diff --git a/apps/fz_http/lib/fz_http_web/controller_helpers.ex b/apps/fz_http/lib/fz_http_web/controller_helpers.ex
index 3648a886e..5f6d66d79 100644
--- a/apps/fz_http/lib/fz_http_web/controller_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/controller_helpers.ex
@@ -13,6 +13,7 @@ defmodule FzHttpWeb.ControllerHelpers do
 import Phoenix.Controller, only: [
+ put_flash: 3,
 redirect: 2
 ]
@@ -31,15 +32,33 @@ defmodule FzHttpWeb.ControllerHelpers do
 end
 end
- def root_path_for_role(conn) do
+ def authorize_authenticated(conn, _options) do
 user = Users.get_user!(get_session(conn, :user_id))
+ case user.role do
+ :unprivileged ->
+ conn
+ |> put_flash(:error, "Not authorized.")
+ |> redirect(to: root_path_for_role(conn, user))
+ |> halt()
+
+ :admin ->
+ conn
+ end
+ end
+
+ def root_path_for_role(conn) do
+ user = Users.get_user!(get_session(conn, :user_id))
+ root_path_for_role(conn, user)
+ end
+
+ def root_path_for_role(conn, user) do
 case user.role do
 :unprivileged ->
 Routes.user_path(conn, :show)
 :admin ->
- Routes.device_path(conn, :index)
+ Routes.device_index_path(conn, :index)
 _ ->
 Routes.session_path(conn, :new)
diff --git a/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex
index b4ff91695..b4f6275a4 100644
--- a/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/device_controller.ex
@@ -8,11 +8,7 @@ defmodule FzHttpWeb.DeviceController do
 alias FzHttp.Devices
 plug :redirect_unauthenticated, except: [:config]
-
- def index(conn, _params) do
- conn
- |> redirect(to: Routes.device_index_path(conn, :index))
- end
+ plug :authorize_authenticated, except: [:config]
 def download_config(conn, %{"id" => device_id}) do
 device = Devices.get_device!(device_id)
diff --git a/apps/fz_http/lib/fz_http_web/controllers/root_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/root_controller.ex
new file mode 100644
index 000000000..d81a8b251
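Review bot: `authorize_authenticated` only has `:unprivileged` and `:admin` clauses, so any other role value raises a CaseClauseError (a 500) rather than being denied; the sibling `root_path_for_role/2` in the same hunk keeps a `_ ->` branch, which suggests other values are at least considered possible. An authorization plug should fail closed with an explicit default: keep `:admin -> conn` as the first clause and turn the deny clause into `_ ->` (it must come last). The name also overstates the contract — it denies authenticated non-admins — so a `@doc` on it would help: `@doc "Plug: halts with a 'Not authorized.' redirect unless the session user has the :admin role. Must run after :redirect_unauthenticated, since it calls Users.get_user!/1 on the session's :user_id."`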
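Review bot: With `plug :authorize_authenticated, except: [:config]`, `download_config` becomes admin-only, and since `Devices.get_device!(device_id)` on the next line applies no ownership check, this plug is now the only thing stopping one authenticated user from fetching another user's device config by id. If unprivileged users are meant to download their own configs later, that needs an ownership check in the action, not a relaxed plug. The plug order is also load-bearing — `authorize_authenticated` calls `Users.get_user!` on the session id, so it must stay below `:redirect_unauthenticated`; a comment on the new line would record both facts: `# Admin-only for now: download_config has no per-device ownership check. Keep after :redirect_unauthenticated.` The `download_config` body continues outside the hunk.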
--- /dev/null
+++ b/apps/fz_http/lib/fz_http_web/controllers/root_controller.ex
@@ -0,0 +1,13 @@
+defmodule FzHttpWeb.RootController do
+ @moduledoc """
+ Handles redirecting from /
+ """
+ use FzHttpWeb, :controller
+
+ plug :redirect_unauthenticated
+
+ def index(conn, _params) do
+ conn
+ |> redirect(to: root_path_for_role(conn))
+ end
+end
diff --git a/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex
index 8ea8a3f5f..a53763c8c 100644
--- a/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/session_controller.ex
@@ -3,7 +3,7 @@ defmodule FzHttpWeb.SessionController do
 Implements the CRUD for a Session
 """
- alias FzHttp.{Sessions, Users, Users.Session}
+ alias FzHttp.{Sessions, Users}
 use FzHttpWeb, :controller
 plug :put_root_layout, "auth.html"
@@ -31,22 +31,14 @@ defmodule FzHttpWeb.SessionController do
 record ->
 case Sessions.create_session(record, %{email: email, password: password}) do
- {:ok, %Session{role: :unprivileged} = session} ->
- conn
- |> clear_session()
- |> assign(:current_session, session)
- |> activate_vpn()
- |> put_session(:user_id, session.id)
- |> redirect(to: Routes.user_path(conn, :show))
-
- {:ok, %Session{role: :admin} = session} ->
+ {:ok, session} ->
 conn
 |> clear_session()
 |> assign(:current_session, session)
 |> activate_vpn()
 |> put_session(:user_id, session.id)
 |> put_session(:live_socket_id, "users_socket:#{session.id}")
- |> redirect(to: Routes.device_path(conn, :index))
+ |> redirect(to: Routes.root_path(conn, :index))
 {:error, _changeset} ->
 conn
@@ -65,7 +57,7 @@ defmodule FzHttpWeb.SessionController do
 |> clear_session()
 |> put_session(:user_id, user.id)
 |> put_session(:live_socket_id, "users_socket:#{user.id}")
- |> redirect(to: Routes.device_path(conn, :index))
+ |> redirect(to: Routes.device_index_path(conn, :index))
 {:error, error_msg} ->
 conn
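Review bot: The token sign-in branch still sends every user to `Routes.device_index_path(conn, :index)`, while the password branch in the hunk above now goes through `Routes.root_path(conn, :index)` precisely so the landing page depends on the role. An unprivileged user signing in by token therefore lands on the admin devices LiveView, gets bounced by its admin check with a "Not authorized." flash, and only then reaches their own page. Use the same target here: `|> redirect(to: Routes.root_path(conn, :index))`. The enclosing function starts outside the hunk.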
diff --git a/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex b/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex
index 3673f43c7..b81f0fe13 100644
--- a/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/account_live/show_live.ex
@@ -20,7 +20,13 @@ defmodule FzHttpWeb.AccountLive.Show do
 end
 defp load_data(_params, socket) do
- socket
- |> assign(:changeset, Users.change_user(socket.assigns.current_user))
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ socket
+ |> assign(:changeset, Users.change_user(socket.assigns.current_user))
+ else
+ not_authorized(socket)
+ end
 end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex b/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex
index 1f5cac6cd..83af77abe 100644
--- a/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/connectivity_check_live/index_live.ex
@@ -15,6 +15,13 @@ defmodule FzHttpWeb.ConnectivityCheckLive.Index do
 end
 defp load_data(_params, socket) do
- assign(socket, :connectivity_checks, ConnectivityChecks.list_connectivity_checks(limit: 20))
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ socket
+ |> assign(:connectivity_checks, ConnectivityChecks.list_connectivity_checks(limit: 20))
+ else
+ not_authorized(socket)
+ end
 end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex b/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex
index 279b55d5b..833efb542 100644
--- a/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/device_live/index_live.ex
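Review bot: The admin check in `AccountLive.Show.load_data` guards data that belongs to the viewer — `Users.change_user(socket.assigns.current_user)` — so it does not protect anyone else's record; it makes the account page itself admin-only and sends unprivileged users to `user_path(:show)` via `not_authorized`. If that split is intended, it deserves a why-comment, because the next reader will see a self-service page rejecting its own user and "fix" it: `# The account page is admin-only by design; unprivileged users are redirected to their user page by not_authorized/1.` Also, `user` is bound but the assign still reads `socket.assigns.current_user` — use `Users.change_user(user)`.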
@@ -42,6 +42,13 @@ defmodule FzHttpWeb.DeviceLive.Index do
 end
 defp load_data(_params, socket) do
- assign(socket, :devices, Devices.list_devices())
+ # XXX: Update this to use new LiveView session auth
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ assign(socket, :devices, Devices.list_devices())
+ else
+ not_authorized(socket)
+ end
 end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex b/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex
index 5d429b33a..ccab8c3ac 100644
--- a/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/rule_live/index_live.ex
@@ -7,7 +7,17 @@ defmodule FzHttpWeb.RuleLive.Index do
 def mount(params, session, socket) do
 {:ok,
 socket
- |> assign_defaults(params, session)
- |> assign(:page_title, "Egress Rules")}
+ |> assign_defaults(params, session, &load_data/2)}
+ end
+
+ defp load_data(_params, socket) do
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ socket
+ |> assign(:page_title, "Egress Rules")
+ else
+ not_authorized(socket)
+ end
 end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex b/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
index 60e63919f..1cac432d5 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
@@ -28,11 +28,7 @@ defmodule FzHttpWeb.SettingLive.Default do
 def mount(params, session, socket) do
 {:ok,
 socket
- |> assign_defaults(params, session)
- |> assign(:help_texts, @help_texts)
- |> assign(:changesets, load_changesets())
- |> assign(:endpoint_placeholder, endpoint_placeholder())
- |> assign(:page_title, "Default Settings")}
+ |> assign_defaults(params, session, &load_data/2)}
 end
 defp endpoint_placeholder do
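Review bot: The `# XXX: Update this to use new LiveView session auth` marker in `DeviceLive.Index.load_data` names neither what the "new LiveView session auth" is nor where it is tracked, so it will outlive the work it describes. Since this per-mount role check is the only thing gating `Devices.list_devices()` for now, the comment should say that and point at the follow-up: `# TODO(<issue>): move this role check into a shared LiveView on_mount/session hook; until then every admin LiveView repeats it in load_data.` The issue reference is whatever tracks that migration — I can't see it from here.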
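Review bot: `RuleLive.Index.load_data` is the third copy in this commit of the same `if user.role == :admin do … else not_authorized(socket) end` body, with the deny branch reachable only after the happy path is written correctly in each file. Matching the admin role in the function head makes the allow case explicit and the deny clause the catch-all, and the same two-clause shape could later become one shared helper beside `not_authorized/1` in LiveHelpers. Rewritten for this file:

```elixir
defp load_data(_params, %{assigns: %{current_user: %{role: :admin}}} = socket) do
  assign(socket, :page_title, "Egress Rules")
end

# Every other role is denied; not_authorized/1 flashes and redirects.
defp load_data(_params, socket), do: not_authorized(socket)
```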
@@ -43,4 +39,18 @@ defmodule FzHttpWeb.SettingLive.Default do
 Settings.to_list("default.")
 |> Map.new(fn setting -> {setting.key, Settings.change_setting(setting)} end)
 end
+
+ defp load_data(_params, socket) do
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ socket
+ |> assign(:changesets, load_changesets())
+ |> assign(:help_texts, @help_texts)
+ |> assign(:endpoint_placeholder, endpoint_placeholder())
+ |> assign(:page_title, "Default Settings")
+ else
+ not_authorized(socket)
+ end
+ end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex b/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
index 43a9b8b7b..5d4234e26 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
@@ -21,10 +21,16 @@ defmodule FzHttpWeb.UserLive.Index do
 end
 defp load_data(_params, socket) do
- assign(
- socket,
- :users,
- Users.list_users(:with_device_counts)
- )
+ user = socket.assigns.current_user
+
+ if user.role == :admin do
+ assign(
+ socket,
+ :users,
+ Users.list_users(:with_device_counts)
+ )
+ else
+ not_authorized(socket)
+ end
 end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex b/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
index 8e3959e5c..546db7b1d 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
@@ -15,14 +15,6 @@ defmodule FzHttpWeb.UserLive.Show do
 |> assign_defaults(params, session, &load_data/2)}
 end
- defp load_data(params, socket) do
- user = Users.get_user!(params["id"])
-
- socket
- |> assign(:devices, Devices.list_devices(user))
- |> assign(:user, user)
- end
-
 @impl Phoenix.LiveView
 def handle_params(_params, _url, socket) do
 {:noreply, socket}
@@ -88,4 +80,16 @@ defmodule FzHttpWeb.UserLive.Show do
 )}
 end
 end
+
+ defp load_data(params, socket) do
+ user = Users.get_user!(params["id"])
+
+ if socket.assigns.current_user.role == :admin do
+ socket
+ |> assign(:devices, Devices.list_devices(user))
+ |> assign(:user, user)
+ else
+ not_authorized(socket)
+ end
+ end
 end
diff --git a/apps/fz_http/lib/fz_http_web/live_helpers.ex b/apps/fz_http/lib/fz_http_web/live_helpers.ex
index d6cdad2ca..9ba7b87a7 100644
--- a/apps/fz_http/lib/fz_http_web/live_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/live_helpers.ex
@@ -7,7 +7,8 @@ defmodule FzHttpWeb.LiveHelpers do
 import Phoenix.LiveView
 import Phoenix.LiveView.Helpers
 alias FzHttp.Users
- alias FzHttpWeb.Router.Helpers, as: Routes
+
+ import FzHttpWeb.ControllerHelpers, only: [root_path_for_role: 2]
 @doc """
 Load user into socket assigns and call the callback function if provided.
@@ -35,9 +36,12 @@ defmodule FzHttpWeb.LiveHelpers do
 end
 def not_authorized(socket) do
+ # XXX: Update this to use new LiveView session auth
+ user = socket.assigns.current_user
+
 socket
 |> put_flash(:error, "Not authorized.")
- |> redirect(to: Routes.session_path(socket, :new))
+ |> redirect(to: root_path_for_role(socket, user))
 end
 def live_modal(component, opts) do
diff --git a/apps/fz_http/lib/fz_http_web/router.ex b/apps/fz_http/lib/fz_http_web/router.ex
index 26fa0b393..879c8ad07 100644
--- a/apps/fz_http/lib/fz_http_web/router.ex
+++ b/apps/fz_http/lib/fz_http_web/router.ex
@@ -35,7 +35,6 @@ defmodule FzHttpWeb.Router do
 live "/devices/:id", DeviceLive.Show, :show
 live "/devices/:id/edit", DeviceLive.Show, :edit
 get "/devices/:id/dl", DeviceController, :download_config
- get "/", DeviceController, :index
 get "/device_config/:config_token", DeviceController, :config
 get "/device_config/:config_token/dl", DeviceController, :download_shared_config
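Review bot: In `UserLive.Show.load_data`, `Users.get_user!(params["id"])` runs before the `:admin` check, so a non-admin requesting an unknown id gets the bang-function's raise while an existing id gets the "Not authorized." redirect — a cheap user-id existence oracle, plus a wasted database lookup on every denied mount. Do the lookup only after authorization: `if socket.assigns.current_user.role == :admin do` / `user = Users.get_user!(params["id"])` / `socket |> assign(:devices, Devices.list_devices(user)) |> assign(:user, user)`, with the `else` branch unchanged.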
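Review bot: `not_authorized/1` now reads `socket.assigns.current_user` and passes it to `root_path_for_role/2`, which dereferences `user.role`, so a `nil` current_user turns a denial into a crash; the removed line unconditionally redirected to the sign-in page instead. Whether `assign_defaults` guarantees the assign is set is not visible in this hunk, so if it can be `nil` the old fallback is easy to keep, since `root_path_for_role/2` already maps an unknown role to `Routes.session_path(conn, :new)`: `|> redirect(to: root_path_for_role(socket, user || %{role: nil}))`. If it cannot be `nil`, say so in place of the bare XXX: `# current_user is always set by assign_defaults/3 before any load_data callback runs.`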
@@ -51,5 +50,7 @@ defmodule FzHttpWeb.Router do
 get "/sign_in/:token", SessionController, :create
 delete "/user", UserController, :delete
 get "/user", UserController, :show
+
+ get "/", RootController, :index
 end
 end