The Scope struct

The Scope struct is the foundation for multi-tenancy. It carries information about the current user and, optionally, the current organization. This allows us to pass context through our application without threading individual parameters everywhere.

The struct has two fields: user and organization . The for_user/1 function creates a scope for a given user, and put_organization/2 adds the active organization to an existing scope.

lib/my_app/accounts/scope.ex Reveal

	`-17,8 +17,9 @@ defmodule MyApp.Accounts.Scope do`
	`"""`

	`alias MyApp.Accounts.User`
+	`alias MyApp.Organizations.Organization`

-	`defstruct user: nil`
+	`defstruct user: nil, organization: nil`

	`@doc """`
	`Creates a scope for the given user.`
	`-30,4 +31,13 @@ defmodule MyApp.Accounts.Scope do`
	`end`

	`def for_user(nil), do: nil`
+
+	`@doc """`
+	`Puts the active organization in a scope.`
+	`"""`
+	`def put_organization(scope, %Organization{} = organization) do`
+	`%{scope \| organization: organization}`
+	`end`
+
+	`def put_organization(scope, nil), do: scope`
	`end`

lib/my_app/accounts/user.ex Reveal

	`-10,6 +10,7 @@ defmodule MyApp.Accounts.User do`
	`field :hashed_password, :string, redact: true`
	`field :confirmed_at, :utc_datetime`
	`field :authenticated_at, :utc_datetime, virtual: true`
+	`field :organization_role, :any, virtual: true`

	`timestamps(type: :utc_datetime)`
	`end`

lib/my_app/accounts/user_notifier.ex Reveal

	`-81,4 +81,24 @@ defmodule MyApp.Accounts.UserNotifier do`
	`==============================`
	`""")`
	`end`
+
+	`@doc """`
+	`Deliver a notification informing a user they have been added to an organization.`
+	`"""`
+	`def deliver_joined_organization_notification(user, organization, url) do`
+	`deliver(user.email, "You are now a member of #{organization.name}", """`
+
+	`==============================`
+
+	`Hi #{user.email},`
+
+	`You have been added to #{organization.name}'s organization.`
+
+	`View the organization home page by visiting the URL below:`
+
+	`#{url}`
+
+	`==============================`
+	`""")`
+	`end`
	`end`

Organizations context

The Organizations context module provides the public API for working with organizations. All functions accept a Scope struct as the first argument, which provides the current user context.

Key functions include:

For member management:

The create_organization/2 function uses Ecto.Multi to atomically create both the organization and the initial membership record for the creator as owner.

lib/my_app/organizations.ex Reveal

	`-0,0 +1,177 @@`
+	`defmodule MyApp.Organizations do`
+	`@moduledoc """`
+	`The Organizations context.`
+	`"""`
+
+	`alias MyApp.Repo`
+	`alias MyApp.Accounts.Scope`
+	`alias MyApp.Accounts.User`
+	`alias MyApp.Accounts.UserNotifier`
+	`alias MyApp.Organizations.Organization`
+	`alias MyApp.Organizations.OrganizationUser`
+
+	`## Organizations`
+
+	`@doc """`
+	`Gets an organization by slug within a scope.`
+	`"""`
+	`def get_organization(%Scope{} = scope, id) do`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> Repo.get(id)`
+	`end`
+
+	`@doc """`
+	`Gets an organization by slug within a scope, raises otherwise.`
+	`"""`
+	`def get_organization!(%Scope{} = scope, id) do`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> Repo.get!(id)`
+	`end`
+
+	`@doc """`
+	`Gets an organization by slug within a scope.`
+	`"""`
+	`def get_organization_by_slug(%Scope{} = scope, slug) do`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> Repo.get_by(slug: slug)`
+	`end`
+
+	`@doc """`
+	`Gets an organization by slug within a scope, raises otherwise.`
+	`"""`
+	`def get_organization_by_slug!(%Scope{} = scope, slug) do`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> Repo.get_by!(slug: slug)`
+	`end`
+
+	`@doc """`
+	`Lists organizations for a user scope.`
+	`"""`
+	`def list_organizations(%Scope{} = scope) do`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> Repo.all()`
+	`end`
+
+	`@doc """`
+	`Creates an organization.`
+	`"""`
+	`def create_organization(%Scope{} = scope, attrs) do`
+	`Ecto.Multi.new()`
+	`\|> Organization.create_multi(attrs)`
+	`\|> OrganizationUser.create_multi(scope.user, role: :owner)`
+	`\|> Repo.transaction()`
+	`\|> case do`
+	`{:ok, %{organization: organization}} ->`
+	`{:ok, organization}`
+
+	`{:error, :organization, %Ecto.Changeset{} = changeset, _multi} ->`
+	`{:error, changeset}`
+	`end`
+	`end`
+
+	`@doc """`
+	`Updates an organization.`
+	`"""`
+	`def update_organization(%Scope{} = scope, %Organization{} = organization, attrs) do`
+	`check_permission!(scope, organization, :owner)`
+
+	`organization`
+	`\|> Organization.changeset(attrs)`
+	`\|> Repo.update()`
+	`end`
+
+	`@doc """`
+	`Deletes an organization.`
+	`"""`
+	`def delete_organization(%Scope{} = scope, %Organization{} = organization) do`
+	`check_permission!(scope, organization, :owner)`
+
+	`Repo.delete(organization)`
+	`end`
+
+	`defp check_permission!(scope, organization, roles_opts) do`
+	`has_permission? =`
+	`Organization`
+	`\|> OrganizationUser.organization_with_user_query(scope.user)`
+	`\|> OrganizationUser.role_query(roles_opts)`
+	`\|> Repo.exists?()`
+
+	`if not has_permission? do`
+	`raise "Failed permission check for user #{inspect(scope.user.id)} accessing " <>`
+	`"organization #{inspect(organization.id)} with required roles #{inspect(roles_opts)}"`
+	`end`
+	`end`
+
+	`## Members`
+
+	`def get_organization_user!(%Scope{} = scope, user) do`
+	`OrganizationUser`
+	`\|> OrganizationUser.query(scope.organization, user)`
+	`\|> Repo.one!()`
+	`end`
+
+	`def get_user(%Scope{} = scope, user_id) do`
+	`User`
+	`\|> OrganizationUser.user_with_organization_query(scope.organization)`
+	`\|> Repo.get(user_id)`
+	`end`
+
+	`def get_user!(%Scope{} = scope, user_id) do`
+	`User`
+	`\|> OrganizationUser.user_with_organization_query(scope.organization)`
+	`\|> Repo.get!(user_id)`
+	`end`
+
+	`def list_users(%Scope{} = scope) do`
+	`User`
+	`\|> OrganizationUser.user_with_organization_query(scope.organization)`
+	`\|> Repo.all()`
+	`end`
+
+	`def add_user(%Scope{} = scope, user, attrs, opts \\ []) do`
+	`run_deliver_email = fn _repo, _multi ->`
+	`if url = opts[:organization_url] do`
+	`UserNotifier.deliver_joined_organization_notification(user, scope.organization, url)`
+	`else`
+	`{:ok, nil}`
+	`end`
+	`end`
+
+	`Ecto.Multi.new()`
+	`\|> Ecto.Multi.put(:organization, scope.organization)`
+	`\|> OrganizationUser.create_multi(user, attrs)`
+	`\|> Ecto.Multi.run(:deliver_email, run_deliver_email)`
+	`\|> Repo.transaction()`
+	`end`
+
+	`def update_user_role(%Scope{} = scope, user, attrs) do`
+	`organization_user = get_organization_user!(scope, user)`
+
+	`Ecto.Multi.new()`
+	`\|> Ecto.Multi.put(:organization, scope.organization)`
+	`\|> OrganizationUser.update_multi(organization_user, attrs)`
+	`\|> Repo.transaction()`
+	`\|> case do`
+	`{:ok, %{organization_user: organization_user}} ->`
+	`{:ok, organization_user}`
+
+	`{:error, :organization_user, %Ecto.Changeset{} = changeset, _multi} ->`
+	`{:error, changeset}`
+
+	`{:error, :check_role, reason, _multi} ->`
+	`{:error, reason}`
+	`end`
+	`end`
+
+	`def remove_user(%Scope{} = scope, user) do`
+	`OrganizationUser`
+	`\|> OrganizationUser.query(scope.organization, user)`
+	`\|> OrganizationUser.role_query(not_in: [:owner])`
+	`\|> Repo.delete_all()`
+	`end`
+	`end`

Organization schema

The Organization schema defines the structure for organizations. Each organization has a name and a slug . The slug is used in URLs and must follow a specific format: lowercase letters and numbers separated by dashes (e.g., my-org ).

The schema includes a virtual field user_role which gets populated when querying organizations through the join table. This tells us the current user's role within that organization.

The cast_default_slug/2 function automatically generates a slug from the organization name when creating a new organization, making the UX friendlier.

We also implement Phoenix.Param for the organization, so it can be used directly in URL helpers with its slug.

lib/my_app/organizations/organization.ex Reveal

	`-0,0 +1,57 @@`
+	`defmodule MyApp.Organizations.Organization do`
+	`use Ecto.Schema`
+	`import Ecto.Changeset`
+
+	`# Matches a valid slug, made up of sequences of lowercase letters and`
+	`# numbers separated by dashes.`
+	`@slug_format ~r/^[a-z0-9]+(\-[a-z0-9]+)*$/`
+
+	`@primary_key {:id, :binary_id, autogenerate: true}`
+	`@foreign_key_type :binary_id`
+
+	`schema "organizations" do`
+	`field :name, :string`
+	`field :slug, :string`
+	`field :user_role, :any, virtual: true`
+
+	`timestamps(type: :utc_datetime)`
+	`end`
+
+	`## Changesets`
+
+	`def changeset(organization, attrs, opts \\ []) do`
+	`organization`
+	`\|> cast(attrs, [:name, :slug])`
+	`\|> cast_default_slug(opts)`
+	`\|> validate_required([:name, :slug])`
+	`\|> validate_format(:slug, @slug_format,`
+	`message: ~S(must use lowercase letters and numbers separated by dashes: "my-org")`
+	`)`
+	`\|> unsafe_validate_unique(:slug, MyApp.Repo)`
+	`\|> unique_constraint(:slug)`
+	`end`
+
+	`def cast_default_slug(changeset, opts) do`
+	`case {opts[:cast_default_slug], fetch_field(changeset, :name)} do`
+	`{true, {:changes, name}} -> put_change(changeset, :slug, name_to_slug(name))`
+	`_otherwise -> changeset`
+	`end`
+	`end`
+
+	`def name_to_slug(name) do`
+	`name`
+	`\|> String.downcase()`
+	`\|> String.replace(~r/[^a-z0-9]/, "-")`
+	`\|> String.trim("-")`
+	`end`
+
+	`## Multis`
+
+	`def create_multi(multi, attrs) do`
+	`Ecto.Multi.insert(multi, :organization, changeset(%__MODULE__{}, attrs))`
+	`end`
+
+	`defimpl Phoenix.Param do`
+	`def to_param(organization), do: organization.slug`
+	`end`
+	`end`

OrganizationUser join schema

The OrganizationUser schema represents the many-to-many relationship between users and organizations. It uses a composite primary key consisting of organization_id and user_id , which prevents duplicate memberships.

Each membership has a role field that can be either :owner or :member . Owners have full control over the organization, while members have limited access.

The module provides several query helpers for joining users with organizations. organization_with_user_query/2 retrieves organizations for a user and populates the user_role virtual field. user_with_organization_query/2 does the inverse, retrieving users for an organization and populating organization_role .

The update_multi/3 function includes a safety check to ensure an organization always has at least one owner.

lib/my_app/organizations/organization_user.ex Reveal

	`-0,0 +1,109 @@`
+	`defmodule MyApp.Organizations.OrganizationUser do`
+	`use Ecto.Schema`
+
+	`import Ecto.Changeset`
+	`import Ecto.Query`
+
+	`@role_values [:owner, :member]`
+
+	`@primary_key false`
+	`@foreign_key_type :binary_id`
+
+	`schema "organizations_users" do`
+	`field :role, Ecto.Enum, values: @role_values`
+
+	`belongs_to :organization, MyApp.Organizations.Organization, primary_key: true`
+	`belongs_to :user, MyApp.Accounts.User, primary_key: true`
+
+	`timestamps()`
+	`end`
+
+	`## Changesets`
+
+	`def role_changeset(organization_user, attrs) do`
+	`organization_user`
+	`\|> cast(attrs, [:role])`
+	`\|> validate_required([:role])`
+	`end`
+
+	`## Queries`
+
+	`def query(query, organization, user) do`
+	`from org_user in query,`
+	`as: :organization_user,`
+	`where: [organization_id: ^organization.id, user_id: ^user.id]`
+	`end`
+
+	`def organization_query(query, organization) do`
+	`from org_user in query,`
+	`as: :organization_user,`
+	`where: [organization_id: ^organization.id]`
+	`end`
+
+	`def user_with_organization_query(query, organization) do`
+	`from user in query,`
+	`join: org_user in __MODULE__,`
+	`on: [organization_id: ^organization.id, user_id: user.id],`
+	`as: :organization_user,`
+	`select_merge: %{organization_role: org_user.role}`
+	`end`
+
+	`def organization_with_user_query(query, user) do`
+	`from org in query,`
+	`join: org_user in __MODULE__,`
+	`on: [organization_id: org.id, user_id: ^user.id],`
+	`as: :organization_user,`
+	`select_merge: %{user_role: org_user.role}`
+	`end`
+
+	`def role_query(query, opts) do`
+	`case opts do`
+	`role when is_atom(role) ->`
+	`where(query, [organization_user: org_user], org_user.role == ^role)`
+
+	`[{:in, roles}] ->`
+	`where(query, [organization_user: org_user], org_user.role in ^roles)`
+
+	`[{:not_in, roles}] ->`
+	`where(query, [organization_user: org_user], org_user.role not in ^roles)`
+	`end`
+	`end`
+
+	`## Multis`
+
+	`def create_multi(multi, user, attrs) do`
+	`Ecto.Multi.insert(multi, :organization_user, fn %{organization: organization} ->`
+	`%__MODULE__{}`
+	`\|> Map.merge(%{organization: organization, user: user})`
+	`\|> role_changeset(Map.new(attrs))`
+	`\|> unique_constraint(:user_id, name: :organizations_users_pkey)`
+	`\|> unsafe_validate_unique(:user_id, MyApp.Repo, name: :organizations_users_pkey)`
+	`end)`
+	`end`
+
+	`def update_multi(multi, organization_user, attrs) do`
+	`multi`
+	`\|> Ecto.Multi.update(:organization_user, role_changeset(organization_user, attrs))`
+	`\|> Ecto.Multi.run(:check_role, fn repo, %{organization: organization} ->`
+	`query =`
+	`__MODULE__`
+	`\|> organization_query(organization)`
+	`\|> role_query(:owner)`
+
+	`if repo.exists?(query) do`
+	`{:ok, nil}`
+	`else`
+	`{:error, :organization_must_have_owner}`
+	`end`
+	`end)`
+	`end`
+
+	`## View`
+
+	`def role_name(:owner), do: "Owner"`
+	`def role_name(:member), do: "Member"`
+
+	`def role_options() do`
+	`Enum.map(@role_values, &{role_name(&1), &1})`
+	`end`
+	`end`

lib/my_app_web/components/layouts/root.html.heex Reveal

	`-25,7 +25,7 @@`
	`setTheme(localStorage.getItem("phx:theme") \|\| "system");`
	`}`
	`window.addEventListener("storage", (e) => e.key === "phx:theme" && setTheme(e.newValue \|\| "system"));`
-
+
	`window.addEventListener("phx:set-theme", (e) => setTheme(e.target.dataset.phxTheme));`
	`})();`
	`</script>`
	`-39,6 +39,9 @@`
	`<li>`
	`<.link href={~p"/users/settings"}>Settings</.link>`
	`</li>`
+	`<li>`
+	`<.link href={~p"/organizations"}>Organizations</.link>`
+	`</li>`
	`<li>`
	`<.link href={~p"/users/log-out"} method="delete">Log out</.link>`
	`</li>`

lib/my_app_web/live/member_live/add.ex Reveal

	`-0,0 +1,92 @@`
+	`defmodule MyAppWeb.MemberLive.Add do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Accounts`
+	`alias MyApp.Organizations`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Add member`
+	`</.header>`
+
+	`<.form class="mt-6" for={@form} phx-change="validate" phx-submit="save">`
+	`<.input`
+	`field={@form[:email]}`
+	`type="email"`
+	`label="Email"`
+	`autocomplete="off"`
+	`placeholder="Enter an email..."`
+	`/>`
+	`<.input`
+	`field={@form[:role]}`
+	`type="select"`
+	`label="Role"`
+	`options={Organizations.OrganizationUser.role_options()}`
+	`/>`
+	`<.button type="submit">`
+	`Invite`
+	`</.button>`
+	`</.form>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def mount(_params, _session, socket) do`
+	`changeset = changeset(%{})`
+	`{:ok, assign(socket, :form, to_form(changeset, as: :form))}`
+	`end`
+
+	`def handle_event("validate", %{"form" => params}, socket) do`
+	`changeset = Map.put(changeset(params), :action, :validate)`
+	`{:noreply, assign(socket, :form, to_form(changeset, as: :form))}`
+	`end`
+
+	`def handle_event("save", %{"form" => params}, socket) do`
+	`current_scope = socket.assigns.current_scope`
+
+	`:owner = current_scope.organization.user_role`
+
+	`opts = [organization_url: url(~p"/~/#{current_scope.organization}")]`
+
+	`with {:ok, data} <- Ecto.Changeset.apply_action(changeset(params), :validate),`
+	`%Accounts.User{} = user <- Accounts.get_user_by_email(data.email),`
+	`{:ok, _org_user} <- Organizations.add_user(current_scope, user, params, opts) do`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:info, "User #{user.email} added to organization.")`
+	`\|> push_navigate(to: ~p"/~/#{current_scope.organization}/settings/members")}`
+	`else`
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`{:noreply, assign(socket, :form, to_form(changeset, as: :form))}`
+
+	`nil ->`
+	`changeset = changeset_with_error(params, "no user with this email was found")`
+	`{:noreply, assign(socket, :form, to_form(changeset, as: :form))}`
+
+	`{:error, :organization_user, %Ecto.Changeset{errors: [user_id: _details]}, _multi} ->`
+	`changeset = changeset_with_error(params, "already a member of this organization")`
+	`{:noreply, assign(socket, :form, to_form(changeset, as: :form))}`
+
+	`{:error, _reason} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:error, "Failed to add user to organization.")`
+	`\|> push_patch(to: ~p"/~/#{current_scope.organization}/settings/members")}`
+	`end`
+	`end`
+
+	`def changeset(params) do`
+	`{%{}, %{email: :string}}`
+	`\|> Ecto.Changeset.cast(params, [:email])`
+	`\|> Ecto.Changeset.validate_required([:email])`
+	`end`
+
+	`def changeset_with_error(params, message) do`
+	`params`
+	`\|> changeset()`
+	`\|> Ecto.Changeset.add_error(:email, message)`
+	`\|> Map.put(:action, :validate)`
+	`end`
+	`end`

lib/my_app_web/live/member_live/edit.ex Reveal

	`-0,0 +1,72 @@`
+	`defmodule MyAppWeb.MemberLive.Edit do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Organizations`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Edit member`
+	`</.header>`
+
+	`<.form for={@form} phx-change="validate" phx-submit="save">`
+	`<.input`
+	`field={@form[:role]}`
+	`type="select"`
+	`label="Role"`
+	`options={Organizations.OrganizationUser.role_options()}`
+	`/>`
+	`<.button type="submit">`
+	`Save`
+	`</.button>`
+	`</.form>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def handle_params(%{"id" => user_id}, _uri, socket) do`
+	`user = Organizations.get_user!(socket.assigns.current_scope, user_id)`
+	`organization_user = Organizations.get_organization_user!(socket.assigns.current_scope, user)`
+
+	`changeset = Organizations.OrganizationUser.role_changeset(organization_user, %{})`
+
+	`{:noreply,`
+	`socket`
+	`\|> assign(:user, user)`
+	`\|> assign(:organization_user, organization_user)`
+	`\|> assign(:form, to_form(changeset))}`
+	`end`
+
+	`def handle_event("validate", %{"organization_user" => params}, socket) do`
+	`changeset =`
+	`socket.assigns.organization_user`
+	`\|> Organizations.OrganizationUser.role_changeset(params)`
+	`\|> Map.put(:action, :validate)`
+
+	`{:noreply, assign(socket, :form, to_form(changeset))}`
+	`end`
+
+	`def handle_event("save", %{"organization_user" => params}, socket) do`
+	`case Organizations.update_user_role(socket.assigns.current_scope, socket.assigns.user, params) do`
+	`{:ok, _organization_user} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:info, "Updated member role.")`
+	`\|> push_navigate(`
+	`to: ~p"/~/#{socket.assigns.current_scope.organization}/settings/members"`
+	`)}`
+
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`{:noreply, assign(socket, :form, to_form(changeset))}`
+
+	`{:error, :organization_must_have_owner} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:error, "Organization must have an owner at all times.")`
+	`\|> push_navigate(`
+	`to: ~p"/~/#{socket.assigns.current_scope.organization}/settings/members"`
+	`)}`
+	`end`
+	`end`
+	`end`

lib/my_app_web/live/member_live/index.ex Reveal

	`-0,0 +1,109 @@`
+	`defmodule MyAppWeb.MemberLive.Index do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Repo`
+	`alias MyApp.Organizations`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Organization Members`
+	`<:actions>`
+	`<.button`
+	`:if={@current_scope.organization.user_role == :owner}`
+	`phx-click={JS.patch(~p"/~/#{@current_scope.organization}/settings/members/add")}`
+	`>`
+	`Add Member`
+	`</.button>`
+	`</:actions>`
+	`</.header>`
+
+	`<.table`
+	`id="organization_users_table"`
+	`rows={@streams.users}`
+	`row_click={`
+	`if @current_scope.organization.user_role == :owner do`
+	`fn {_id, user} ->`
+	`JS.patch(~p"/~/#{@current_scope.organization}/settings/members/#{user}/edit")`
+	`end`
+	`end`
+	`}`
+	`>`
+	`<:col :let={{_id, user}} label="Email">{user.email}</:col>`
+	`<:col :let={{_id, user}} label="Role">`
+	`{Organizations.OrganizationUser.role_name(user.organization_role)}`
+	`</:col>`
+	`<:action :let={{_id, user}} :if={@current_scope.organization.user_role == :owner}>`
+	`<.link patch={~p"/~/#{@current_scope.organization}/settings/members/#{user}/edit"}>`
+	`Edit`
+	`</.link>`
+	`</:action>`
+	`<:action :let={{id, user}} :if={@current_scope.organization.user_role == :owner}>`
+	`<.link`
+	`phx-click={JS.push("remove", value: %{id: user.id}) \|> hide("##{id}")}`
+	`data-confirm={"Are you sure you want to remove #{user.email} from your organization?"}`
+	`>`
+	`Remove`
+	`</.link>`
+	`</:action>`
+	`</.table>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def mount(_params, _session, socket) do`
+	`{:ok, stream_configure(socket, :users, [])}`
+	`end`
+
+	`def handle_params(params, _uri, socket) do`
+	`users = Organizations.list_users(socket.assigns.current_scope)`
+
+	`{:noreply,`
+	`socket`
+	`\|> stream(:users, users, reset: true)`
+	`\|> apply_action(params, socket.assigns.live_action)}`
+	`end`
+
+	`def apply_action(socket, _params, :index) do`
+	`assign(socket, :page_title, "Members")`
+	`end`
+
+	`def apply_action(socket, _params, :add) do`
+	`assign(socket, :page_title, "Add member")`
+	`end`
+
+	`def apply_action(socket, %{"id" => user_id}, :edit) do`
+	`organization = socket.assigns.organization`
+
+	`if organization.user_role == :owner do`
+	`organization_user =`
+	`Repo.get_by!(Organizations.OrganizationUser,`
+	`organization_id: organization.id,`
+	`user_id: user_id`
+	`)`
+
+	`socket`
+	`\|> assign(:page_title, "Edit member")`
+	`\|> assign(:organization_user, organization_user)`
+	`else`
+	`socket`
+	`\|> put_flash(:error, "You must be an organization owner to edit this member.")`
+	`\|> push_patch(to: ~p"/~/#{organization}/settings/members")`
+	`end`
+	`end`
+
+	`def handle_event("remove", %{"id" => user_id}, socket) do`
+	`:owner = socket.assigns.current_scope.organization.user_role`
+
+	`user = Organizations.get_user!(socket.assigns.current_scope, user_id)`
+
+	`case Organizations.remove_user(socket.assigns.current_scope, user) do`
+	`{0, _} ->`
+	`{:noreply, put_flash(socket, :error, "Organization owners may not be removed.")}`
+
+	`{1, _} ->`
+	`{:noreply, stream_delete(socket, :users, user)}`
+	`end`
+	`end`
+	`end`

Creating and editing organizations

The organization form LiveView handles both creating new organizations and editing existing ones. It uses the live_action assign to differentiate between :new and :edit modes.

When creating a new organization, the slug is automatically generated from the name as the user types, thanks to the cast_default_slug: true option passed to the changeset.

lib/my_app_web/live/organization_live/form.ex Reveal

	`-0,0 +1,109 @@`
+	`defmodule MyAppWeb.OrganizationLive.Form do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Organizations`
+	`alias MyApp.Organizations.Organization`
+
+	`@impl true`
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`{@page_title}`
+	`<:subtitle>Use this form to manage organization records in your database.</:subtitle>`
+	`</.header>`
+
+	`<.form for={@form} id="organization-form" phx-change="validate" phx-submit="save">`
+	`<.input field={@form[:name]} type="text" label="Name" autocomplete="off" />`
+	`<.input field={@form[:slug]} type="text" label="Slug" autocomplete="off" />`
+	`<footer>`
+	`<.button phx-disable-with="Saving..." variant="primary">Save Organization</.button>`
+	`<.button navigate={return_path(@current_scope, @return_to, @organization)}>Cancel</.button>`
+	`</footer>`
+	`</.form>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`@impl true`
+	`def mount(params, _session, socket) do`
+	`{:ok,`
+	`socket`
+	`\|> assign(:return_to, return_to(params["return_to"]))`
+	`\|> apply_action(socket.assigns.live_action, params)}`
+	`end`
+
+	`defp return_to("show"), do: "show"`
+	`defp return_to(_), do: "index"`
+
+	`defp apply_action(socket, :edit, %{"slug" => slug}) do`
+	`organization = Organizations.get_organization_by_slug!(socket.assigns.current_scope, slug)`
+
+	`socket`
+	`\|> assign(:page_title, "Edit Organization")`
+	`\|> assign(:organization, organization)`
+	`\|> assign(:form, to_form(Organization.changeset(organization, %{})))`
+	`end`
+
+	`defp apply_action(socket, :new, _params) do`
+	`organization = %Organization{}`
+
+	`socket`
+	`\|> assign(:page_title, "New Organization")`
+	`\|> assign(:organization, organization)`
+	`\|> assign(:form, to_form(Organization.changeset(organization, %{})))`
+	`end`
+
+	`@impl true`
+	`def handle_event("validate", %{"organization" => organization_params}, socket) do`
+	`changeset =`
+	`Organization.changeset(`
+	`socket.assigns.organization,`
+	`organization_params,`
+	`cast_default_slug: true`
+	`)`
+
+	`{:noreply, assign(socket, form: to_form(changeset, action: :validate))}`
+	`end`
+
+	`def handle_event("save", %{"organization" => organization_params}, socket) do`
+	`save_organization(socket, socket.assigns.live_action, organization_params)`
+	`end`
+
+	`defp save_organization(socket, :edit, organization_params) do`
+	`case Organizations.update_organization(`
+	`socket.assigns.current_scope,`
+	`socket.assigns.organization,`
+	`organization_params`
+	`) do`
+	`{:ok, organization} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:info, "Organization updated successfully")`
+	`\|> push_navigate(`
+	`to: return_path(socket.assigns.current_scope, socket.assigns.return_to, organization)`
+	`)}`
+
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`{:noreply, assign(socket, form: to_form(changeset))}`
+	`end`
+	`end`
+
+	`defp save_organization(socket, :new, organization_params) do`
+	`case Organizations.create_organization(socket.assigns.current_scope, organization_params) do`
+	`{:ok, organization} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:info, "Organization created successfully")`
+	`\|> push_navigate(`
+	`to: return_path(socket.assigns.current_scope, socket.assigns.return_to, organization)`
+	`)}`
+
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`{:noreply, assign(socket, form: to_form(changeset))}`
+	`end`
+	`end`
+
+	`defp return_path(_scope, "index", _organization), do: ~p"/organizations"`
+	`defp return_path(_scope, "show", organization), do: ~p"/~/#{organization}"`
+	`end`

lib/my_app_web/live/organization_live/home.ex Reveal

	`-0,0 +1,35 @@`
+	`defmodule MyAppWeb.OrganizationLive.Home do`
+	`use MyAppWeb, :live_view`
+
+	`@impl true`
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Welcome!`
+	`<:subtitle>This is the homepage for {@current_scope.organization.name}.</:subtitle>`
+	`<:actions>`
+	`<.button navigate={~p"/organizations"}>`
+	`<.icon name="hero-arrow-left" />`
+	`</.button>`
+	`<.button`
+	`variant="primary"`
+	`navigate={~p"/~/#{@current_scope.organization}/edit?return_to=show"}`
+	`>`
+	`<.icon name="hero-pencil-square" /> Edit organization`
+	`</.button>`
+	`</:actions>`
+	`</.header>`
+
+	`<.button phx-click={JS.navigate(~p"/~/#{@current_scope.organization}/settings/members")}>`
+	`Members`
+	`</.button>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`@impl true`
+	`def mount(_params, _session, socket) do`
+	`{:ok, assign(socket, :page_title, socket.assigns.current_scope.organization.name)}`
+	`end`
+	`end`

Listing organizations

The organizations listing LiveView shows all organizations the current user belongs to. It uses LiveView streams for efficient rendering of the table.

The table displays the organization name and slug, with conditional edit and delete actions that only appear for owners. Clicking a row navigates to that organization's home page.

lib/my_app_web/live/user_live/organizations.ex Reveal

	`-0,0 +1,67 @@`
+	`defmodule MyAppWeb.UserLive.Organizations do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Organizations`
+
+	`@impl true`
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Listing Organizations`
+	`<:actions>`
+	`<.button variant="primary" navigate={~p"/organizations/new"}>`
+	`<.icon name="hero-plus" /> New Organization`
+	`</.button>`
+	`</:actions>`
+	`</.header>`
+
+	`<.table`
+	`id="organizations"`
+	`rows={@streams.organizations}`
+	`row_click={fn {_id, organization} -> JS.navigate(~p"/~/#{organization}") end}`
+	`>`
+	`<:col :let={{_id, organization}} label="Name">{organization.name}</:col>`
+	`<:col :let={{_id, organization}} label="Slug">{organization.slug}</:col>`
+	`<:action :let={{_id, organization}}>`
+	`<div class="sr-only">`
+	`<.link navigate={~p"/~/#{organization}"}>Show</.link>`
+	`</div>`
+	`<.link :if={organization.user_role == :owner} navigate={~p"/~/#{organization}/edit"}>`
+	`Edit`
+	`</.link>`
+	`</:action>`
+	`<:action :let={{id, organization}}>`
+	`<.link`
+	`:if={organization.user_role == :owner}`
+	`phx-click={JS.push("delete", value: %{id: organization.id}) \|> hide("##{id}")}`
+	`data-confirm="Are you sure?"`
+	`>`
+	`Delete`
+	`</.link>`
+	`</:action>`
+	`</.table>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`@impl true`
+	`def mount(_params, _session, socket) do`
+	`{:ok,`
+	`socket`
+	`\|> assign(:page_title, "Listing Organizations")`
+	`\|> stream(:organizations, list_organizations(socket.assigns.current_scope))}`
+	`end`
+
+	`@impl true`
+	`def handle_event("delete", %{"id" => id}, socket) do`
+	`organization = Organizations.get_organization!(socket.assigns.current_scope, id)`
+	`{:ok, _} = Organizations.delete_organization(socket.assigns.current_scope, organization)`
+
+	`{:noreply, stream_delete(socket, :organizations, organization)}`
+	`end`
+
+	`defp list_organizations(current_scope) do`
+	`Organizations.list_organizations(current_scope)`
+	`end`
+	`end`

Router configuration

Organization routes are configured in two scopes. First, the organization listing and creation routes live under the :require_authenticated_user live_session, as they only require a logged-in user.

Organization-specific routes use a URL pattern of /~/slug , where slug is the organization's slug. These routes are placed in separate live_sessions that include the :require_organization_access on_mount hook.

Owner-only routes (like editing the organization or managing members) add the :require_organization_owner on_mount hook for additional authorization.

The pipelines include both plug-based and on_mount-based authorization to ensure consistent protection whether routes are accessed via initial page load or LiveView navigation.

lib/my_app_web/router.ex Reveal

	`-54,6 +54,9 @@ defmodule MyAppWeb.Router do`
	`on_mount: [{MyAppWeb.UserAuth, :require_authenticated}] do`
	`live "/users/settings", UserLive.Settings, :edit`
	`live "/users/settings/confirm-email/:token", UserLive.Settings, :confirm_email`
+
+	`live "/organizations", UserLive.Organizations, :index`
+	`live "/organizations/new", OrganizationLive.Form, :new`
	`end`

	`post "/users/update-password", UserSessionController, :update_password`
	`-72,4 +75,41 @@ defmodule MyAppWeb.Router do`
	`post "/users/log-in", UserSessionController, :create`
	`delete "/users/log-out", UserSessionController, :delete`
	`end`
+
+	`## Within Organization`
+
+	`scope "/~/:slug", MyAppWeb do`
+	`pipe_through [:browser, :require_authenticated_user, :require_organization_access]`
+
+	`live_session :require_authenticated_user_in_org,`
+	`on_mount: [`
+	`{MyAppWeb.UserAuth, :require_authenticated},`
+	`{MyAppWeb.UserAuth, :require_organization_access}`
+	`] do`
+	`live "/", OrganizationLive.Home`
+
+	`live "/settings/members", MemberLive.Index, :index`
+	`end`
+	`end`
+
+	`scope "/~/:slug", MyAppWeb do`
+	`pipe_through [`
+	`:browser,`
+	`:require_authenticated_user,`
+	`:require_organization_access,`
+	`:require_organization_owner`
+	`]`
+
+	`live_session :require_authenticated_owner_user_in_org,`
+	`on_mount: [`
+	`{MyAppWeb.UserAuth, :require_authenticated},`
+	`{MyAppWeb.UserAuth, :require_organization_access},`
+	`{MyAppWeb.UserAuth, :require_organization_owner}`
+	`] do`
+	`live "/edit", OrganizationLive.Form, :edit`
+
+	`live "/settings/members/add", MemberLive.Add, :add`
+	`live "/settings/members/:id/edit", MemberLive.Edit, :edit`
+	`end`
+	`end`
	`end`

Authentication helpers

The UserAuth module is extended with organization-related authentication helpers. These work as both plugs (for controller routes) and on_mount callbacks (for LiveViews).

require_organization_access checks that the current user has access to the organization specified by the :slug parameter in the URL. If access is granted, it updates the scope with the organization. If not, it redirects with an error.

require_organization_owner is an additional check that ensures the user has the :owner role for the current organization. This is used to protect admin-only routes.

Both helpers are available as plug functions and on_mount/4 clauses, allowing consistent authorization across controller and LiveView routes.

lib/my_app_web/user_auth.ex Reveal

	`-4,6 +4,7 @@ defmodule MyAppWeb.UserAuth do`
	`import Plug.Conn`
	`import Phoenix.Controller`

+	`alias MyApp.Organizations`
	`alias MyApp.Accounts`
	`alias MyApp.Accounts.Scope`

	`-193,6 +194,10 @@ defmodule MyAppWeb.UserAuth do`
	`on user_token.`
	`Redirects to login page if there's no logged user.`

+	* `:require_organization_access` - Checks that the user has
+	`access to the organization specified by the :slug parameter.`
+	`Redirects to login page if the check fails.`
+
	`## Examples`

	Use the `on_mount` lifecycle macro in LiveViews to mount or authenticate
	`-245,6 +250,47 @@ defmodule MyAppWeb.UserAuth do`
	`end`
	`end`

+	`def on_mount(:require_organization_access, params, _session, socket) do`
+	`organization =`
+	`Organizations.get_organization_by_slug(`
+	`socket.assigns.current_scope,`
+	`params["slug"]`
+	`)`
+
+	`if organization do`
+	`current_scope = Scope.put_organization(socket.assigns.current_scope, organization)`
+	`{:cont, Phoenix.Component.assign(socket, :current_scope, current_scope)}`
+	`else`
+	`socket =`
+	`socket`
+	`\|> Phoenix.LiveView.put_flash(`
+	`:error,`
+	`"Organization does not exist or you do not have access."`
+	`)`
+	`\|> Phoenix.LiveView.redirect(to: ~p"/organizations")`
+
+	`{:halt, socket}`
+	`end`
+	`end`
+
+	`def on_mount(:require_organization_owner, _params, _session, socket) do`
+	`organization = socket.assigns.current_scope.organization`
+
+	`if organization.user_role == :owner do`
+	`{:cont, socket}`
+	`else`
+	`socket =`
+	`socket`
+	`\|> Phoenix.LiveView.put_flash(`
+	`:error,`
+	`"Must have owner organization role to access this page."`
+	`)`
+	`\|> Phoenix.LiveView.redirect(to: ~p"/~/#{organization}")`
+
+	`{:halt, socket}`
+	`end`
+	`end`
+
	`defp mount_current_scope(socket, session) do`
	`Phoenix.Component.assign_new(socket, :current_scope, fn ->`
	`{user, _} =`
	`-279,6 +325,40 @@ defmodule MyAppWeb.UserAuth do`
	`end`
	`end`

+	`@doc """`
+	`Plug for routes that require the user to have access to an organization.`
+	`"""`
+	`def require_organization_access(conn, _opts) do`
+	`organization =`
+	`Organizations.get_organization_by_slug(`
+	`conn.assigns.current_scope,`
+	`conn.path_params["slug"]`
+	`)`
+
+	`if organization do`
+	`current_scope = Scope.put_organization(conn.assigns.current_scope, organization)`
+	`assign(conn, :current_scope, current_scope)`
+	`else`
+	`conn`
+	`\|> put_flash(:error, "Organization does not exist or you do not have access.")`
+	`\|> redirect(to: ~p"/organizations")`
+	`\|> halt()`
+	`end`
+	`end`
+
+	`def require_organization_owner(conn, _opts) do`
+	`organization = conn.assigns.current_scope.organization`
+
+	`if organization.user_role == :owner do`
+	`conn`
+	`else`
+	`conn`
+	`\|> put_flash(:error, "Must have owner organization role to access this page.")`
+	`\|> redirect(to: ~p"/~/#{organization}")`
+	`\|> halt()`
+	`end`
+	`end`
+
	`defp maybe_store_return_to(%{method: "GET"} = conn) do`
	`put_session(conn, :user_return_to, current_path(conn))`
	`end`

Database migration

The migration creates two tables: organizations and organizations_users .

The organizations table has a UUID primary key, a name, and a case-insensitive slug (using the citext type) with a unique index.

The organizations_users table uses a composite primary key of organization_id and user_id , with a role field. Both foreign keys are set to cascade deletes, so removing a user or organization automatically cleans up the memberships.

priv/repo/migrations/0001_add_organizations_tables.exs Reveal

	`-0,0 +1,30 @@`
+	`defmodule MyApp.Repo.Migrations.AddOrganizationsTables do`
+	`use Ecto.Migration`
+
+	`def change do`
+	`create table(:organizations, primary_key: false) do`
+	`add :id, :binary_id, primary_key: true`
+	`add :name, :string, null: false`
+	`add :slug, :citext, null: false`
+
+	`timestamps()`
+	`end`
+
+	`create unique_index(:organizations, [:slug])`
+
+	`create table(:organizations_users, primary_key: false) do`
+	`add :role, :string, null: false`
+
+	`add :organization_id, references(:organizations, type: :binary_id, on_delete: :delete_all),`
+	`primary_key: true`
+
+	`add :user_id, references(:users, type: :binary_id, on_delete: :delete_all),`
+	`primary_key: true`
+
+	`timestamps()`
+	`end`
+
+	`create index(:organizations_users, [:organization_id])`
+	`create index(:organizations_users, [:user_id])`
+	`end`
+	`end`

Organizations

Related

Jump to file