Open gilbertobr opened 4 years ago
Personally I feel this kind of issue is out of scope and I know that this is probably not the answer you are looking for.
1) Permissions are a business decision and Pow doesn't care about this; Pow only takes care of authentication, not authorization. You can create a custom context to control what should happen before or after the Pow plugs and controller call your context, and you can also add whatever you need to your schema and override the changeset function to cast things that Pow is not aware of. https://github.com/danschultzer/pow#powecto
2) A better place to ask for help with design would be on the Elixir forum or Slack
Only the standard user "user" (can change only his own record?)
Depends on how you handle it, but normally you wouldn't need an authorization/permissions check for this; instead, just have a singleton resource where you pull the current user with Pow.Plug.current_user/1 and update that. This way you can't update any records but your own.
If it's because you'll have a resources endpoint where the user can view all other users but only update their own, you should deal with it by just checking that Pow.Plug.current_user/1 is the same as the user (as shown with the canada lib).
You should deal with permissions in the controller, and redirect with an error flash.
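The ownership check described in this reply, written out as an added example (not code from the Pow project or from this thread). The module names `MyAppWeb.UserController`, `MyApp.Users`, the `Routes.user_path/3` helper and the `MyApp.Users.User` struct are assumptions standing in for an ordinary Phoenix app; `Pow.Plug.current_user/1` and the `Canada.Can` protocol are the real APIs referenced above. The plug compares the session user's id with the id of the record being edited and, when they differ, sets an error flash, redirects and halts the pipeline so the action never runs:

```elixir
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  # Assumed Phoenix context with get_user!/1 and update_user/2.
  alias MyApp.Users

  plug :load_user when action in [:edit, :update]
  plug :authorize_owner when action in [:edit, :update]

  def update(conn, %{"user" => user_params}) do
    # By the time we get here, :authorize_owner has already confirmed
    # that conn.assigns.user is the signed-in user.
    case Users.update_user(conn.assigns.user, user_params) do
      {:ok, user} ->
        conn
        |> put_flash(:info, "Profile updated.")
        |> redirect(to: Routes.user_path(conn, :show, user))

      {:error, changeset} ->
        render(conn, "edit.html", changeset: changeset)
    end
  end

  defp load_user(conn, _opts) do
    assign(conn, :user, Users.get_user!(conn.params["id"]))
  end

  # Authorization in the controller: the user from the Pow session must be
  # the owner of the record. Anything else is redirected with an error flash
  # and the conn is halted so no later plug or action runs.
  defp authorize_owner(conn, _opts) do
    current_user = Pow.Plug.current_user(conn)

    if current_user && current_user.id == conn.assigns.user.id do
      conn
    else
      conn
      |> put_flash(:error, "You can only edit your own profile.")
      |> redirect(to: Routes.user_path(conn, :show, conn.assigns.user))
      |> halt()
    end
  end
end

# The same rule expressed with the canada lib: implement Canada.Can for the
# user struct so that a user may edit/update a record only when the ids match.
# Every other (user, action, resource) combination falls through to false.
defimpl Canada.Can, for: MyApp.Users.User do
  def can?(%MyApp.Users.User{id: id}, action, %MyApp.Users.User{id: id})
      when action in [:edit, :update],
      do: true

  def can?(_user, _action, _resource), do: false
end
```

With the Canada implementation in place, the plug body above can be rewritten as `import Canada, only: [can?: 2]` followed by `if current_user |> can? update(conn.assigns.user)`, which keeps the decision in one protocol implementation while the controller still owns the redirect and flash.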
Could you help me create a function where only the standard user "user" can change his own record? If this user is not the same, show an alert?
I'm using Pow, I'm really enjoying it. However, I wanted to find a better way to create these permissions.
Canada, show me an example
https://github.com/jarednorman/canada
How would you put that on Pow, though?