1
00:00:00,450 --> 00:00:02,620
Let's review the changes we made in this section.

2
00:00:03,970 --> 00:00:06,820
You've seen the SQL Server Object Explorer window.

3
00:00:07,840 --> 00:00:11,276
Let's review the data in the AspNetUsers table.

4
00:00:18,195 --> 00:00:20,640
Here are our seeded users.

5
00:00:20,640 --> 00:00:22,996
Notice that the passwords are hashed.

6
00:00:24,830 --> 00:00:27,454
Now let's review the changes to the entry table.

7
00:00:33,422 --> 00:00:38,491
Here's our UserId column, and notice that each row has a value populated

8
00:00:38,491 --> 00:00:44,080
representing the user ID that owns or is associated with that entry.

9
00:00:44,080 --> 00:00:45,600
Let's close both of those tabs.

10
00:00:47,470 --> 00:00:49,950
Switch to Solution Explorer.

11
00:00:49,950 --> 00:00:52,680
Expand Controllers and open the EntriesController.

12
00:00:53,780 --> 00:00:58,206
Now let's set a breakpoint inside each of the EntriesController action methods.

13
00:01:01,317 --> 00:01:05,461
I'll press F9 to set a breakpoint here, just inside of the Index action

14
00:01:05,461 --> 00:01:10,048
method. Scroll down to Add.

15
00:01:15,145 --> 00:01:17,641
Then the POST version of the Add action method.

16
00:01:22,866 --> 00:01:23,876
Edit.

17
00:01:26,372 --> 00:01:27,800
And Edit POST.

18
00:01:32,130 --> 00:01:36,960
Delete, and the last one, the Delete POST action method.

19
00:01:38,780 --> 00:01:40,870
Then I'll press F5 to debug the app.

20
00:01:43,854 --> 00:01:45,920
Here's our sign-in page.

21
00:01:45,920 --> 00:01:50,670
If you look up in the address bar, notice this green lock and the word Secure.

22
00:01:51,880 --> 00:01:55,750
This tells us that we're using HTTPS and SSL.

23
00:01:57,900 --> 00:01:59,269
I'll go ahead and sign in.

24
00:02:06,386 --> 00:02:10,906
And just inside of the Index action method we're getting ready to call

25
00:02:10,906 --> 00:02:14,517
the GetUserId method on the User.Identity property.

26
00:02:16,240 --> 00:02:19,950
Press F10. If we hover over the userId variable,

27
00:02:19,950 --> 00:02:22,340
we can see the user ID from my account.

28
00:02:23,430 --> 00:02:29,320
Now, we're gonna pass that user ID into the GetList entries repository method.

29
00:02:29,320 --> 00:02:32,750
This allows the repository to filter the list of entries

30
00:02:32,750 --> 00:02:35,670
to the ones that are associated with my account.

31
00:02:35,670 --> 00:02:36,800
And here are my entries.

32
00:02:37,810 --> 00:02:39,377
Let's try adding an entry.

33
00:02:42,488 --> 00:02:46,697
Inside of the Add action method, here we're getting my UserId again, and

34
00:02:46,697 --> 00:02:49,950
we're setting the viewModel.Entry.UserId property.

35
00:02:51,120 --> 00:02:55,870
Let's view the source of the page by right-clicking and selecting View Page Source.

36
00:02:57,060 --> 00:02:58,452
I'll make this slightly larger.

37
00:03:00,983 --> 00:03:03,224
And scroll down a bit.

38
00:03:03,224 --> 00:03:06,470
Here's our first form, but this is our sign-out form.

39
00:03:06,470 --> 00:03:08,440
Let's scroll down a little bit further.

40
00:03:09,470 --> 00:03:10,760
Here's what I'm looking for.

41
00:03:10,760 --> 00:03:15,770
It's an input element of type hidden that contains my UserId.

42
00:03:17,000 --> 00:03:21,170
Also notice that there's another hidden input element right here.

43
00:03:22,790 --> 00:03:27,120
This one contains the anti-forgery token that we're using to prevent

44
00:03:28,150 --> 00:03:31,670
CSRF, or cross-site request forgery.

45
00:03:31,670 --> 00:03:34,780
If this token wasn't included as a form value, or

46
00:03:34,780 --> 00:03:39,860
if the token value was incorrect, the post would fail upon submission to the server.

47
00:03:41,060 --> 00:03:43,881
Let's go ahead and fill out some values.

48
00:03:43,881 --> 00:03:48,466
So I'll select Basketball for activity and say I played for

49
00:03:48,466 --> 00:03:52,788
30 minutes at a medium intensity, and submit the form.

50
00:03:54,669 --> 00:03:57,571
Now we are inside of the Add POST action method.

51
00:03:57,571 --> 00:04:03,000
Let's step down. Here we are about to get the user ID for my account.

52
00:04:04,590 --> 00:04:08,230
And we're setting the entry's UserId property,

53
00:04:08,230 --> 00:04:11,450
ignoring the one that was sent from the client.

54
00:04:11,450 --> 00:04:15,020
This is to ensure that the user didn't tamper with the hidden field value.

55
00:04:16,260 --> 00:04:20,576
Let's go ahead and add the entry, and

56
00:04:20,576 --> 00:04:25,373
press F5 to continue execution, which will redirect us back to the Index page.

57
00:04:28,310 --> 00:04:32,444
And here we are with our message saying that the entry was successfully added.

58
00:04:34,882 --> 00:04:39,110
Now, let's edit that same entry by clicking the Edit button on its row.

59
00:04:41,130 --> 00:04:44,030
Here we are in the Edit GET action method.

60
00:04:44,030 --> 00:04:48,810
If we step down, we'll see the call to the GetUserId method again.

61
00:04:48,810 --> 00:04:53,210
And remember, we're passing the userId into the entriesRepository

62
00:04:53,210 --> 00:04:56,930
Get action method along with the ID of the entry that we're trying to retrieve.

63
00:04:58,210 --> 00:05:01,610
Doing this prevents users from hacking the URL

64
00:05:01,610 --> 00:05:04,210
in an attempt to retrieve another user's entry.

65
00:05:05,420 --> 00:05:09,030
Let's change the activity and submit the form.

66
00:05:11,956 --> 00:05:13,090
Let's step down.

67
00:05:14,680 --> 00:05:17,285
Here we are getting a reference to our entry model, and

68
00:05:17,285 --> 00:05:19,277
here we're getting the user ID again.

69
00:05:21,158 --> 00:05:26,293
This time, before we update the entry, we're calling the entries repository

70
00:05:26,293 --> 00:05:31,510
EntryOwnedByUserId method, passing in the entry.Id and the userId.

71
00:05:31,510 --> 00:05:36,025
We're doing this to ensure, again, that the combination of the entry ID and

72
00:05:36,025 --> 00:05:37,075
user ID is valid.

73
00:05:39,153 --> 00:05:43,283
In here, we're going to override the Entry.UserId property with the user

74
00:05:43,283 --> 00:05:44,684
ID of the current user.

75
00:05:46,855 --> 00:05:48,486
And after updating the entry,

76
00:05:48,486 --> 00:05:51,316
we're redirected back to the entries Index route.

77
00:05:53,685 --> 00:05:56,922
In here is our message that our entry was successfully updated.

78
00:05:59,128 --> 00:06:00,892
Now, let's delete that entry.

79
00:06:02,773 --> 00:06:05,285
Here's the Delete GET action method, and

80
00:06:05,285 --> 00:06:10,032
again, we're passing that into the entriesRepository.Get method in order to

81
00:06:10,032 --> 00:06:12,635
ensure that this entry belongs to our user.

82
00:06:16,303 --> 00:06:18,270
We click the Delete button to delete the entry.

83
00:06:19,980 --> 00:06:24,810
And in the Delete POST action method, we're getting our user ID again.

84
00:06:24,810 --> 00:06:28,608
And we're calling the entriesRepository.EntryOwnedByUserId

85
00:06:28,608 --> 00:06:31,920
method to check to make sure that this entry is, in fact,

86
00:06:31,920 --> 00:06:33,517
owned by the current user.

87
00:06:36,954 --> 00:06:39,210
Our entry has been deleted.

88
00:06:39,210 --> 00:06:43,051
And now we're back at our entries list page with the message letting us know that

89
00:06:43,051 --> 00:06:44,191
our entry was deleted.

90
00:06:46,269 --> 00:06:48,130
Now we're back to just four entries.