Adding Authorization Checks (3:17) with Alena Holligan
We now have all we need for authorization of the admin role as well as authorization of modifying and deleting only your own books. This is a pretty simple step at this point since we have our helper files.
0:00 I want to add a few more restrictions to our admin functionality.
0:04 First, let's use one of our guards to requireAdmin in the adjustRole page.
0:12 Then back on the admin page, we're going to change requireAuth to requireAdmin.
0:18 I also want to restrict access so that you cannot adjust your own role.
0:24 We can do this by wrapping the button logic in a new conditional statement.
0:41 We can use the isOwner function to check if the current
0:46 user ID in the loop matches the logged-in user.
0:50 So if isOwner, and we'll
0:55 pass in the user['id'].
1:00 If the user in the loop matches
1:04 the current user that's logged in,
1:09 we're going to add a new item,
1:13 span class="btn btn-xs btn-default"
1:21 and then, Cannot alter your own role.
1:32 We're going to add an else, and then we can use the rest of our buttons.
1:41 And finally, endif.
1:53 Let's view our admin page in the browser once more.
1:59 Great, we see that we cannot alter our own role.
2:04 And if we log out and we go to the admin page, we're not authorized.
2:12 And if we log in as our user, and
2:17 try to go to the admin page, again, we're not authorized.
2:23 We can now go back through our system and
2:26 add authorization checks across all of the pages.
2:29 Let's update the navigation to only show the admin link to administrators.
2:38 After My Account, if isAdmin,
2:47 we're going to add a link, so let's duplicate this line.
2:55 We can end our if, and then make changes.
3:03 Link to admin and show Admin.
3:09 And finally, we're ready to go back to our book list page and
3:13 update who has access to edit or delete a book.
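The steps in the video (the requireAdmin guard on the adjustRole page, the isOwner check around the role buttons, and the isAdmin check around the navigation link) as one stand-alone PHP script. This is an added example, not the Treehouse course files: the helper names requireAuth, requireAdmin, isOwner and isAdmin come from the video, but their implementations, the session layout, the user records, the file names adjustRole.php / admin.php / account.php and the adjustRole handler are all assumptions made here so the script runs from the CLI.

```php
<?php
// Added example (not the course's own code). The helper names follow the
// video; their bodies, the session shape and the sample data are assumed.
declare(strict_types=1);

// Constructed stand-in for $_SESSION so the script runs without a web server.
$session = ['user_id' => 2, 'role' => 'admin'];

// Constructed sample user list, as the admin page would fetch from the database.
$users = [
    ['id' => 1, 'email' => 'owner@example.com',  'role' => 'admin'],
    ['id' => 2, 'email' => 'alena@example.com',  'role' => 'admin'],
    ['id' => 3, 'email' => 'reader@example.com', 'role' => 'user'],
];

function isAuthenticated(array $session): bool
{
    return isset($session['user_id']);
}

function isAdmin(array $session): bool
{
    return isAuthenticated($session) && ($session['role'] ?? '') === 'admin';
}

// True when the record being displayed belongs to the logged-in user.
function isOwner(int $ownerId, array $session): bool
{
    return isAuthenticated($session) && $session['user_id'] === $ownerId;
}

// Guards. In the web app these redirect to a "not authorized" page; here they
// throw so a denied request is visible on the command line.
function requireAuth(array $session): void
{
    if (!isAuthenticated($session)) {
        throw new RuntimeException('Not authorized: login required');
    }
}

function requireAdmin(array $session): void
{
    requireAuth($session);
    if (!isAdmin($session)) {
        throw new RuntimeException('Not authorized: admin role required');
    }
}

// Per-user control block on the admin page: the isOwner / else branch from
// the video. An admin sees the buttons for everyone except themselves.
function renderRoleControls(array $user, array $session): string
{
    if (isOwner((int) $user['id'], $session)) {
        return '<span class="btn btn-xs btn-default">Cannot alter your own role</span>';
    }
    return sprintf(
        '<a class="btn btn-xs btn-primary" href="adjustRole.php?id=%d">Change role</a>',
        (int) $user['id']
    );
}

// Navigation: the Admin link is only rendered for administrators.
function renderNav(array $session): string
{
    $links = '<a href="account.php">My Account</a>';
    if (isAdmin($session)) {
        $links .= ' <a href="admin.php">Admin</a>';
    }
    return $links;
}

// The adjustRole page itself (assumed handler). Hiding the button is only a
// UI nicety; the same two rules are enforced here, where the change happens.
function adjustRole(int $targetId, string $newRole, array $session): string
{
    requireAdmin($session);
    if (isOwner($targetId, $session)) {
        throw new RuntimeException('Not authorized: cannot alter your own role');
    }
    return sprintf('user %d is now %s', $targetId, $newRole);
}

// Simulate an admin visiting the admin page.
try {
    requireAdmin($session);
    echo renderNav($session), "\n";
    foreach ($users as $user) {
        echo htmlspecialchars($user['email']), ': ', renderRoleControls($user, $session), "\n";
    }
    echo adjustRole(3, 'admin', $session), "\n";   // allowed: someone else's role
    echo adjustRole(2, 'user', $session), "\n";    // denied: the admin's own role
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Same page with no session at all: the guard denies access before rendering.
try {
    requireAdmin([]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The point worth keeping in mind when copying the video's pattern: the conditional around the buttons only decides what is drawn, so a request to adjustRole with another id in the query string bypasses it. The requireAdmin call at the top of the adjustRole page is the real control, and the "not your own role" rule belongs there as well, which is why adjustRole() in the script repeats the isOwner check rather than trusting the template.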