WEBVTT

00:00.410 --> 00:05.240
Okay, guys, I'd like to go back to the topic that's called authorization.

00:05.240 --> 00:12.620
I've been announcing this for a while now, so we've covered authentication previously so that you get

00:12.620 --> 00:19.670
the difference that authentication is verifying if you are who you say you are.

00:19.850 --> 00:25.580
On the other hand, authorization is after you are initially verified.

00:25.700 --> 00:31.970
Authorization is checking if you have permissions to do a certain operation.

00:33.020 --> 00:40.280
So in our case this might be: are you allowed to go to the admin panel?

00:42.080 --> 00:43.760
So now I can do that.

00:43.760 --> 00:45.830
But we should verify that.

00:45.830 --> 00:50.480
And in the first place, should I even see this link?

00:50.660 --> 00:58.820
If I am signed in I should not see this link unless I am an administrator.

00:59.030 --> 01:09.160
Now if I sign out, I don't see this link, but still, we need more fine-grained control over who can

01:09.160 --> 01:11.530
do what in the system.

01:11.530 --> 01:19.780
And well, this is where we will introduce the set authorization, which is role-based.

01:19.810 --> 01:23.140
The shortcut for that is RBAC.

01:23.170 --> 01:26.980
It is role-based access control.

01:27.010 --> 01:38.020
Let me create an authorization class inside the services and add all the typical stuff that we need

01:38.020 --> 01:42.340
which is app services namespace.

01:42.340 --> 01:46.270
And the class would be authorization.

01:47.410 --> 01:54.400
Now we're going to handle all the authorization stuff inside this simple class.

01:56.260 --> 02:02.500
So I'm going to add a function, not a function, a method called check.

02:02.530 --> 02:10.780
And the way I'd like to organize that is we're going to be checking if you can do a specific action

02:10.780 --> 02:21.910
that is a string, and can you perform this action on a specific resource that's nullable.

02:22.150 --> 02:25.060
And it just returns Boolean value.

02:25.060 --> 02:27.850
So you can do that or you can't.

02:28.030 --> 02:31.420
Let me reformat that real quick.

02:33.790 --> 02:40.780
Now this method can get access to the user through the auth service, which

02:40.780 --> 02:47.680
we don't have to import because it is on the same namespace as the authorization class.

02:48.160 --> 02:52.720
So we are getting the user first now.

02:52.810 --> 03:00.550
Well, we can assume that if we are checking for some permissions then if you are not authenticated

03:02.050 --> 03:04.300
you just don't have the permissions.

03:04.300 --> 03:06.190
This is I'm sure of.

03:06.190 --> 03:15.690
And if we have a public page like this home page or posts page that everyone should be able to access,

03:15.690 --> 03:23.490
then there is no point in verifying the permissions in the first place because, well, anyone can access

03:23.490 --> 03:24.690
those sites.

03:24.690 --> 03:27.000
So that's our first assumption.

03:27.000 --> 03:28.530
You need to be authenticated.

03:28.560 --> 03:32.280
Now obviously you can customize that if you have different requirements.

03:32.520 --> 03:40.650
Next up, we might assume that if you are an admin you can do anything.

03:40.800 --> 03:43.170
Essentially the role is a string.

03:43.170 --> 03:46.560
So you can define any roles that you wish.

03:46.680 --> 03:50.520
So inside the user we've got this role column.

03:50.520 --> 03:52.410
So if you are an admin.

03:52.770 --> 03:55.260
Well we can grant you everything.

03:55.260 --> 03:58.080
Or maybe let's go with super admin.

03:59.820 --> 04:02.040
We immediately go with true.

04:02.040 --> 04:11.820
And now we can do more fine-grained control. Depending on the action, we're gonna have some specific logic

04:11.850 --> 04:16.490
either granting or not granting the permissions.

04:18.050 --> 04:26.570
So in frameworks like Laravel, you typically create additional classes that are called policies or

04:26.570 --> 04:28.040
you create gates.

04:28.040 --> 04:33.470
And this is similar to how gates are implemented in Laravel.

04:33.530 --> 04:36.140
Let's go with the default option here.

04:36.140 --> 04:40.220
So the default is you don't have access.

04:41.900 --> 04:44.030
Um, I think I need a semicolon here.

04:44.060 --> 04:46.520
So by default you don't have an access.

04:46.520 --> 04:49.760
Then we might have an action that is called comment.

04:49.760 --> 04:51.980
So we just come up with those action names.

04:51.980 --> 04:53.330
I just made it up.

04:53.690 --> 04:59.810
And it's important to know what actions we have because then we're going to be verifying them.

05:00.020 --> 05:03.560
So if you'd like to comment then we return.

05:03.560 --> 05:04.190
True.

05:04.220 --> 05:04.970
Why?

05:05.000 --> 05:11.150
Because if you already are authenticated, this means you can comment on posts.

05:11.450 --> 05:17.090
Next up, um, can you edit a post?

05:19.610 --> 05:24.440
Or also, can you delete a post? So we can have multiple.

05:25.250 --> 05:34.730
Now in those cases, um, first we need to check if the resource is an instance of post.

05:34.790 --> 05:45.170
This means that a Post model needs to be passed in here, because if that's the case, then we need

05:45.200 --> 05:55.100
an additional condition, which is we're going to verify if the current user ID is the same as the resource

05:55.460 --> 05:58.670
user ID, which we already know is a post.

05:58.670 --> 06:01.310
So it will have this column.

06:01.460 --> 06:06.560
Basically, this is making sure you are the owner of that post.

06:06.560 --> 06:07.790
You created it.

06:07.940 --> 06:22.450
Only then you can edit or delete it or alternatively if maybe you are an admin or super admin.

06:23.830 --> 06:27.610
So user role or maybe let's do it differently.

06:27.640 --> 06:29.140
We're going to do in_array.

06:29.380 --> 06:39.490
And that user role needs to be either admin or super admin.

06:40.390 --> 06:43.390
If you are one of those well you can do anything.

06:43.420 --> 06:46.480
And also let's make sure that

06:48.730 --> 06:51.550
We put that inside parentheses.

06:51.550 --> 06:58.240
And this here needs to be an array like this.

06:58.240 --> 07:02.020
Also I think I'm missing the post model import.

07:02.020 --> 07:04.630
So that's a longer rule.

07:04.630 --> 07:11.020
But you know we are really free to customize everything as we like.

07:11.290 --> 07:17.350
Next up, can you create a post?

07:18.640 --> 07:21.010
Well um.

07:23.910 --> 07:28.980
I think that we should just return.

07:28.980 --> 07:29.700
True.

07:31.020 --> 07:31.950
Would you agree?

07:31.980 --> 07:33.150
Yeah, maybe.

07:33.690 --> 07:40.890
So let's put that to this one so everyone can create posts as why not.

07:41.190 --> 07:45.720
And then accessing the dashboard.

07:47.940 --> 07:50.550
Maybe let me put it this way.

07:50.550 --> 08:00.300
So if you'd like to access the dashboard you need to be an admin or super admin.

08:01.980 --> 08:03.540
I'm missing the function call.

08:03.540 --> 08:05.010
This is in array.

08:05.280 --> 08:09.780
Okay so those are our rules.

08:09.780 --> 08:15.210
We can maybe extract some of those into separate methods.

08:15.210 --> 08:23.940
Maybe checking if someone is an admin or super admin should be extracted to at least an arrow function

08:23.940 --> 08:24.660
someplace.

08:24.710 --> 08:27.230
Anyway, that's not important right now.

08:27.260 --> 08:30.200
What's important is that we have this class.

08:30.200 --> 08:30.650
Now.

08:30.650 --> 08:39.350
We can check for the permissions of the people and then maybe deny the access if they don't have those.

08:40.490 --> 08:40.970
Okay, guys.

08:40.970 --> 08:42.800
So that was the first method.

08:42.800 --> 08:49.610
It just told us if someone has or maybe doesn't have the permissions.

08:50.930 --> 08:55.340
Now we need another one that can be called verify.

08:55.340 --> 08:57.620
And this one is void.

08:57.620 --> 09:03.320
And what this would do is it will not only check for the permissions.

09:03.320 --> 09:05.780
That's why we need the same arguments.

09:06.860 --> 09:13.640
This method will also redirect to a specific error page if we lack the permissions.

09:13.790 --> 09:23.360
So this would be if static check where we pass the action and the resource.

09:23.360 --> 09:26.930
So if that's the case we go.

09:26.960 --> 09:30.400
Or maybe I'm gonna go with router.

09:30.400 --> 09:34.030
And this should be not unauthorized, but forbidden.

09:36.460 --> 09:40.690
Now let's go ahead and create this method inside the router.

09:41.770 --> 09:44.350
So we've got unauthorized

09:46.120 --> 09:49.630
and let's do forbidden.

09:50.530 --> 09:53.080
This would be 403 code.

09:55.360 --> 10:02.050
Let me jump to HTTP codes 403.

10:02.260 --> 10:02.800
Okay.

10:02.800 --> 10:12.460
So this should be thrown when you just don't have sufficient permissions to access the resource, which

10:12.460 --> 10:15.340
is perfectly our case.

10:15.670 --> 10:25.480
Now let me jump to 401 and create a 403 error quickly by copy pasting this one.

10:25.480 --> 10:29.410
And let's say 403 forbidden.

10:31.060 --> 10:32.680
And it is.

10:33.010 --> 10:34.450
You don't.

10:38.290 --> 10:40.990
You don't have permissions

10:43.870 --> 10:46.690
to access this resource.

10:48.310 --> 10:48.970
Okay.

10:49.990 --> 10:53.500
I think this looks sensible.

10:53.620 --> 10:57.550
Now let's jump back to the authorization class.

10:58.600 --> 11:01.810
And essentially we are actually done.

11:01.810 --> 11:11.200
So we can use this check method for example in views and then decide if we want to display a link or

11:11.200 --> 11:13.270
not, like this one, the admin link.

11:13.960 --> 11:18.400
But this one would be actually used to limit the access.

11:18.400 --> 11:26.350
If someone, let's say, wants to go to the dashboard and they don't have the necessary permissions.

11:27.010 --> 11:33.100
And let's take a short break now, and we're going to be implementing all those authorization checks

11:33.100 --> 11:34.810
in the next video.
