cpjk / canary

:hatching_chick: Elixir authorization and resource-loading library for Plug applications.
MIT License
474 stars 51 forks source link

Adding permissions for nested models #67

Closed Secretmapper closed 7 years ago

Secretmapper commented 7 years ago

Sorry if this has been addressed in the docs, but I can't seem to find it.

How do we add a permission for 'nested' models? For example, imagine a User, a Project, and Tasks:

task.project_id -> project.user_id -> user.id

I only want the user to be able to see, edit, etc. tasks if he owns the project.

slashmili commented 7 years ago

I did it by adding two plugs. for the route like /projects/10/tasks/20

plug :authorize_resource, model: Project, persisted: true, id_name: "project_id"
plug :authorize_resource, model: Task
cpjk commented 7 years ago

To add to @slashmili's answer, if you want a more custom authorization solution, it is fairly simple to implement yourself using custom plugs e.g. how it is done in https://github.com/cpjk/canary/blob/master/lib/canary/plugs.ex#L155-L170 :smile_cat: