Creating Helper Functions (5:35) with Alena Holligan
To make the authorization checks easier throughout our system, we should create a few helper functions called Guards. These will block requests that are not authorized.
We've created a handful of helper functions that allow us to reuse code, making our applications easier to maintain. For the authorization system of our application we're going to rely heavily on these helper functions. When dealing with authorization, helper functions are sometimes referred to as guards. A guard is a tool that allows us to protect certain sections of our application.

We're going to be creating guards to check the request and only allow administrators to view a page. This guard will make sure that a user is logged in and that the logged-in user is an administrator. Finally, we'll create a guard to make sure that the logged-in user is the owner of a book or a vote that they are trying to edit.

If you remember, from the last stage we built a function to check if a request requires authentication. This function also used the isAuthenticated function. Yes, both of these functions are guards as well.

We're going to build two more guards for admin. This time, not only will we check that the user is logged in, we also need to check for an admin role. Let's start with the function to check if the user is an admin or not. We'll name this function isAdmin. We'll start by checking if the user is authenticated: if not isAuthenticated, then we're going to return false. If they're not logged in, they're not an admin. If the user is authenticated, we now need to check if they have an admin role. Their role id should equal 1. Like we did for our get-authenticated-user function, we can use the session. We start with global $session, and then we can return $session->get('auth_roles') == 1. This return should give us true or false, depending upon whether our auth_roles equals 1 or not.
Now we can create the guard that requires the user to be an administrator, or gives an error and redirects the user. We'll create a new function and we'll name this requireAdmin. We can use the isAdmin function to tell us if the user is an admin: if not isAdmin, then we're going to use the global $session, and we're going to set $session->getFlashBag()->add('error', 'Not Authorized'). And then we'll redirect to login.php. Now on any page where we require administrative privileges we can simply add requireAdmin to the top of the page, and it will handle everything for us.

There's one more guard that we want to add. We want to set up a function to check if the user who is logged in is the owner of a book or a vote. This function will accept a single property, the id we're trying to match, and then it will get the current logged-in user for comparison. So we'll add a function, and we'll name it isOwner. We'll accept the ownerId, and then we'll start by checking if not isAuthenticated, and we'll return false. If they're not logged in, they can't be the owner. Then we can use global $session, and we're going to return a comparison of ownerId with $session->get('auth_user_id'). Now with this function, we can get the owner of the book or a vote from the database, and pass it to this function, which will make sure that the authenticated user is the actual owner. Now that our guards are set up, we're ready to start using them in our application.