Authorizing Deletions

Okay, so really we should secure everything. 0:00 But I wanna give you a taste first of how to do that. 0:03 So remember that our repositories expose all the HTTP verbs by default. 0:06 Our security that we just set up says that if you're logged in, 0:11 you can do whatever you want to any resource. 0:14 That's probably not a good idea. 0:16 Let's solve the delete example of reviews really quick, and 0:19 then we'll swing back later and get the rest of them secured. 0:21 Okay, so remember our review repository here is a paging and 0:25 sorting repository, and it overrides the CrudRepository. 0:32 So let's go ahead and look at some methods that are coming from the CrudRepository. 0:37 So here they are, so there are these two. 0:42 Let's go ahead and add these to this delete ID and delete entity. 0:44 We're gonna override both of these. 0:47 So, the first thing that we want to do is we want to grab one with the ID 0:50 which is this long one here. 0:55 And we're gonna mark it with the PreAuthorize annotation. 0:57 And this PreAuthorize annotation takes an element that explains the security 1:02 required in a Spring Security flavor of the Spring Expression Language or SpEL. 1:08 So it's pretty handy, and 1:13 it can be a wee bit foreign looking if this is your first time seeing it. 1:15 So, remember to check the teacher's notes, 1:18 if you start doing that mind blown animated gif, memey thing, right? 1:20 So, what we wanna do here is allow for deletes, right? 1:25 If the reviewer is the current authenticated user, 1:28 he should be able to delete it or she should be able to delete it. 1:31 So that seems pretty straightforward, right? 1:34 So we first need to get access to this repository. 1:36 Now since these repos are available for injection, we can do this. 1:40 We can use @reviewRepository, and 1:44 that's gonna get whatever is currently wired, just like we would with auto wired. 1:46 And then we're gonna use the method findOne which is on this, right, so 1:51 we're gonna say findOne. 1:55 And what we want to do is we wanna use whatever this long value that was 1:56 passed in. 2:00 I'm gonna go ahead I'm gonna just name this to be id. 2:00 And we wanna programmatically access what this is in our statement here. 2:04 So what we need to do is we need to first expose that. 2:10 So we're gonna say @Param, which is param, 2:14 lets you do a query parameter there, and we're gonna mark that as id. 2:17 And now we can access that in our statement here. 2:23 So we're gonna say find one, and programmatically, 2:26 to access that you do #id, okay, and now we should have access to review. 2:30 So let's get ahold of the reviewer, right. 2:36 And that's really calling getReviewer, right. 2:40 And from here we wanna call the username or getUsername and what we want 2:43 to do is we want to check if it's equal to whatever we have from authentication. 2:49 And that's an object that's just passed there, .name. 2:53 You know what, though? 2:57 What happens if this is not found? 2:58 We're gonna get that dreaded null pointer exception, aren't we? 3:02 Now thankfully, there's a handy way to express that concern. 3:05 if you follow an object with a question mark, it will make it optional and 3:09 it will stop any sort of chaining, right. 3:14 So that's optional, so it won't go into the next, right. 3:16 So we know what happens if we get a review back but 3:21 the reviewer is not there, we'd better make that optional, too. 3:24 Okay, so the delete entity version is pretty similar. 3:28 You just already have the entity, right? 3:31 So, this guy here is very similar to this one. 3:33 You just already have this. 3:36 So, let's do this. 3:37 Why don't you give it a go? 3:38 Why don't you try that, and see if you can do it? 3:39 Pause me, and then un-pause me, when you're done. 3:41 Okay, wanna see how I did it? 3:43 All right, so what I did, I said, @PreAuthorize. 3:46 And I added, for this review, I added a new Param, and I called it review, okay? 3:50 So I said, @review.reviewer, and 3:57 then I made sure that there was a username. 4:02 And then I checked to see if it was equal to the authentication.name. 4:08 Okay, so let's see if it's working. 4:14 Let's go ahead and we will come and reboot the server. 4:16 And if we come over here, we should still be logged in as Jacob, 4:21 and let's go take a look at the reviews. 4:26 So here, this is Jacob's here, so his review is review number two. 4:35 Here's a review from Mike Norman. 4:39 So his rating was 2, he wanted more Java 9. 4:41 Okay so let's go ahead and let's look at that review, and 4:45 let's go ahead and let's log back in as Jacob here. 4:52 And let's make Jacob try to delete that review. 4:56 Now if everything's good, so I switched this delete and 5:01 I have the header of Jacob logs in. 5:04 If everything is good that we did, he should get blocked, Jacob should not now 5:06 be able to do that, even though he was able to just before this. 5:10 Awesome, access is denied, 403 forbidden. 5:13 Cool, so let's just go ahead and verify that Jacob can delete his own, 5:17 remember he was at 2. 5:21 So let's go ahead inside this. 5:22 Boom, and we got 204 No Content. 5:24 So Jacob was allowed to delete his own, and let's just make sure that it's gone. 5:26 Bam, so yeah, 404 not found on review number two. 5:31 Awesome, we did it. 5:35 So one thing I thought about here right now is that the reviewer, and 5:36 only the reviewer, can delete the review. 5:39 Now, we all know the web isn't the nicest of places, right? 5:42 So we probably wanna make sure that if an administrator on the site saw a bad review 5:46 from a bad reviewer, that they could delete it immediately, right? 5:49 Now just because we use the name Role Admin doesn't mean it 5:53 does anything at all, so why don't we make it do something? 5:56 So one thing that we can do is we can use 6:00 the role annotation, this hasRole. 6:05 hasRole, and then ROLE_ADMIN or that, we'll do it for 6:09 here too, hasRole, ROLE_ADMIN or, first. 6:14 Cool, now if I see something, since I have the admin role, 6:19 I can swing in and delete the review from the offensive person. 6:24 Now, there are some more handy expressions that Spring security introduces that you 6:30 probably want to check out. 6:34 I was thinking about something that we 6:35 could do that I know our clients would like. 6:37 How about instead of manually adding a reviewer to the reviews, 6:39 why not just set the currently logged in user? 6:43 Since we know they're authenticated, 6:45 and we know who is making the post, it should be relatively easy, right? 6:47 I mean, I've been meaning to show you about events anyway. 6:51 So let's take a quick break and then I'll dive right into that. 6:54