We now have all we need for authorization of the admin role as well as authorization of modifying and deleting only your own books. This is a pretty simple step at this point since we have our helper files.
We can now go back through our system and add authorization checks across all our pages. For working with books, we should make sure that the user is an owner of the book or is an administrator, since we want to allow administrators to edit any book. All of our checks will go directly after the inclusion of the bootstrap file.

I want to add a few more features to this authorization. First, let's use one of our guards to require admin on the pages we just created. On the admin.php page, instead of just requireAuth, we want to requireAdmin. We also want to add this to the adjust role page.

I also want to set it up so you cannot adjust your own role. We can do this by wrapping the button logic in a new if statement. We want to confirm that the current user is not the owner of the record. We can do this by using the isOwner function: if not isOwner(userId), then we want to show the buttons.

Let's view our admin page in the browser once more. Let's register a second user. Oops. Let's check our requireAdmin function. If we want to use the session variable, we need to specify that we pull it from the global scope. Now, let's go back to the browser. Now, when we try to visit the Admin page, we get the not authorized error.

We can now go back through our system and add authorization checks across all our pages. Let's update the navigation to only show the Admin link to administrators: if isAdmin, then we can show the admin link.

Let's also add authorization when editing a book. When an attempt is made to edit a book, we should make sure that the user is the owner of the book or is an administrator, since we want to allow administrators to edit any book. Let's open it up, php. The requireAuth should already be in this file.

Next, after getting the book and making sure that it exists, we should make our check for admin and owner: if (!isAdmin() && !isOwner($book['owner_id'])), then we're going to send a message and redirect to the book's page. Now, let's go back to the browser. The Admin link is no longer available. If I go to the Book List and try to edit a book, I see the Not Authorized message. Let's log out and log back in as our administrator account. And now when I try to update a book, it works since I'm an administrator.

Now, it's your turn. Take a little bit of time and add your own guards to the system and protect pages or links from being viewed by unauthenticated and unauthorized people.
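As an added example that is not the course's own code, here is one way the guards and the edit-page owner-or-admin check described above could be written in PHP. The helper names, the $currentUser global set by bootstrap.php, the $book array shape and the redirect targets are all assumptions.

```php
<?php
// Added example, not the course's code. Assumed: bootstrap.php stores the
// logged-in user in the plain global $currentUser; helper names follow the
// transcript; redirect targets are placeholders.
session_start();
$currentUser = $_SESSION['user'] ?? null;   // e.g. ['id' => 7, 'role' => 'admin']

function isLoggedIn(): bool {
    global $currentUser;   // without this line the function sees null
    return $currentUser !== null;
}

function isAdmin(): bool {
    global $currentUser;
    return isLoggedIn() && ($currentUser['role'] ?? '') === 'admin';
}

// Compare as ints so a string id from the database matches the session id.
function isOwner($ownerId): bool {
    global $currentUser;
    return isLoggedIn() && (int)$currentUser['id'] === (int)$ownerId;
}

function requireAuth(): void {
    if (!isLoggedIn()) {
        $_SESSION['message'] = 'You must log in.';
        header('Location: login.php');
        exit;   // header() alone does not stop the script
    }
}

function requireAdmin(): void {
    requireAuth();
    if (!isAdmin()) {
        $_SESSION['message'] = 'Not Authorized';
        header('Location: index.php');
        exit;
    }
}

// Edit-book page: runs after the book is loaded and known to exist.
function requireOwnerOrAdmin(array $book): void {
    if (!isAdmin() && !isOwner($book['owner_id'])) {
        $_SESSION['message'] = 'Not Authorized';
        header('Location: book.php?id=' . (int)$book['id']);
        exit;
    }
}
// Admin page, own row: if (!isOwner($user['id'])) { /* render role buttons */ }
```

Placing the server-side check on every protected page, not only hiding the link in the navigation, is what actually stops a user who types the URL directly.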