Add admin users for which LiveDashboard is enabled in prod

This commit is contained in:
Shadowfacts 2021-04-10 14:54:14 -04:00
parent 5235403a19
commit e7211d2042
Signed by: shadowfacts
GPG Key ID: 94A5AB95422746E5
5 changed files with 35 additions and 20 deletions

View File

@ -7,7 +7,8 @@ defmodule Wiki.Accounts.User do
password: String.t() | nil, password: String.t() | nil,
hashed_password: String.t(), hashed_password: String.t(),
confirmed_at: NaiveDateTime.t(), confirmed_at: NaiveDateTime.t(),
content_encryption_key_salt: String.t() content_encryption_key_salt: String.t(),
is_admin: boolean()
} }
@derive {Inspect, except: [:password]} @derive {Inspect, except: [:password]}
@ -17,6 +18,7 @@ defmodule Wiki.Accounts.User do
field :hashed_password, :string field :hashed_password, :string
field :confirmed_at, :naive_datetime field :confirmed_at, :naive_datetime
field :content_encryption_key_salt, :binary field :content_encryption_key_salt, :binary
field :is_admin, :boolean, default: false
timestamps() timestamps()
end end

View File

@ -143,6 +143,19 @@ defmodule WikiWeb.UserAuth do
end end
end end
def require_admin_user(conn, _opts) do
case conn.assigns[:current_user] do
%Accounts.User{is_admin: true} ->
conn
_ ->
conn
|> put_flash(:error, "You must be logged in as an admin to access this page.")
|> redirect(to: "/")
|> halt()
end
end
defp maybe_store_return_to(%{method: "GET", request_path: request_path} = conn) do defp maybe_store_return_to(%{method: "GET", request_path: request_path} = conn) do
put_session(conn, :user_return_to, request_path) put_session(conn, :user_return_to, request_path)
end end

View File

@ -2,6 +2,7 @@ defmodule WikiWeb.Router do
use WikiWeb, :router use WikiWeb, :router
import WikiWeb.UserAuth import WikiWeb.UserAuth
import Phoenix.LiveDashboard.Router
pipeline :browser do pipeline :browser do
plug :accepts, ["html"] plug :accepts, ["html"]
@ -21,22 +22,6 @@ defmodule WikiWeb.Router do
# pipe_through :api # pipe_through :api
# end # end
# Enables LiveDashboard only for development
#
# If you want to use the LiveDashboard in production, you should put
# it behind authentication and allow only admins to access it.
# If your application does not have an admins-only section yet,
# you can use Plug.BasicAuth to set up some basic authentication
# as long as you are also using SSL (which you should anyway).
if Mix.env() in [:dev, :test] do
import Phoenix.LiveDashboard.Router
scope "/" do
pipe_through :browser
live_dashboard "/dashboard", metrics: WikiWeb.Telemetry
end
end
## Authentication routes ## Authentication routes
scope "/", WikiWeb do scope "/", WikiWeb do
@ -68,6 +53,12 @@ defmodule WikiWeb.Router do
delete "/pages/:id/uploads/:upload_id", PageController, :delete_upload delete "/pages/:id/uploads/:upload_id", PageController, :delete_upload
end end
scope "/", WikiWeb do
pipe_through [:browser, :require_authenticated_user, :require_admin_user]
live_dashboard "/dashboard", metrics: WikiWeb.Telemetry
end
scope "/", WikiWeb do scope "/", WikiWeb do
pipe_through [:browser] pipe_through [:browser]

View File

@ -17,10 +17,10 @@
<%= if @current_user do %> <%= if @current_user do %>
<li><%= link "New Page", to: Routes.page_path(@conn, :new) %></li> <li><%= link "New Page", to: Routes.page_path(@conn, :new) %></li>
<li><%= link "Random", to: Routes.page_path(@conn, :random) %></li> <li><%= link "Random", to: Routes.page_path(@conn, :random) %></li>
<% end %> <%= if @current_user.is_admin do %>
<%= if function_exported?(Routes, :live_dashboard_path, 2) do %>
<li><%= link "LiveDashboard", to: Routes.live_dashboard_path(@conn, :home) %></li> <li><%= link "LiveDashboard", to: Routes.live_dashboard_path(@conn, :home) %></li>
<% end %> <% end %>
<% end %>
</ul> </ul>
<%= render "_user_menu.html", assigns %> <%= render "_user_menu.html", assigns %>
</nav> </nav>

View File

@ -0,0 +1,9 @@
defmodule Wiki.Repo.Migrations.UsersAddIsAdmin do
use Ecto.Migration
def change do
alter table(:users) do
add :is_admin, :boolean, default: false
end
end
end