diff --git a/lib/mv_web/live/group_live/show.ex b/lib/mv_web/live/group_live/show.ex
index 6b98da6..8114fa5 100644
--- a/lib/mv_web/live/group_live/show.ex
+++ b/lib/mv_web/live/group_live/show.ex
@@ -172,7 +172,8 @@ defmodule MvWeb.GroupLive.Show do
{ngettext(
"This group has %{count} member. All member-group associations will be permanently deleted.",
"This group has %{count} members. All member-group associations will be permanently deleted.",
- @group.member_count
+ @group.member_count,
+ count: @group.member_count
)}
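Review bot: The `count: @group.member_count` binding added on the new side duplicates what Gettext's `ngettext/4` already does — the integer passed as the count argument is exposed to the message as the `count` binding — so, unless this project's Gettext backend deviates from that, the original three-argument call would interpolate `%{count}` on its own and the new line only repeats the same expression. If the binding is being added for another reason (a custom backend or a non-standard interpolation), a one-line comment above the call saying so would stop the next reader from removing it; otherwise the added `count:` line can be dropped. The enclosing HEEx template starts outside the hunk, so I cannot see the surrounding assigns.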
@@ -186,7 +187,7 @@ defmodule MvWeb.GroupLive.Show do
{@group.name}
-
@@ -243,29 +245,23 @@ defmodule MvWeb.GroupLive.Show do
def handle_event("confirm_delete", %{"slug" => slug}, socket) do
actor = current_actor(socket)
+ group = socket.assigns.group
- # Server-side authorization check to prevent unauthorized delete attempts
- if can?(actor, :destroy, Mv.Membership.Group) do
- case Membership.get_group_by_slug(slug, actor: actor, load: []) do
- {:ok, nil} ->
- {:noreply,
- socket
- |> put_flash(:error, gettext("Group not found."))
- |> redirect(to: ~p"/groups")}
-
- {:ok, group} ->
- handle_delete_confirmation(socket, group, actor)
-
- {:error, _error} ->
- {:noreply,
- socket
- |> put_flash(:error, gettext("Failed to load group."))
- |> redirect(to: ~p"/groups")}
+ # Verify slug matches the group in assigns (prevents tampering)
+ if group.slug == slug do
+ # Server-side authorization check on the specific group record
+ if can?(actor, :destroy, group) do
+ handle_delete_confirmation(socket, group, actor)
+ else
+ {:noreply,
+ socket
+ |> put_flash(:error, gettext("Not authorized."))
+ |> redirect(to: ~p"/groups")}
end
else
{:noreply,
socket
- |> put_flash(:error, gettext("Not authorized."))
+ |> put_flash(:error, gettext("Group not found."))
|> redirect(to: ~p"/groups")}
end
end
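Review bot: `can?(actor, :destroy, group)` in the inner added `if` is evaluated against `socket.assigns.group`, the record the view has held since it was loaded, whereas the removed code re-read the group at event time with `Membership.get_group_by_slug(slug, actor: actor, load: [])`; if any field the destroy policy depends on can change while the page is open, this pre-check can pass or fail on stale data. That is fine only if the destroy performed inside `handle_delete_confirmation/3` (outside the hunk) is itself run with `actor` and re-authorized there — worth confirming, and worth stating above the check: `# Pre-check on the cached record; the destroy action must re-authorize with the actor`. The slug comparison is a reasonable guard that the event payload names the group this view is showing, but the `{:error, _}` branch of the old lookup has no counterpart now, so any load failure moves to wherever the destroy happens. As a matter of style, the nested `if` with two near-identical flash-and-redirect pipelines reads more clearly as a `cond` with a small private helper for the rejection path, as below.
```elixir
def handle_event("confirm_delete", %{"slug" => slug}, socket) do
  actor = current_actor(socket)
  group = socket.assigns.group

  cond do
    # The slug in the event payload must name the group this view is showing
    group.slug != slug ->
      reject_delete(socket, gettext("Group not found."))

    # Pre-check on the cached record; the destroy action must re-authorize with the actor
    not can?(actor, :destroy, group) ->
      reject_delete(socket, gettext("Not authorized."))

    true ->
      handle_delete_confirmation(socket, group, actor)
  end
end

# Flash an error and send the user back to the group index.
defp reject_delete(socket, message) do
  {:noreply,
   socket
   |> put_flash(:error, message)
   |> redirect(to: ~p"/groups")}
end
```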