Apply UI authorization to User LiveViews (Index and Show)

Gate New User button, Edit and Delete links with can?/3. Edit button on User Show visible only when user can update the user.
2026-02-03 16:35:32 +01:00 · 2026-02-03 16:35:32 +01:00 · f85d61d20c
commit f85d61d20c
parent d41252ce56
2 changed files with 21 additions and 13 deletions
--- a/lib/mv_web/live/user_live/index.html.heex
+++ b/lib/mv_web/live/user_live/index.html.heex
@ -2,9 +2,11 @@
  <.header>
    {gettext("Listing Users")}
    <:actions>
+      <%= if can?(@current_user, :create, Mv.Accounts.User) do %>
        <.button variant="primary" navigate={~p"/users/new"}>
          <.icon name="hero-plus" /> {gettext("New User")}
        </.button>
+      <% end %>
    </:actions>
  </.header>

@ -62,16 +64,20 @@
        <.link navigate={~p"/users/#{user}"}>{gettext("Show")}</.link>
      </div>

+      <%= if can?(@current_user, :update, user) do %>
        <.link navigate={~p"/users/#{user}/edit"}>{gettext("Edit")}</.link>
+      <% end %>
    </:action>

    <:action :let={user}>
+      <%= if can?(@current_user, :destroy, user) do %>
        <.link
          phx-click={JS.push("delete", value: %{id: user.id}) |> hide("#row-#{user.id}")}
          data-confirm={gettext("Are you sure?")}
        >
          {gettext("Delete")}
        </.link>
+      <% end %>
    </:action>
  </.table>
 </Layouts.app>
--- a/lib/mv_web/live/user_live/show.ex
+++ b/lib/mv_web/live/user_live/show.ex
@ -41,9 +41,11 @@ defmodule MvWeb.UserLive.Show do
            <.icon name="hero-arrow-left" />
            <span class="sr-only">{gettext("Back to users list")}</span>
          </.button>
+          <%= if can?(@current_user, :update, @user) do %>
            <.button variant="primary" navigate={~p"/users/#{@user}/edit?return_to=show"}>
              <.icon name="hero-pencil-square" /> {gettext("Edit User")}
            </.button>
+          <% end %>
        </:actions>
      </.header>