Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Adding Authorization Checks

4:52 with Alena Holligan and Brian Retterer

We now have all we need for authorization of the admin role as well as authorization of modifying and deleting only your own books. This is a pretty simple step at this point since we have our helper files.

  • 0:00

    We can now go back through our system, and

  • 0:02

    add authorization checks across all our pages.

  • 0:06

    For working with books,

  • 0:07

    we should make sure that the user is an owner of the book, or is an administrator.

  • 0:13

    Since we want to allow administrators to edit any book.

  • 0:17

    All of our checks will go directly after the inclusion of the bootstrap file.

  • 0:22

    I want to add a few more features to this authorization.

  • 0:25

    First, let's use one of our guards to require admin of the pages we just created

  • 0:30

    on the admin.php page instead of just require auth, we want to require admin.

  • 0:37

    We also want to add this to the adjust role page.

  • 0:44

    I also want to set it up so you can not adjust your own role.

  • 0:49

    We can do this by wrapping the button logic in a new IF statement.

  • 1:03

    We want to confirm that the current user is not the owner of the record.

  • 1:08

    We can do this by using the is own or function,

  • 1:12

    if not is owner User ID.

  • 1:20

    Then, we want to show the buttons.

  • 1:31

    Let's view our admin page in the browser once more.

  • 1:36

    Let's register a second user.

  • 1:49

    Oops.

  • 1:50

    Let's check our requireAdmin function If we want to use

  • 1:56

    the session variable, we need to specify that we pull it from the global scope.

  • 2:07

    Now, let's go back to the browser.

  • 2:10

    Now, when we try to visit the Admin page, we get the not authorized error.

  • 2:15

    We can now go back through our system and

  • 2:17

    add authorization checks across all our pages.

  • 2:20

    Let's update the navigation to only show

  • 2:26

    the Admin Link to administrators.

  • 2:37

    If is admin Then we can show the admin link.

  • 2:49

    Let's also add authorization when editing a book.

  • 2:53

    When an attempt is made to edit a book we should make sure that the user

  • 2:56

    is the owner of the book or is an administrator,

  • 3:00

    since we want to allow administrators to edit any book, let's open it up php.

  • 3:07

    The require auth should already be in this file.

  • 3:10

    Next, after getting the book and making sure that it exists,

  • 3:14

    we should make our check for admin and owner.

  • 3:19

    If (!isAdmin() &&

  • 3:24

    !isOwner, ($book('owner_id')

  • 3:40

    Then, we're going to send a message.

  • 3:59

    And redirect to the book's page.

  • 4:09

    Now, let's go back to the browser.

  • 4:13

    The Admin link is no longer available.

  • 4:16

    If I go to the Book List and try to edit a book, I see the Not Authorized message.

  • 4:23

    Let's log out and log back in as our administrator account.

  • 4:37

    And now when I try to update a book, it works since I'm an administrator.

  • 4:42

    Now, it's your turn.

  • 4:43

    Take a little bit of time and add your own guards to the system and protect pages or

  • 4:47

    links from being viewed by unauthenticated and unauthorized people.

You need to sign up for Treehouse in order to download course files.

Sign up