From 2f67c7099d0b6dfb5a9d5443ddf76644683a7b4d Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 3 Feb 2026 16:35:32 +0100
Subject: [PATCH] Apply UI authorization to User LiveViews (Index and Show)

Gate New User button, Edit and Delete links with can?/3.
Edit button on User Show visible only when user can update the user.
---
 lib/mv_web/live/user_live/index.html.heex | 26 ++++++++++++++---------
 lib/mv_web/live/user_live/show.ex         |  8 ++++---
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/lib/mv_web/live/user_live/index.html.heex b/lib/mv_web/live/user_live/index.html.heex
index 9314f1e..dcb2e83 100644
--- a/lib/mv_web/live/user_live/index.html.heex
+++ b/lib/mv_web/live/user_live/index.html.heex
@@ -2,9 +2,11 @@
   <.header>
     {gettext("Listing Users")}
     <:actions>
-      <.button variant="primary" navigate={~p"/users/new"}>
-        <.icon name="hero-plus" /> {gettext("New User")}
-      </.button>
+      <%= if can?(@current_user, :create, Mv.Accounts.User) do %>
+        <.button variant="primary" navigate={~p"/users/new"}>
+          <.icon name="hero-plus" /> {gettext("New User")}
+        </.button>
+      <% end %>
     </:actions>
   </.header>
 
@@ -62,16 +64,20 @@
         <.link navigate={~p"/users/#{user}"}>{gettext("Show")}</.link>
       </div>
 
-      <.link navigate={~p"/users/#{user}/edit"}>{gettext("Edit")}</.link>
+      <%= if can?(@current_user, :update, user) do %>
+        <.link navigate={~p"/users/#{user}/edit"}>{gettext("Edit")}</.link>
+      <% end %>
     </:action>
 
     <:action :let={user}>
-      <.link
-        phx-click={JS.push("delete", value: %{id: user.id}) |> hide("#row-#{user.id}")}
-        data-confirm={gettext("Are you sure?")}
-      >
-        {gettext("Delete")}
-      </.link>
+      <%= if can?(@current_user, :destroy, user) do %>
+        <.link
+          phx-click={JS.push("delete", value: %{id: user.id}) |> hide("#row-#{user.id}")}
+          data-confirm={gettext("Are you sure?")}
+        >
+          {gettext("Delete")}
+        </.link>
+      <% end %>
     </:action>
   </.table>
 </Layouts.app>
diff --git a/lib/mv_web/live/user_live/show.ex b/lib/mv_web/live/user_live/show.ex
index e961d84..fa4f186 100644
--- a/lib/mv_web/live/user_live/show.ex
+++ b/lib/mv_web/live/user_live/show.ex
@@ -41,9 +41,11 @@ defmodule MvWeb.UserLive.Show do
             <.icon name="hero-arrow-left" />
             <span class="sr-only">{gettext("Back to users list")}</span>
           </.button>
-          <.button variant="primary" navigate={~p"/users/#{@user}/edit?return_to=show"}>
-            <.icon name="hero-pencil-square" /> {gettext("Edit User")}
-          </.button>
+          <%= if can?(@current_user, :update, @user) do %>
+            <.button variant="primary" navigate={~p"/users/#{@user}/edit?return_to=show"}>
+              <.icon name="hero-pencil-square" /> {gettext("Edit User")}
+            </.button>
+          <% end %>
         </:actions>
       </.header>