We now have all we need for authorization of the admin role as well as authorization of modifying and deleting only your own books. This is a pretty simple step at this point since we have our helper files.
We can now go back through our system and add authorization checks across all our pages. For working with books, we should make sure that the user is an owner of the book or is an administrator, since we want to allow administrators to edit any book. All of our checks will go directly after the inclusion of the bootstrap file. I want to add a few more features to this authorization.
0:22
First, let's use one of our guards to require admin on the pages we just created. On the admin.php page, instead of just requireAuth, we want requireAdmin. We also want to add this to the adjust role page.

I also want to set it up so you cannot adjust your own role. We can do this by wrapping the button logic in a new if statement. We want to confirm that the current user is not the owner of the record. We can do this by using the isOwner function: if not isOwner(user ID), then we want to show the buttons.
1:20
Let's view our admin page in the browser once more. Let's register a second user. Oops. Let's check our requireAdmin function. If we want to use the session variable, we need to specify that we pull it from the global scope. Now, let's go back to the browser. Now, when we try to visit the Admin page, we get the not authorized error.
2:10
We can now go back through our system and add authorization checks across all our pages. Let's update the navigation to only show the Admin link to administrators: if isAdmin, then we can show the admin link. Let's also add authorization when editing a book.
2:49
When an attempt is made to edit a book, we should make sure that the user is the owner of the book or is an administrator, since we want to allow administrators to edit any book. Let's open up the PHP file. The requireAuth should already be in this file. Next, after getting the book and making sure that it exists, we should make our check for admin and owner: if (!isAdmin() && !isOwner($book['owner_id'])). Then we're going to send a message and redirect to the book's page.
3:59
Now, let's go back to the browser. The Admin link is no longer available. If I go to the Book List and try to edit a book, I see the Not Authorized message. Let's log out and log back in as our administrator account. And now when I try to update a book, it works, since I'm an administrator.

Now, it's your turn. Take a little bit of time and add your own guards to the system, and protect pages or links from being viewed by unauthenticated and unauthorized people.
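Added example (editor's code, not the course's helper files): the guards the video refers to, isAdmin and isOwner, written out as runnable PHP together with the three checks the video adds (admin-only pages, no adjusting your own role, owner-or-admin before editing a book) and the admin-only navigation link. The names currentUser, authorizeAdminPage, authorizeBookEdit, showRoleButtons and navLinks, the $_SESSION['user'] layout with 'id' and 'role' keys, the 'owner_id' column and the redirect targets are all assumptions. One caveat on the "global scope" fix in the video: $_SESSION itself is a superglobal and is readable inside any function without a global statement; only an ordinary variable assigned in bootstrap.php needs one. The guards return a decision array instead of calling header() and exit, so the script runs from the command line and prints the outcome for each kind of visitor.

```php
<?php
declare(strict_types=1);

// Added example, not the course's own code. Assumes bootstrap.php has called
// session_start() and stored the signed-in user as
// $_SESSION['user'] = ['id' => int, 'role' => 'admin'|'user'], and that a
// book row carries an 'owner_id' column. All of these names are assumptions.

function currentUser(): ?array
{
    // $_SESSION is a superglobal, so no "global" statement is needed here;
    // a plain $user variable set in bootstrap.php would need one.
    return $_SESSION['user'] ?? null;
}

function isAuthenticated(): bool
{
    return currentUser() !== null;
}

function isAdmin(): bool
{
    $user = currentUser();
    return $user !== null && ($user['role'] ?? null) === 'admin';
}

function isOwner(int $ownerId): bool
{
    $user = currentUser();
    return $user !== null && (int) $user['id'] === $ownerId;
}

// Guards return a decision rather than redirecting, so they can be exercised
// from the CLI. A real page would do:
//   $d = authorizeBookEdit($book);
//   if (!$d['allow']) { $_SESSION['message'] = $d['message'];
//       header('Location: ' . $d['redirect']); exit; }
function deny(string $message, string $redirect): array
{
    return ['allow' => false, 'message' => $message, 'redirect' => $redirect];
}

// admin.php and the adjust-role page: requireAdmin, not just requireAuth.
function authorizeAdminPage(): array
{
    if (!isAuthenticated()) {
        return deny('Please sign in.', '/login.php');
    }
    if (!isAdmin()) {
        return deny('Not authorized.', '/index.php');
    }
    return ['allow' => true];
}

// Edit page: after the book has been loaded and found, the owner or an
// administrator may continue; anyone else is sent back to the book list.
function authorizeBookEdit(array $book): array
{
    if (!isAuthenticated()) {
        return deny('Please sign in.', '/login.php');
    }
    if (!isAdmin() && !isOwner((int) $book['owner_id'])) {
        return deny('Not authorized.', '/books.php');
    }
    return ['allow' => true];
}

// Adjust-role buttons: admins only, and never on the admin's own row.
function showRoleButtons(int $rowUserId): bool
{
    return isAdmin() && !isOwner($rowUserId);
}

// Navigation: the Admin link is rendered for administrators only. Hiding the
// link is cosmetic; authorizeAdminPage() is what actually protects the page.
function navLinks(): array
{
    $links = ['Books' => '/books.php'];
    if (isAdmin()) {
        $links['Admin'] = '/admin.php';
    }
    return $links;
}

// Constructed scenarios: one book owned by user 2, four kinds of visitor.
$book = ['id' => 7, 'title' => 'Constructed sample', 'owner_id' => 2];
$visitors = [
    'anonymous' => null,
    'owner'     => ['id' => 2, 'role' => 'user'],
    'stranger'  => ['id' => 3, 'role' => 'user'],
    'admin'     => ['id' => 1, 'role' => 'admin'],
];

foreach ($visitors as $label => $user) {
    $_SESSION = ($user === null) ? [] : ['user' => $user]; // stands in for session_start()
    $edit    = authorizeBookEdit($book)['allow'] ? 'allowed' : 'denied';
    $admin   = authorizeAdminPage()['allow'] ? 'allowed' : 'denied';
    $ownRow  = ($user !== null && showRoleButtons((int) $user['id'])) ? 'shown' : 'hidden';
    $userRow = showRoleButtons(2) ? 'shown' : 'hidden';
    echo str_pad($label, 10) . " edit book: $edit, admin page: $admin, "
       . "role buttons (own row/user 2's row): $ownRow/$userRow, "
       . "nav: " . implode(', ', array_keys(navLinks())) . "\n";
}
```

Run it with php on the command line. Only the owner and the administrator get past the book-edit check, only the administrator reaches the admin page and sees the Admin link, and even the administrator gets no role buttons on their own row while still getting them on user 2's row.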