Apply UI authorization to Member LiveViews (Index and Show)

Gate New Member button, Edit and Delete links with can?/3. Edit button on Member Show visible only when user can update the member.
2026-02-03 16:35:29 +01:00 · 2026-02-03 16:35:29 +01:00 · 505e31653a
commit 505e31653a
parent d3ad7c5013
2 changed files with 21 additions and 13 deletions
--- a/lib/mv_web/live/member_live/index.html.heex
+++ b/lib/mv_web/live/member_live/index.html.heex
@ -23,9 +23,11 @@
        <.icon name="hero-envelope" />
        {gettext("Open in email program")}
      </.button>
-      <.button variant="primary" navigate={~p"/members/new"}>
-        <.icon name="hero-plus" /> {gettext("New Member")}
-      </.button>
+      <%= if can?(@current_user, :create, Mv.Membership.Member) do %>
+        <.button variant="primary" navigate={~p"/members/new"}>
+          <.icon name="hero-plus" /> {gettext("New Member")}
+        </.button>
+      <% end %>
    </:actions>
  </.header>

@ -297,16 +299,20 @@
        <.link navigate={~p"/members/#{member}"}>{gettext("Show")}</.link>
      </div>

-      <.link navigate={~p"/members/#{member}/edit"}>{gettext("Edit")}</.link>
+      <%= if can?(@current_user, :update, member) do %>
+        <.link navigate={~p"/members/#{member}/edit"}>{gettext("Edit")}</.link>
+      <% end %>
    </:action>

    <:action :let={member}>
-      <.link
-        phx-click={JS.push("delete", value: %{id: member.id}) |> hide("#row-#{member.id}")}
-        data-confirm={gettext("Are you sure?")}
-      >
-        {gettext("Delete")}
-      </.link>
+      <%= if can?(@current_user, :destroy, member) do %>
+        <.link
+          phx-click={JS.push("delete", value: %{id: member.id}) |> hide("#row-#{member.id}")}
+          data-confirm={gettext("Are you sure?")}
+        >
+          {gettext("Delete")}
+        </.link>
+      <% end %>
    </:action>
  </.table>
 </Layouts.app>