a/apps/fz_http/lib/fz_http_web/controller_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/controller_helpers.ex
@@ -13,6 +13,7 @@ defmodule FzHttpWeb.ControllerHelpers do

  import Phoenix.Controller,
    only: [
+      put_flash: 3,
      redirect: 2
    ]

@@ -31,15 +32,33 @@ defmodule FzHttpWeb.ControllerHelpers do
    end
  end

-  def root_path_for_role(conn) do
+  def authorize_authenticated(conn, _options) do
    user = Users.get_user!(get_session(conn, :user_id))

+    case user.role do
+      :unprivileged ->
+        conn
+        |> put_flash(:error, "Not authorized.")
+        |> redirect(to: root_path_for_role(conn, user))
+        |> halt()
+
+      :admin ->
+        conn
+    end
+  end
+
+  def root_path_for_role(conn) do
+    user = Users.get_user!(get_session(conn, :user_id))
+    root_path_for_role(conn, user)
+  end
+
+  def root_path_for_role(conn, user) do
    case user.role do
      :unprivileged ->
        Routes.user_path(conn, :show)

      :admin ->
-        Routes.device_path(conn, :index)
+        Routes.device_index_path(conn, :index)

      _ ->
        Routes.session_path(conn, :new)
--- a/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex
@@ -8,11 +8,7 @@ defmodule FzHttpWeb.DeviceController do
  alias FzHttp.Devices

  plug :redirect_unauthenticated, except: [:config]
-
-  def index(conn, _params) do
-    conn
-    |> redirect(to: Routes.device_index_path(conn, :index))
-  end
+  plug :authorize_authenticated, except: [:config]

  def download_config(conn, %{"id" => device_id}) do
    device = Devices.get_device!(device_id)
--- a/apps/fz_http/lib/fz_http_web/controllers/root_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/root_controller.ex
@@ -0,0 +1,13 @@
+defmodule FzHttpWeb.RootController do
+  @moduledoc """
+  Handles redirecting from /
+  """
+  use FzHttpWeb, :controller
+
+  plug :redirect_unauthenticated
+
+  def index(conn, _params) do
+    conn
+    |> redirect(to: root_path_for_role(conn))
+  end
+end
--- a/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex
@@ -3,7 +3,7 @@ defmodule FzHttpWeb.SessionController do
  Implements the CRUD for a Session
  """

-  alias FzHttp.{Sessions, Users, Users.Session}
+  alias FzHttp.{Sessions, Users}
  use FzHttpWeb, :controller

  plug :put_root_layout, "auth.html"
@@ -31,22 +31,14 @@ defmodule FzHttpWeb.SessionController do

      record ->
        case Sessions.create_session(record, %{email: email, password: password}) do
-          {:ok, %Session{role: :unprivileged} = session} ->
-            conn
-            |> clear_session()
-            |> assign(:current_session, session)
-            |> activate_vpn()
-            |> put_session(:user_id, session.id)
-            |> redirect(to: Routes.user_path(conn, :show))
-
-          {:ok, %Session{role: :admin} = session} ->
+          {:ok, session} ->
            conn
            |> clear_session()
            |> assign(:current_session, session)
            |> activate_vpn()
            |> put_session(:user_id, session.id)
            |> put_session(:live_socket_id, "users_socket:#{session.id}")
-            |> redirect(to: Routes.device_path(conn, :index))
+            |> redirect(to: Routes.root_path(conn, :index))

          {:error, _changeset} ->
            conn
@@ -65,7 +57,7 @@ defmodule FzHttpWeb.SessionController do
        |> clear_session()
        |> put_session(:user_id, user.id)
        |> put_session(:live_socket_id, "users_socket:#{user.id}")
-        |> redirect(to: Routes.device_path(conn, :index))
+        |> redirect(to: Routes.device_index_path(conn, :index))

      {:error, error_msg} ->
        conn
--- a/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex
@@ -20,7 +20,13 @@ defmodule FzHttpWeb.AccountLive.Show do
  end

  defp load_data(_params, socket) do
-    socket
-    |> assign(:changeset, Users.change_user(socket.assigns.current_user))
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      socket
+      |> assign(:changeset, Users.change_user(socket.assigns.current_user))
+    else
+      not_authorized(socket)
+    end
  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex
@@ -15,6 +15,13 @@ defmodule FzHttpWeb.ConnectivityCheckLive.Index do
  end

  defp load_data(_params, socket) do
-    assign(socket, :connectivity_checks, ConnectivityChecks.list_connectivity_checks(limit: 20))
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      socket
+      |> assign(:connectivity_checks, ConnectivityChecks.list_connectivity_checks(limit: 20))
+    else
+      not_authorized(socket)
+    end
  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex
@@ -42,6 +42,13 @@ defmodule FzHttpWeb.DeviceLive.Index do
  end

  defp load_data(_params, socket) do
-    assign(socket, :devices, Devices.list_devices())
+    # XXX: Update this to use new LiveView session auth
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      assign(socket, :devices, Devices.list_devices())
+    else
+      not_authorized(socket)
+    end
  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex
@@ -7,7 +7,17 @@ defmodule FzHttpWeb.RuleLive.Index do
  def mount(params, session, socket) do
    {:ok,
     socket
-     |> assign_defaults(params, session)
-     |> assign(:page_title, "Egress Rules")}
+     |> assign_defaults(params, session, &load_data/2)}
+  end
+
+  defp load_data(_params, socket) do
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      socket
+      |> assign(:page_title, "Egress Rules")
+    else
+      not_authorized(socket)
+    end
  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
@@ -28,11 +28,7 @@ defmodule FzHttpWeb.SettingLive.Default do
  def mount(params, session, socket) do
    {:ok,
     socket
-     |> assign_defaults(params, session)
-     |> assign(:help_texts, @help_texts)
-     |> assign(:changesets, load_changesets())
-     |> assign(:endpoint_placeholder, endpoint_placeholder())
-     |> assign(:page_title, "Default Settings")}
+     |> assign_defaults(params, session, &load_data/2)}
  end

  defp endpoint_placeholder do
@@ -43,4 +39,18 @@ defmodule FzHttpWeb.SettingLive.Default do
    Settings.to_list("default.")
    |> Map.new(fn setting -> {setting.key, Settings.change_setting(setting)} end)
  end
+
+  defp load_data(_params, socket) do
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      socket
+      |> assign(:changesets, load_changesets())
+      |> assign(:help_texts, @help_texts)
+      |> assign(:endpoint_placeholder, endpoint_placeholder())
+      |> assign(:page_title, "Default Settings")
+    else
+      not_authorized(socket)
+    end
+  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
@@ -21,10 +21,16 @@ defmodule FzHttpWeb.UserLive.Index do
  end

  defp load_data(_params, socket) do
-    assign(
-      socket,
-      :users,
-      Users.list_users(:with_device_counts)
-    )
+    user = socket.assigns.current_user
+
+    if user.role == :admin do
+      assign(
+        socket,
+        :users,
+        Users.list_users(:with_device_counts)
+      )
+    else
+      not_authorized(socket)
+    end
  end
 end
--- a/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
@@ -15,14 +15,6 @@ defmodule FzHttpWeb.UserLive.Show do
     |> assign_defaults(params, session, &load_data/2)}
  end

-  defp load_data(params, socket) do
-    user = Users.get_user!(params["id"])
-
-    socket
-    |> assign(:devices, Devices.list_devices(user))
-    |> assign(:user, user)
-  end
-
  @impl Phoenix.LiveView
  def handle_params(_params, _url, socket) do
    {:noreply, socket}
@@ -88,4 +80,16 @@ defmodule FzHttpWeb.UserLive.Show do
         )}
    end
  end
+
+  defp load_data(params, socket) do
+    user = Users.get_user!(params["id"])
+
+    if socket.assigns.current_user.role == :admin do
+      socket
+      |> assign(:devices, Devices.list_devices(user))
+      |> assign(:user, user)
+    else
+      not_authorized(socket)
+    end
+  end
 end
--- a/apps/fz_http/lib/fz_http_web/live_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/live_helpers.ex
@@ -7,7 +7,8 @@ defmodule FzHttpWeb.LiveHelpers do
  import Phoenix.LiveView
  import Phoenix.LiveView.Helpers
  alias FzHttp.Users
-  alias FzHttpWeb.Router.Helpers, as: Routes
+
+  import FzHttpWeb.ControllerHelpers, only: [root_path_for_role: 2]

  @doc """
  Load user into socket assigns and call the callback function if provided.
@@ -35,9 +36,12 @@ defmodule FzHttpWeb.LiveHelpers do
  end

  def not_authorized(socket) do
+    # XXX: Update this to use new LiveView session auth
+    user = socket.assigns.current_user
+
    socket
    |> put_flash(:error, "Not authorized.")
-    |> redirect(to: Routes.session_path(socket, :new))
+    |> redirect(to: root_path_for_role(socket, user))
  end

  def live_modal(component, opts) do
--- a/apps/fz_http/lib/fz_http_web/router.ex
+++ b/apps/fz_http/lib/fz_http_web/router.ex
@@ -35,7 +35,6 @@ defmodule FzHttpWeb.Router do
    live "/devices/:id", DeviceLive.Show, :show
    live "/devices/:id/edit", DeviceLive.Show, :edit
    get "/devices/:id/dl", DeviceController, :download_config
-    get "/", DeviceController, :index
    get "/device_config/:config_token", DeviceController, :config
    get "/device_config/:config_token/dl", DeviceController, :download_shared_config

@@ -51,5 +50,7 @@ defmodule FzHttpWeb.Router do
    get "/sign_in/:token", SessionController, :create
    delete "/user", UserController, :delete
    get "/user", UserController, :show
+
+    get "/", RootController, :index
  end
 end