WEBVTT

00:00.920 --> 00:01.400
Okay, guys.

00:01.400 --> 00:09.020
So last time we created this authorization class with two methods: verify and check.

00:09.290 --> 00:13.220
The check is basically making sure we can do something.

00:14.420 --> 00:20.780
It's based on an action and the resource, and it gets the current user. And the verify,

00:20.810 --> 00:25.610
well, this is more, let's call it, catastrophic if anything goes wrong.

00:25.610 --> 00:32.360
So if you can't do something, well, it will just direct you to a forbidden page.

00:32.360 --> 00:40.160
So this should be used to block access, while the check should be used to check if you can see something

00:40.190 --> 00:42.260
to display a link, etc.

00:42.260 --> 00:49.850
Speaking of links, we should add a helper to the view that can decide if I should see maybe this

00:49.880 --> 00:51.920
admin link in the first place.

00:53.210 --> 01:00.330
So let's go our typical route of checking if the function exists.

01:00.330 --> 01:02.940
If it doesn't, we're going to use.

01:05.130 --> 01:05.640
This.

01:05.670 --> 01:08.670
Well, we're going to create this function, which returns a boolean.

01:08.670 --> 01:15.240
And let me jump back to copy paste the arguments.

01:15.960 --> 01:20.940
So we get the action and the resource.

01:20.940 --> 01:26.190
And this is simply calling the authorization

01:29.100 --> 01:33.150
check, passing both the action and the resource.

01:33.180 --> 01:35.820
A quick reminder of why we are doing that.

01:35.850 --> 01:43.980
We are doing this to add a global function that can be used inside a view where we would not like to

01:43.980 --> 01:49.110
have a separate section that would add the use statements for classes.

01:49.740 --> 01:51.840
Okay, let's use it then.

01:51.870 --> 02:01.460
Let me go to the main layout where we have this admin link, so we should display both when someone

02:01.460 --> 02:08.600
is authenticated, but this should only be displayed if the user is an admin.

02:09.740 --> 02:19.910
So we can check if the check for the specific resource, which is dashboard, I guess,

02:22.850 --> 02:24.800
is allowed for the current user.

02:25.430 --> 02:29.450
If it is, we display a link, otherwise we don't.

02:33.200 --> 02:38.180
Okay, so maybe let's do things the same way in all places.

02:38.180 --> 02:40.730
Let's add this PHP here as well.

02:40.910 --> 02:41.600
Okay.

02:41.600 --> 02:48.290
Um, so let me log out and let me grab something from the database.

02:48.290 --> 02:53.360
So now we're going to sign in as a user that is not an admin.

02:53.360 --> 02:59.040
So in my case that's John, for example, who has this john@example.com email.

02:59.040 --> 03:03.900
And if I jump to the fixtures I can see his password.

03:03.900 --> 03:07.770
So this would be john@example.com.

03:07.770 --> 03:10.500
And the password is password 123.

03:10.530 --> 03:11.550
Let me sign in.

03:11.580 --> 03:18.480
We don't see the admin link, which confirms that our check function works fine.

03:18.480 --> 03:23.100
We can now specify who can see a specific link.

03:25.470 --> 03:25.800
All right.

03:25.800 --> 03:33.600
But can this John also visit the URL by just typing it in the browser?

03:33.600 --> 03:35.970
So this is slash admin dashboard.

03:35.970 --> 03:38.430
Well, we can see that he can.

03:38.640 --> 03:43.980
So that's another protection that we need to add to the dashboard controller.

03:44.010 --> 03:50.850
Before anything even happens, we should do authorization verify.

03:50.850 --> 03:55.120
And here just name the action, that's dashboard.

03:55.150 --> 04:04.720
And at this point, well, we see this page, 403 Forbidden, as we just don't allow people who don't have

04:04.720 --> 04:07.030
permissions into this page.

04:09.040 --> 04:09.310
Okay.

04:09.310 --> 04:11.830
So I think this was really useful.

04:11.830 --> 04:20.800
It's time that we also add a real admin panel, not only the dashboard with some stats, but actually

04:20.800 --> 04:24.910
give users a way to add, edit or delete posts.

04:24.910 --> 04:32.530
And then we're gonna check the different actions inside the authorization class that we've defined,

04:32.560 --> 04:35.740
like editing, deleting posts, etc.

04:37.000 --> 04:42.220
Now also, since we were about to comment, um, you know what?

04:42.250 --> 04:43.240
One more thing.

04:43.270 --> 04:55.620
Let's jump to the show view where we have the form to comment. And in this case, we actually should

04:55.620 --> 05:02.850
also check not only if the user is there, but also if someone can comment.

05:05.550 --> 05:07.320
And I think everyone can comment.

05:07.320 --> 05:11.490
But in case we change our mind, then we can disable it.

05:11.520 --> 05:17.190
Maybe only the verified users would be able to comment, things of this nature.

05:17.190 --> 05:20.070
I think we should have those checks everywhere.

05:20.100 --> 05:23.460
Another thing is this comment.

05:23.460 --> 05:27.450
Sorry, not comment model but comment controller.

05:27.450 --> 05:33.900
And the first thing here should be the authorization verify comment action.

05:36.030 --> 05:42.960
Okay, now I think we've added the authorization in every place which would require that.

05:43.050 --> 05:44.850
Now let's have a short break.

05:44.850 --> 05:50.010
And after that we're going to build the full admin panel with all the possibilities.
