WEBVTT

1
00:00:01.659 --> 00:00:10.980
So, we've got our event-related routes and we're making sure that only authenticated, so logged

2
00:00:10.980 --> 00:00:14.740
in users can create, edit or delete events.

3
00:00:15.840 --> 00:00:22.880
Now of course, I also want to make sure that we can register for events, but before we

4
00:00:22.800 --> 00:00:29.320
do that, I want to add an extra check to the update and delete routes here.

5
00:00:30.160 --> 00:00:37.820
Because I want to make sure that only the user who created an event is able to actually

6
00:00:37.820 --> 00:00:39.720
edit or delete it.

7
00:00:41.320 --> 00:00:44.060
And there are different ways of achieving this.

8
00:00:44.400 --> 00:00:50.220
We could, of course, again simply ask in chat for help if we were not sure how to do that.

9
00:00:50.660 --> 00:00:58.080
I already know that I essentially want to go to my controller functions here in the

10
00:00:58.080 --> 00:01:03.100
events controller.js file and I want to add the appropriate check there.

11
00:01:05.920 --> 00:01:13.120
So here, after checking whether the received input data is valid, I want to check whether

12
00:01:13.120 --> 00:01:18.260
the currently logged in user is the same user who created an event.

13
00:01:19.800 --> 00:01:23.260
So of course, I don't want to do that here in the create function, but in the edit and

14
00:01:23.260 --> 00:01:24.400
delete functions.

15
00:01:25.460 --> 00:01:31.700
There I get the ID of the event I want to delete and I then want to extract the information

16
00:01:31.700 --> 00:01:33.820
to which user that event belongs.

17
00:01:34.080 --> 00:01:39.420
And then I want to check whether it's the same user as the user who created the event.

18
00:01:40.540 --> 00:01:45.840
Now what's important here though, is that we take a look at the database.js file.

19
00:01:46.560 --> 00:01:50.960
And if we do so, we can see that in this app here, which I built thus far, I'm actually

20
00:01:50.960 --> 00:01:57.100
not storing the information which user created an event in the events table.

21
00:01:59.180 --> 00:02:06.620
Now you might recall that when I planned this application, ChatGPT actually told me to

22
00:02:06.620 --> 00:02:07.940
store that information.

23
00:02:08.080 --> 00:02:16.160
It suggested that I store the creator ID in my event, but I haven't implemented that here

24
00:02:16.080 --> 00:02:16.460
yet.

25
00:02:17.520 --> 00:02:18.640
So I'll do so now.

26
00:02:18.820 --> 00:02:26.240
I'll add a user ID field here, which should be an integer, because the ID of my user is

27
00:02:26.240 --> 00:02:26.640
an integer.

28
00:02:28.240 --> 00:02:32.020
And then I'll also add a foreign key reference like this.

29
00:02:32.260 --> 00:02:37.680
And GitHub Copilot thankfully suggested this to me, that we refer to the ID in the users

30
00:02:37.680 --> 00:02:40.000
table here with that user ID field.

31
00:02:41.940 --> 00:02:47.700
Therefore, of course, we must make sure that we do store such a user ID when a new event

32
00:02:47.700 --> 00:02:48.460
is created.

33
00:02:49.160 --> 00:02:52.580
So we should go to the event.js file in the models folder.

34
00:02:52.880 --> 00:02:55.940
And when we create a new event, we need to store the user ID.

35
00:02:57.040 --> 00:03:05.720
So I'll simply select this and say store user ID in user ID field to update this code appropriately.

36
00:03:07.080 --> 00:03:11.580
We could do it manually, but since I need to change a couple of places, I'd rather use

37
00:03:11.580 --> 00:03:12.440
AI for that.

38
00:03:13.400 --> 00:03:20.940
I now extract a user ID property from the incoming object, and then I store that user

39
00:03:20.940 --> 00:03:24.020
ID here with those code adjustments.

40
00:03:24.640 --> 00:03:25.540
So I'll accept this.

41
00:03:27.200 --> 00:03:32.540
Now I just need to make sure that this user ID is passed to the create event function

42
00:03:32.540 --> 00:03:34.440
from inside the events controller.

43
00:03:36.440 --> 00:03:43.700
So there in the create function, when we call create event, we must make sure that

44
00:03:43.700 --> 00:03:48.500
the user ID is passed to this create event function in that object.

45
00:03:50.040 --> 00:03:56.300
So thankfully, again, GitHub Copilot is making the appropriate suggestion, assuming that

46
00:03:56.300 --> 00:04:02.700
we can extract the user from the request object and then the ID from that user.

47
00:04:03.240 --> 00:04:08.740
And that should be possible because we have the code that adds this user object to the

48
00:04:08.740 --> 00:04:09.600
request object.

49
00:04:10.380 --> 00:04:14.140
We have that code in the auth.js file.

50
00:04:16.039 --> 00:04:22.320
There, the decoded user, so the data we're extracting from the token, is stored under

51
00:04:22.320 --> 00:04:23.240
req.user.

52
00:04:24.440 --> 00:04:28.860
So we should be able to extract that and then pass it to create event.

53
00:04:30.800 --> 00:04:35.320
So that should make sure that the user ID is stored along with the event.

54
00:04:37.700 --> 00:04:43.740
That then should also allow us to add an extra check that ensures that only the user who

55
00:04:43.740 --> 00:04:46.300
created an event can edit it or delete it.

56
00:04:47.200 --> 00:04:53.560
So to check whether the user who tries to edit or delete an event is the user who

57
00:04:53.560 --> 00:05:00.000
created it, we need to add an appropriate check to the edit and the delete item functions

59
00:05:00.000 --> 00:05:08.400
here in the events controller.js file. And as always, one way is to simply highlight the entire

60
00:05:08.400 --> 00:05:25.580
function and then ask GitHub Copilot to do it. Check that userId in req.user is the same as the

61
00:05:26.080 --> 00:05:38.840
ID or as the userId stored for the event that's about to be edited. Let's see whether that works.

62
00:05:40.880 --> 00:05:47.500
Generating some code, some changes. And as it seems, it doesn't change anything here at the

63
00:05:47.500 --> 00:05:53.620
beginning of the function, but then it extracts the event with the getEventById function,

64
00:05:53.680 --> 00:05:59.740
checks if maybe no event was found, in which case a 404 error is returned. But if an event was found,

65
00:05:59.920 --> 00:06:05.740
the userId stored for that event is compared to the userId in the request, and if it's not equal,

66
00:06:06.200 --> 00:06:13.040
we also send back an error message. Otherwise, the event is updated accordingly.

67
00:06:13.900 --> 00:06:20.360
So that looks good to me and I'll accept that change. And with that, we should have the

68
00:06:20.240 --> 00:06:28.440
appropriate protection in place. Now, getEventById is a function that is imported from the models

69
00:06:28.440 --> 00:06:35.460
folder from the event.js file, so that should be available. We can now add a similar check

70
00:06:35.460 --> 00:06:43.400
here in delete item and say also check userId. Let's see if that's enough, if there is still

71
00:06:43.280 --> 00:06:52.980
enough context stored by GitHub Copilot. It looks like it is. It gets the event here as well,

72
00:06:53.280 --> 00:07:00.340
gives us a 404 error if it's not found, and otherwise checks the userId. So that is also

73
00:07:00.340 --> 00:07:10.060
looking pretty good. Now, maybe here I want to return a different error message. If we don't

74
00:07:09.940 --> 00:07:15.600
succeed in deleting the event, I actually want to return a 500 error and say event not deleted,

75
00:07:15.700 --> 00:07:21.620
because technically it wasn't 'not found', it failed to be deleted, which is a different error.

76
00:07:21.880 --> 00:07:22.960
So I guess that makes sense.

