When a user is not either an :admin or :superuser, accessing the User Management page (list of all users, editing a user that isn't themselves) should result in a Permission Denied page.
We need to determine a clean way of handling authorisation failures, with the equivalent of a 401 in LiveView.
We've had some success using BodyGuard, and think it makes sense to implement it here.
We can start with a simple UserPolicy module which has a :view_all matcher; for more info, see the BodyGuard docs.
If Stu picks this up, please talk it through with Elias when you're done.
As a superuser, I should be able to access the User management page (create, edit, etc).
As a regular user, I cannot see the user management page.
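One shape the policy described in this issue could take, as an added example that is not part of the original issue or the project's code. The `Example.*` module names, the `:user` role, the `:create`/`:edit` actions and the `permit/4` helper are assumptions; the helper stands in for `Bodyguard.permit/4` so the script runs without the dependency.

```elixir
defmodule Example.UserPolicy do
  # In the application this module would declare `@behaviour Bodyguard.Policy`;
  # the line is left out here so the file runs with plain `elixir`.
  # authorize/3 follows that behaviour's callback shape: (action, user, params).

  @privileged [:admin, :superuser]

  # Privileged roles may list all users and create or edit any user.
  def authorize(action, %{role: role}, _params)
      when action in [:view_all, :create, :edit] and role in @privileged,
      do: true

  # Any signed-in user may edit their own record (same id on both sides).
  def authorize(:edit, %{id: id}, %{id: id}), do: true

  # Default deny: unknown actions, unknown roles, a nil user, other users' records.
  def authorize(_action, _user, _params), do: false
end

defmodule Example.Authz do
  # Hypothetical stand-in for Bodyguard.permit/4: maps the policy's boolean
  # onto :ok | {:error, :unauthorized}, which a LiveView mount can match on
  # to render the Permission Denied page.
  def permit(policy, action, user, params \\ nil) do
    if policy.authorize(action, user, params) == true do
      :ok
    else
      {:error, :unauthorized}
    end
  end
end

alias Example.{Authz, UserPolicy}

# Constructed sample users.
superuser = %{id: 1, role: :superuser}
regular = %{id: 2, role: :user}
other = %{id: 3, role: :user}

# Each match raises MatchError if the policy decides otherwise.
:ok = Authz.permit(UserPolicy, :view_all, superuser)
:ok = Authz.permit(UserPolicy, :edit, superuser, other)
{:error, :unauthorized} = Authz.permit(UserPolicy, :view_all, regular)
{:error, :unauthorized} = Authz.permit(UserPolicy, :edit, regular, other)
:ok = Authz.permit(UserPolicy, :edit, regular, regular)
{:error, :unauthorized} = Authz.permit(UserPolicy, :view_all, nil)
{:error, :unauthorized} = Authz.permit(UserPolicy, :delete, superuser, other)
```

The final catch-all clause is what makes the policy fail closed: an action or role added later is denied until a clause explicitly permits it.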