feat: add CheckPagePermission plug for page-level authorization

- Plug checks PermissionSets page list; redirects unauthorized to profile or sign-in. - Router: add plug to :browser pipeline; LiveHelpers: check_page_permission_on_params for client-side navigation (push_patch).
2026-01-29 23:55:58 +01:00 · 2026-01-29 23:55:58 +01:00 · b10b9c893c
commit b10b9c893c
parent d7f6d1c03c
3 changed files with 355 additions and 1 deletions
--- a/lib/mv_web/live_helpers.ex
+++ b/lib/mv_web/live_helpers.ex
@ -5,15 +5,18 @@ defmodule MvWeb.LiveHelpers do
  ## on_mount Hooks
  - `:default` - Sets the user's locale from session (defaults to "de")
  - `:ensure_user_role_loaded` - Ensures current_user has role relationship loaded
  - `:check_page_permission_on_params` - Attaches handle_params hook to enforce page permission on client-side navigation (push_patch)
  ## Usage
  Add to LiveView modules via:
  ```elixir
  on_mount {MvWeb.LiveHelpers, :default}
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  on_mount {MvWeb.LiveHelpers, :check_page_permission_on_params}
  ```
  """
  import Phoenix.Component
  alias MvWeb.Plugs.CheckPagePermission
  def on_mount(:default, _params, session, socket) do
    locale = session["locale"] || "de"
@ -26,6 +29,40 @@ defmodule MvWeb.LiveHelpers do
    {:cont, socket}
  end
  def on_mount(:check_page_permission_on_params, _params, _session, socket) do
    {:cont,
     Phoenix.LiveView.attach_hook(
       socket,
       :check_page_permission,
       :handle_params,
       &check_page_permission_handle_params/3
     )}
  end
  defp check_page_permission_handle_params(_params, uri, socket) do
    path = uri |> URI.parse() |> Map.get(:path, "/") || "/"
    if CheckPagePermission.public_path?(path) do
      {:cont, socket}
    else
      user = socket.assigns[:current_user]
      host = uri |> URI.parse() |> Map.get(:host) || "localhost"
      if CheckPagePermission.user_can_access_page?(user, path, router: MvWeb.Router, host: host) do
        {:cont, socket}
      else
        redirect_to = CheckPagePermission.redirect_target_for_user(user)
        socket =
          socket
          |> Phoenix.LiveView.put_flash(:error, "You don't have permission to access this page.")
          |> Phoenix.LiveView.push_navigate(to: redirect_to)
        {:halt, socket}
      end
    end
  end
  defp ensure_user_role_loaded(socket) do
    user = socket.assigns[:current_user]
--- a/lib/mv_web/plugs/check_page_permission.ex
+++ b/lib/mv_web/plugs/check_page_permission.ex
@ -0,0 +1,315 @@
 defmodule MvWeb.Plugs.CheckPagePermission do
  @moduledoc """
  Plug that checks if the current user has permission to access the requested page.
  Runs in the router pipeline before LiveView mounts. Uses PermissionSets page list
  and matches the current route template (or request path) against allowed patterns.
  ## How It Works
  1. Public paths (e.g. /auth, /register) are exempt and pass through.
  2. Extracts page path from conn via `Phoenix.Router.route_info/4` (route template
     like "/members/:id") or falls back to `conn.request_path`.
  3. Gets current user from `conn.assigns[:current_user]`.
  4. Gets user's permission_set_name from role and calls `PermissionSets.get_permissions/1`.
  5. Matches requested path against allowed patterns (exact, dynamic `:param`, wildcard "*").
  6. If unauthorized: redirects to "/sign-in" (no user) or "/users/:id" (user profile) with flash error and halts.
  ## Pattern Matching
  - Exact: "/members" == "/members"
  - Dynamic: "/members/:id" matches "/members/123"
  - Wildcard: "*" matches everything (admin)
  - Reserved: the segment "new" is never matched by `:id` or `:slug` (e.g. `/members/new` and `/groups/new` require an explicit page permission).
  """
  import Plug.Conn
  import Phoenix.Controller
  alias Mv.Authorization.PermissionSets
  require Logger
  def init(opts), do: opts
  def call(conn, _opts) do
    if public_path?(conn.request_path) do
      conn
    else
      # Ensure role is loaded (load_from_session does not load it; required for permission check)
      user =
        conn.assigns[:current_user]
        |> Mv.Authorization.Actor.ensure_loaded()
      conn = Plug.Conn.assign(conn, :current_user, user)
      page_path = get_page_path(conn)
      request_path = conn.request_path
      if has_page_permission?(user, page_path, request_path) do
        conn
      else
        log_page_access_denied(user, page_path)
        redirect_to = redirect_target(user)
        conn
        |> fetch_session()
        |> fetch_flash()
        |> put_flash(:error, "You don't have permission to access this page.")
        |> redirect(to: redirect_to)
        |> halt()
      end
    end
  end
  @doc """
  Returns the redirect URL for an unauthorized user (for LiveView push_redirect).
  """
  def redirect_target_for_user(nil), do: "/sign-in"
  def redirect_target_for_user(user) when is_map(user) or is_struct(user) do
    id = Map.get(user, :id) || Map.get(user, "id")
    if id, do: "/users/#{to_string(id)}", else: "/sign-in"
  end
  def redirect_target_for_user(_), do: "/sign-in"
  defp redirect_target(user), do: redirect_target_for_user(user)
  @doc """
  Returns true if the path is public (no auth/permission check).
  Used by LiveView hook to skip redirect on sign-in etc.
  """
  def public_path?(path) when is_binary(path) do
    path in ["/register", "/reset", "/set_locale", "/sign-in", "/sign-out"] or
      String.starts_with?(path, "/auth") or
      String.starts_with?(path, "/confirm") or
      String.starts_with?(path, "/password-reset")
  end
  defp get_page_path(conn) do
    router = conn.private[:phoenix_router]
    get_page_path_from_router(router, conn.method, conn.request_path, conn.host)
  end
  @doc """
  Returns whether the user is allowed to access the given request path.
  Used by the plug and by LiveView on_mount/handle_params for client-side navigation.
  Options: `:router` (default MvWeb.Router), `:host` (default "localhost").
  """
  def user_can_access_page?(user, request_path, opts \\ []) do
    router = Keyword.get(opts, :router, MvWeb.Router)
    host = Keyword.get(opts, :host, "localhost")
    page_path = get_page_path_from_router(router, "GET", request_path, host)
    has_page_permission?(user, page_path, request_path)
  end
  defp get_page_path_from_router(router, method, request_path, host) do
    case Phoenix.Router.route_info(router, method, request_path, host) do
      %{route: route} -> route
      _ -> request_path
    end
  end
  defp has_page_permission?(nil, _page_path, _request_path), do: false
  defp has_page_permission?(user, page_path, request_path) do
    with ps_name when is_binary(ps_name) <- permission_set_name_from_user(user),
         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
         permissions <- PermissionSets.get_permissions(ps_atom) do
      page_matches?(permissions.pages, page_path, request_path, user)
    else
      _ -> false
    end
  end
  defp permission_set_name_from_user(user) when is_map(user) or is_struct(user) do
    get_in(user, [Access.key(:role), Access.key(:permission_set_name)]) ||
      get_in(user, [Access.key("role"), Access.key("permission_set_name")])
  end
  defp permission_set_name_from_user(_), do: nil
  defp user_id_from_user(user) when is_map(user) or is_struct(user) do
    id = Map.get(user, :id) || Map.get(user, "id")
    if id, do: to_string(id), else: nil
  end
  defp user_id_from_user(_), do: nil
  # Reserved path segments that must not match a single :id param (e.g. /members/new, /users/new).
  @reserved_id_segments ["new"]
  # For "/users/:id" with own_data we only allow when the id in the path equals the current user's id.
  # For "/members/:id" we reject when the segment is reserved (e.g. "new") so /members/new is not allowed.
  defp page_matches?(allowed_pages, requested_path, request_path, user) do
    Enum.any?(allowed_pages, fn pattern ->
      pattern_match?(pattern, requested_path, request_path, user)
    end)
  end
  defp pattern_match?("*", _requested_path, _request_path, _user), do: true
  defp pattern_match?(pattern, _requested_path, request_path, user)
       when pattern == "/users/:id" do
    match_dynamic_route?(pattern, request_path) and
      path_param_equals(pattern, request_path, "id", user_id_from_user(user))
  end
  defp pattern_match?(pattern, _requested_path, request_path, user)
       when pattern in ["/users/:id/edit", "/users/:id/show/edit"] do
    match_dynamic_route?(pattern, request_path) and
      path_param_equals(pattern, request_path, "id", user_id_from_user(user))
  end
  defp pattern_match?(pattern, _requested_path, request_path, user)
       when pattern == "/members/:id" do
    match_dynamic_route?(pattern, request_path) and
      path_param_not_reserved(pattern, request_path, "id", @reserved_id_segments) and
      members_show_allowed?(pattern, request_path, user)
  end
  defp pattern_match?(pattern, _requested_path, request_path, user)
       when pattern in ["/members/:id/edit", "/members/:id/show/edit"] do
    match_dynamic_route?(pattern, request_path) and
      members_edit_allowed?(pattern, request_path, user)
  end
  defp pattern_match?(pattern, _requested_path, request_path, _user)
       when pattern == "/groups/:slug" do
    match_dynamic_route?(pattern, request_path) and
      path_param_not_reserved(pattern, request_path, "slug", @reserved_id_segments)
  end
  defp pattern_match?(pattern, requested_path, _request_path, _user)
       when pattern == requested_path do
    true
  end
  defp pattern_match?(pattern, _requested_path, request_path, _user) do
    if String.contains?(pattern, ":") do
      match_dynamic_route?(pattern, request_path)
    else
      false
    end
  end
  defp path_param_not_reserved(pattern, request_path, param_name, reserved)
       when is_list(reserved) do
    segments = String.split(request_path, "/", trim: true)
    idx = param_index(pattern, param_name)
    if idx < 0 do
      false
    else
      value = Enum.at(segments, idx)
      value not in reserved
    end
  end
  defp path_param_equals(pattern, request_path, param_name, expected_value)
       when is_binary(expected_value) do
    segments = String.split(request_path, "/", trim: true)
    idx = param_index(pattern, param_name)
    if idx < 0 do
      false
    else
      value = Enum.at(segments, idx)
      value == expected_value
    end
  end
  defp path_param_equals(_, _, _, _), do: false
  # For own_data: only allow show/edit when :id is the user's linked member. For other permission sets: allow when not reserved.
  defp members_show_allowed?(pattern, request_path, user) do
    if permission_set_name_from_user(user) == "own_data" do
      path_param_equals(pattern, request_path, "id", user_member_id(user))
    else
      true
    end
  end
  defp members_edit_allowed?(pattern, request_path, user) do
    if permission_set_name_from_user(user) == "own_data" do
      path_param_equals(pattern, request_path, "id", user_member_id(user))
    else
      path_param_not_reserved(pattern, request_path, "id", @reserved_id_segments)
    end
  end
  defp user_member_id(user) when is_map(user) or is_struct(user) do
    member_id = Map.get(user, :member_id) || Map.get(user, "member_id")
    if is_nil(member_id) do
      load_member_id_for_user(user)
    else
      to_string(member_id)
    end
  end
  defp user_member_id(_), do: nil
  defp load_member_id_for_user(user) do
    id = user_id_from_user(user)
    if id do
      case Ash.get(Mv.Accounts.User, id, load: [:member], domain: Mv.Accounts, authorize?: false) do
        {:ok, loaded} when not is_nil(loaded.member_id) -> to_string(loaded.member_id)
        _ -> nil
      end
    else
      nil
    end
  end
  defp param_index(pattern, param_name) do
    pattern
    |> String.split("/", trim: true)
    |> Enum.find_index(fn seg ->
      String.starts_with?(seg, ":") and String.trim_leading(seg, ":") == param_name
    end)
    |> case do
      nil -> -1
      i -> i
    end
  end
  defp match_dynamic_route?(pattern, path) do
    pattern_segments = String.split(pattern, "/", trim: true)
    path_segments = String.split(path, "/", trim: true)
    if length(pattern_segments) == length(path_segments) do
      Enum.zip(pattern_segments, path_segments)
      |> Enum.all?(fn {pattern_seg, path_seg} ->
        String.starts_with?(pattern_seg, ":") or pattern_seg == path_seg
      end)
    else
      false
    end
  end
  defp log_page_access_denied(user, page_path) do
    user_id =
      if user do
        Map.get(user, :id) || Map.get(user, "id") || "nil"
      else
        "nil"
      end
    role_name =
      if user do
        get_in(user, [Access.key(:role), Access.key(:name)]) ||
          get_in(user, [Access.key("role"), Access.key("name")]) || "nil"
      else
        "nil"
      end
    Logger.info("""
    Page access denied:
      User: #{user_id}
      Role: #{role_name}
      Page: #{page_path}
    """)
  end
 end
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -14,6 +14,7 @@ defmodule MvWeb.Router do
    plug :put_secure_browser_headers
    plug :load_from_session
    plug :set_locale
    plug MvWeb.Plugs.CheckPagePermission
  end
  pipeline :api do
@ -48,7 +49,8 @@ defmodule MvWeb.Router do
    ash_authentication_live_session :authentication_required,
      on_mount: [
        {MvWeb.LiveUserAuth, :live_user_required},
-        {MvWeb.LiveHelpers, :ensure_user_role_loaded}
+        {MvWeb.LiveHelpers, :ensure_user_role_loaded},
        {MvWeb.LiveHelpers, :check_page_permission_on_params}
      ] do
      live "/", MemberLive.Index, :index