To make the authorization checks easier throughout our system, we should create a few helper functions. These can be called at the top of a script page to block usage by people who are not authorized. All of these functions will require validating the JWT against the private key.
0:00 We've created a handful of helper functions that allow us to reuse code,
0:04 making our applications easier to maintain.
0:08 For the authorization system of our application,
0:12 we're going to rely heavily on these helper functions.
0:15 When dealing with authorization helpers, I tend to call them guards.
0:18 A guard is a tool that allows us to protect
0:23 certain sections of our application.
0:25 We're going to be creating guards to check the request and
0:28 only allow administrators to view a page.
0:31 This guard will make sure a user is logged in.
0:35 We will also be creating a guard to make sure the user is an administrator.
0:38 Finally, we'll be creating a guard to make sure that the logged-in user is
0:43 the owner of the book, or the vote, that they're trying to edit.
0:47 Our first goal is to create a guard that requires a visitor to be an administrator
0:52 in order to view that page.
0:56 Let's first create a function in our functions.php file called requireAdmin.
0:58 If you remember from the last stage,
1:10 we built a function to check if the request requires authentication.
1:12 This function also used the isAuthenticated function.
1:16 Yes, both of these functions are guards as well.
1:21 We're going to use the isAuthenticated guard just like we did in the requireAuth.
1:23 This makes sure that the request is authenticated.
1:35 If the request is not authenticated,
1:39 we'll redirect them back to the login page with an expired access token.
1:41 If the request is authenticated, we need to run
1:46 an additional check to see if the user is an administrator.
1:50 We'll use our decodeJwt.
1:58 And then read the is_admin part of the JWT.
2:04 This will tell us if a user is an administrator.
2:10 If they're not, let's redirect them back to the homepage with an error message.
2:14 This could also be an unauthorized notice page as well.
2:42 Let's surround the decode in a try-catch block.
2:46 Now if there's any problem reading from the cookie or the JWT,
3:12 we can clear the user and have them log back in.
3:15 Now, on any page where we require administrative privileges, we can simply
3:24 add the requireAdmin to the top of the page and it will handle everything for us.
3:29 Next, we want to create a second function to let us know if a user is
3:35 an administrator or not.
3:39 We've already built the majority of this function with the requireAdmin guard, but
3:41 we'll be returning true or false, instead of redirects.
3:46 If !isAuthenticated, then we want to return false.
3:59 If there's any problem reading from our cookie, we want to return false.
4:40 For the final step, we want to return the isAdmin.
4:51 But we want to make sure that this is either true or false.
4:59 So, let's cast this as a Boolean, just to be sure.
5:03 Finally, in our guard and helper setup, we want to set up a function to check
5:09 if the user who is logged in is the owner of a book or a vote.
5:14 This function will accept a single property,
5:18 the ID we're trying to match with the JWT.
5:21 First we check if !isAuthenticated,
5:35 we return false.
5:47 Next, we'll try to decode our JWT.
5:54 Now we're going to return the comparison of
6:23 the $ownerId and the $userId from the JWT.
6:28 Now with this function, we can get the owner of the book or
6:36 vote from the database and pass it to this function to make sure that
6:39 the authenticated user is the actual owner.
6:43 Now that our guards are set up,
6:47 we're ready to start using them in our application.
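The three guards walked through above (requireAdmin, isAdmin and the owner check), as an added PHP example that is not the course's own functions.php. It assumes an HS256 token with a shared secret, a cookie named access_token and a sub claim carrying the user id (the course's cookie name, claim names and key handling are not shown); decodeJwt and isAuthenticated are stand-ins for the course's helpers.

```php
<?php
// Added example, not the course's functions.php. Assumed: HS256 JWT in a cookie
// named "access_token", shared secret JWT_SECRET, user id in the "sub" claim.
const JWT_SECRET = 'REPLACE_WITH_REAL_SECRET'; // placeholder, load from config
function base64UrlDecode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad);
}
// Verifies the signature and expiry before any claim is trusted; throws on failure.
function decodeJwt(string $jwt): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new UnexpectedValueException('Malformed token');
    [$h, $p, $sig] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    if (($header['alg'] ?? '') !== 'HS256') throw new UnexpectedValueException('Unexpected alg');
    $expected = hash_hmac('sha256', "$h.$p", JWT_SECRET, true);
    if (!hash_equals($expected, base64UrlDecode($sig))) throw new UnexpectedValueException('Bad signature');
    $claims = json_decode(base64UrlDecode($p), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) throw new UnexpectedValueException('Expired');
    return $claims;
}

function isAuthenticated(): bool { return !empty($_COOKIE['access_token']); }

// Guard that redirects: login page when unauthenticated or the token is unreadable,
// homepage with an error when the user is not an administrator.
function requireAdmin(): void {
    if (!isAuthenticated()) { header('Location: /login.php?error=expired'); exit; }
    try {
        $claims = decodeJwt($_COOKIE['access_token']);
    } catch (Throwable $e) {
        setcookie('access_token', '', time() - 3600, '/'); // clear the user, make them log in again
        header('Location: /login.php?error=expired'); exit;
    }
    if (empty($claims['is_admin'])) { header('Location: /index.php?error=unauthorized'); exit; }
}

// Helper that returns a strict bool instead of redirecting.
function isAdmin(): bool {
    if (!isAuthenticated()) return false;
    try { $claims = decodeJwt($_COOKIE['access_token']); } catch (Throwable $e) { return false; }
    return (bool)($claims['is_admin'] ?? false);
}

// True only when the logged-in user's id equals the owner id fetched from the database.
function isOwner(int $ownerId): bool {
    if (!isAuthenticated()) return false;
    try { $claims = decodeJwt($_COOKIE['access_token']); } catch (Throwable $e) { return false; }
    return isset($claims['sub']) && (int)$claims['sub'] === $ownerId;
}
```

Every guard verifies the signature and expiry before reading is_admin or sub, so a tampered or stale cookie fails closed rather than granting access.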