diff --git a/Guide/recipes.markdown b/Guide/recipes.markdown index 21b4e2b92..ce66b54ab 100644 --- a/Guide/recipes.markdown +++ b/Guide/recipes.markdown @@ -66,7 +66,7 @@ You can easily upload a user profile picture using [`uploadImageWithOptions`](ht ```haskell action UpdateUserAction { userId } = do user <- fetch userId - accessDeniedUnless (userId == currentUserId) + accessDeniedWhen (userId /= currentUserId) let profilePictureOptions = ImageUploadOptions { convertTo = "jpg" @@ -133,11 +133,23 @@ instance View EditView where ## Checking that the current user has permission to access the action -Use [accessDeniedUnless](https://ihp.digitallyinduced.com/api-docs/IHP-LoginSupport-Helper-Controller.html#v:accessDeniedUnless) like this: +Use [accessDeniedWhen](https://ihp.digitallyinduced.com/api-docs/IHP-LoginSupport-Helper-Controller.html#v:accessDeniedWhen) like this: ```haskell action EditPostAction { postId } = do post <- fetch postId + -- Access denied if the current user is not the author of the post. + accessDeniedWhen (post.authorId /= currentUserId) + + renderHtml EditView { .. } +``` + +Or the opposite command [accessDeniedUnless](https://ihp.digitallyinduced.com/api-docs/IHP-LoginSupport-Helper-Controller.html#v:accessDeniedUnless) like this: + +```haskell +action EditPostAction { postId } = do + post <- fetch postId + -- Access denied if the current user is not the author of the post. accessDeniedUnless (post.authorId == currentUserId) renderHtml EditView { .. } diff --git a/IHP/AuthSupport/Authorization.hs b/IHP/AuthSupport/Authorization.hs index 5a56b6051..2baa5fb91 100644 --- a/IHP/AuthSupport/Authorization.hs +++ b/IHP/AuthSupport/Authorization.hs 
@@ -10,9 +10,23 @@ import IHP.Prelude class CanView user model where canView :: (?modelContext :: ModelContext) => model -> user -> IO Bool --- | Stops the action execution with an error message when the access condition is false. +-- | Stops the action execution with an error message when the access condition is True. -- --- __Example:__ Checking a user is author of a blog post. +-- __Example:__ Checking a user is the author of a blog post. +-- +-- > action EditPostAction { postId } = do +-- > post <- fetch postId +-- > accessDeniedWhen (post.authorId /= currentUserId) +-- > +-- > renderHtml EditView { .. } +-- +-- This will throw an error and prevent the view from being rendered when the current user is not the author of the post. +accessDeniedWhen :: Bool -> IO () +accessDeniedWhen condition = when condition (fail "Access denied") + +-- | Stops the action execution with an error message when the access condition is False. +-- +-- __Example:__ Checking a user is the author of a blog post. -- -- > action EditPostAction { postId } = do -- > post <- fetch postId @@ -20,6 +34,7 @@ class CanView user model where -- > -- > renderHtml EditView { .. } -- --- This will throw an error and prevent the view from being rendered when the current user is not author of the post. +-- This will throw an error and prevent the view from being rendered when the current user is not the author of the post. accessDeniedUnless :: Bool -> IO () -accessDeniedUnless condition = if condition then pure () else fail "Access denied" \ No newline at end of file +accessDeniedUnless condition = unless condition (fail "Access denied") +
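Review bot: in the @@ -66 hunk of Guide/recipes.markdown, the new `accessDeniedWhen (userId /= currentUserId)` is equivalent to the removed `accessDeniedUnless (userId == currentUserId)`, so this is a documentation preference rather than a fix; since both helpers remain available after this patch, state in the recipe which form the guide recommends so readers do not take the change as a deprecation of accessDeniedUnless. Offering a positive and a negated form side by side also means a flipped `==`/`/=` silently inverts the check, which is a reason to document one preferred spelling.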
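Review bot: in the @@ -133 hunk, "Or the opposite command accessDeniedUnless" misdescribes the helper: both are functions, and accessDeniedUnless is not the opposite of accessDeniedWhen but the same check with the condition inverted (it denies when its condition is False). Suggest "Or, equivalently, accessDeniedUnless, which denies access when its condition is False:" and, since the two examples differ only in the check line, show just `accessDeniedUnless (post.authorId == currentUserId)` in the second block rather than repeating the whole action. The identical comment `-- Access denied if the current user is not the author of the post.` is correct in both, as the outcome is the same.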
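Review bot: in the @@ -10 hunk of IHP/AuthSupport/Authorization.hs, the haddock "Stops the action execution with an error message when the access condition is True" reads as if access is granted when the condition holds; the argument of accessDeniedWhen is a denial condition, so say "when the given condition is True, i.e. when access should be denied". `when` and `unless` also need to be in scope: the visible context imports only IHP.Prelude, so confirm it re-exports them (Control.Monad) or add the import. Note that `fail "Access denied"` in IO raises a userError IOException rather than a dedicated exception type; the docs' "throw an error" is accurate, but a named exception would let callers and the framework distinguish an authorization failure from any other IO error, which is worth a follow-up.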
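Review bot: the @@ -20,6 +34 hunk ends with a bare `+` line after `accessDeniedUnless condition = unless condition (fail "Access denied")`, which adds an empty trailing line while fixing the missing newline at end of file; end the file with a single newline instead. The rewrite from `if condition then pure () else fail "Access denied"` to `unless condition (fail "Access denied")` is behaviour-preserving, and the corrected wording "is not the author of the post" in the haddock is good.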