Building a Blog in Haskell with Yesod–Authorization


Riccardo Odone

Posted on August 5, 2019


You can keep reading here or jump to my blog to get the full experience, including the wonderful pink, blue and white palette.


This is a series about Yesod: a Haskell web framework that follows a similar philosophy to Rails. In fact, it is strongly opinionated and provides a lot of functionality out of the box.

A good read about Yesod is available online for free: Developing web applications with Haskell and Yesod. That's why this series will be a commentary on the commits from a repo we will use to develop a super simple blog.

In other words, this won't be good material to learn how to use Yesod. However, it will hopefully give an overview of how the framework works.

Who's the Author?

Up until now, the logged-in user had no relationship to the posts. Commit b9ed6789ed578e4349f9fc0eee670e2df87434be adds a userId to Post and makes sure it gets filled with the id of the authenticated user.

Authorize Deletions

In a multi-author blog, only the owner should be allowed to delete a post. Commit db722e785cc09ad5642486df17c770e85899648c takes care of that. The important bit is the following:

-- isAuthorized :: Route App -> Bool -> Handler AuthResult
-- Any request to a single post's route (the Bool is the write flag) is
-- allowed only if the authenticated user owns that post.
isAuthorized (PostR postId) _ = isOwner postId
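As an added example (not code from the blog's repo), here is what the surrounding Yesod instance in Foundation.hs could look like with a concrete isOwner. It assumes the scaffold's App, Handler and route constructors HomeR, AuthR, PostsR and PostR, plus the Post entity from the schema shown further down; unlike the one-liner above it also uses the Bool argument to treat reads and writes differently.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not the repo's code. Assumes the Yesod scaffold:
-- App, Handler = HandlerFor App, AuthId App = UserId, and a Model
-- module providing Post, PostId and postUserId.
import Yesod
import Yesod.Auth (maybeAuthId)
import Model

instance Yesod App where
  -- isAuthorized :: Route App -> Bool -> Handler AuthResult
  -- The Bool is True for write requests (POST/PUT/DELETE), False for reads.
  isAuthorized HomeR _ = return Authorized
  isAuthorized (AuthR _) _ = return Authorized
  -- Listing posts is public; creating one requires a login.
  isAuthorized PostsR False = return Authorized
  isAuthorized PostsR True = isLoggedIn
  -- Anyone may read a single post; only its owner may change or delete it.
  isAuthorized (PostR _) False = return Authorized
  isAuthorized (PostR postId) True = isOwner postId
  -- Deny by default so a new route is never accidentally open.
  isAuthorized _ _ = return (Unauthorized "Not allowed")

isLoggedIn :: Handler AuthResult
isLoggedIn = do
  mu <- maybeAuthId
  return $ case mu of
    Nothing -> AuthenticationRequired
    Just _  -> Authorized

-- Server-side ownership check: compares the authenticated user with the
-- post's userId column. Hiding the button in the template is not enough;
-- this is what actually stops a crafted DELETE from another account.
isOwner :: PostId -> Handler AuthResult
isOwner postId = do
  mu <- maybeAuthId
  case mu of
    Nothing -> return AuthenticationRequired
    Just uid -> do
      mpost <- runDB (get postId)
      return $ case mpost of
        -- No such post: nothing to own, so the handler never runs.
        Nothing -> Unauthorized "Not allowed"
        Just post
          | postUserId post == uid -> Authorized
          | otherwise -> Unauthorized "Not allowed"
```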

Delete Button

Since only the owner can delete a post, it makes sense to reflect that in the UI. Commit 2378194354b6e0e92fb1c83ac5feb97aac8d219b does exactly that:

$# Only the owner of the post gets the delete button (authorization is
$# still enforced server-side in isAuthorized).
$if userId == (postUserId $ entityVal post)
  <button>Delete
$else
  <p>

Show me the Author!

The last thing to do is to show the author names alongside their blogposts. Given our database schema (config/models.persistentmodels)

User
    ident Text
    password Text Maybe
Post
    title Text
    text Textarea
    -- foreign key to the User who authored the post
    userId UserId

we need to perform a join between user and post.

Unfortunately, the default database library for Yesod, Persistent, doesn't support joins in a type-safe way. In fact, the only way would be to use rawSql.

Luckily, we can easily add Esqueleto, which builds on top of Persistent and is capable of performing type-safe joins: 78ef59c6e6718dbce83ea2802cb70335bb4cca33

Screenshot or didn't Happen!

Here we can see that the delete button is shown only to the owner of the post and that the author name is displayed together with title and text:
