WEBVTT

00:03.730 --> 00:05.260
Hey there, everyone that they share.

00:05.260 --> 00:08.470
And in this video, as you can see, there is something new being introduced.

00:08.470 --> 00:10.480
And we are going to have a discussion on this.

00:10.600 --> 00:16.060
After this video, you will get much more clarity and you will have the sample code as well to understand

00:16.060 --> 00:19.750
how you can provide different kinds of roles in an application.

00:19.750 --> 00:25.030
Maybe you want to have admin roles, manager roles, sales roles, and you can have as many roles as

00:25.030 --> 00:25.360
you wish.

00:25.360 --> 00:28.630
There is no such criteria and we'll be writing a robust code for that.

00:28.810 --> 00:32.410
So as you can see there, we have got slash admin slash users.

00:32.410 --> 00:37.930
Obviously this is a route on which a user can get the list of all the users who are enrolled

00:37.930 --> 00:39.160
on his website.

00:39.160 --> 00:41.350
And similarly, we'll talk more about this later on.

00:41.350 --> 00:46.780
Right now, this is the only goal that I want to have a special route slash admin slash users, which

00:46.780 --> 00:50.500
gives me the detail of all of the users which are registered on my website.

00:50.530 --> 00:52.480
Now the code part is really, really simple.

00:52.480 --> 00:54.040
Couldn't be much simpler than this.

00:54.040 --> 00:55.690
Absolutely ridiculously simple.

00:55.780 --> 01:00.850
So we'll be working on this inside the controller itself because there is no need of separate controller

01:00.850 --> 01:01.420
for this one.

01:01.420 --> 01:05.110
This is also playing around with the same model, so we'll be just working on that.

01:05.110 --> 01:10.120
So I have just duplicated this and obviously I'll shrink the above one just like always and I'll work

01:10.120 --> 01:11.020
on with this one.

01:11.650 --> 01:17.830
Now this is going to be an admin route, so I usually recommend beginners whenever there is an admin

01:17.830 --> 01:21.190
route or a manager route, just go ahead and write, start with the admin.

01:21.190 --> 01:26.140
So what do you want to call this one as simply we're going to call this one as simply a route which

01:26.140 --> 01:27.160
gives you all users.

01:27.160 --> 01:32.140
So let's go ahead and say this one is admin all users.

01:32.140 --> 01:36.220
Now usually you are going to find in big organisations they don't write it like that, admin

01:36.220 --> 01:39.460
all users or manager all users; they just write it as all users.

01:39.460 --> 01:44.140
But for a beginner who is just getting started with a complex application, it will definitely help

01:44.140 --> 01:46.930
you a lot if you just write it as admin all user.

01:46.930 --> 01:49.330
And again, there is no such harm in writing in this way.

01:49.330 --> 01:54.550
Even in the bigger organisation, it makes just more clarity that this controller was specifically being

01:54.550 --> 01:56.590
made to be used by admin only.

01:56.590 --> 02:01.660
But in case you are using for manager or anything, you'll know that which kind of a sensitive data

02:01.660 --> 02:03.490
that it is exposing to everyone.

02:03.520 --> 02:05.080
Now let's go ahead and clean up everything.

02:05.080 --> 02:07.090
We don't want anything from inside.

02:07.090 --> 02:09.280
We just need a boilerplate template here.

02:09.400 --> 02:13.210
Okay, so once we have this, the goal is really simple.

02:13.210 --> 02:14.710
I want to send all the data.

02:14.710 --> 02:21.220
So all I have to do is User dot find. Now in the find, if you don't pass on

02:21.220 --> 02:24.010
any parameter, you pass it like this or you just say empty.

02:24.010 --> 02:28.930
Which also means by the way, this, that means it will just look for everybody and we'll find everybody.

02:28.930 --> 02:30.520
So let's go ahead and hold this one.

02:30.520 --> 02:32.230
So we're going to call this one as users.

02:32.230 --> 02:33.370
It is really important.

02:33.370 --> 02:37.570
And since the database is always on another continent, we're going to go ahead and await this one.

02:37.570 --> 02:43.900
So this users is an array of all the values that it was able to find inside this user model.

02:44.140 --> 02:47.950
And then all we got to do is simply say res dot status.

02:47.950 --> 02:50.560
And we have to say this time the status is good.

02:50.560 --> 03:00.790
So 200 dot JSON and send an object of success is true and let's go ahead and send all of these users.

03:00.790 --> 03:01.630
So there we go.

03:01.720 --> 03:06.520
Told you it's really possibly the simplest of the case that you can design and write that.

03:06.520 --> 03:08.500
Now let's go ahead and work on with the routes.

03:08.500 --> 03:12.070
So what we're going to do is we are going to go ahead and set up these admin routes.

03:12.070 --> 03:16.960
I'll hit an enter here because these are our routes which are a little bit different from all the above

03:16.960 --> 03:17.560
routes.

03:17.710 --> 03:20.860
So how the route actually looks like, we already discussed that.

03:20.860 --> 03:24.580
It says slash admin slash users.

03:24.580 --> 03:26.080
So this is how you get that.

03:26.350 --> 03:28.330
Obviously user is also logged in.

03:28.330 --> 03:31.210
That is also great, but we don't want anybody to access that.

03:31.210 --> 03:33.910
We want only specific user to access that.

03:33.910 --> 03:37.060
So let's first save this and see whether this is working or not.

03:37.210 --> 03:38.140
Of course, my bad.

03:38.140 --> 03:40.120
I forgot that I need to import all that.

03:40.120 --> 03:43.360
Many users go into the route at the very top.

03:43.360 --> 03:44.950
Bring it up here again.

03:44.950 --> 03:46.450
This is just the ordinary method.

03:46.450 --> 03:47.980
Nothing special on this one.

03:48.250 --> 03:52.690
Let's go ahead and save this one and see if we are able to grab this admin route up here.

03:52.690 --> 03:58.990
So copy that and go up here and let's make a clone on this one or copy this one.

03:58.990 --> 04:02.980
So we're going to go ahead and say this is admin, so we're going to say all user.

04:03.490 --> 04:04.930
So save that.

04:05.440 --> 04:08.740
And this one should be this one is actually a regular get route.

04:08.740 --> 04:10.180
We don't send anything.

04:10.180 --> 04:18.070
So we're going to say this is a get route and let's change this one to get save this one, change this

04:18.070 --> 04:20.140
one to slash admin slash users.

04:20.140 --> 04:25.240
I'm logged in, so I'm sending this one and I'm receiving an array of all the users who are registered

04:25.240 --> 04:26.170
in my application.

04:26.170 --> 04:28.300
But I don't want this case to happen.

04:28.300 --> 04:32.410
I want only certain users to actually be able to grab this data.

04:32.410 --> 04:37.000
So what I'll do in the very first time, actually there is no way of creating an admin.

04:37.000 --> 04:42.730
You have to manually go ahead into the database and mark at least somebody, one guy, to be admin as well.

04:42.730 --> 04:46.240
So what we're going to do is we are going to have this three as an admin.

04:46.240 --> 04:52.180
So notice right now I'll go into the role itself and I'll go ahead and change his role instead of saying

04:52.180 --> 04:56.080
it user I'm going to go ahead and say that you are an admin now.

04:56.290 --> 04:58.540
So again, admin.

04:58.540 --> 04:59.260
There we go.

04:59.680 --> 04:59.840
Okay.

04:59.920 --> 05:01.870
So now I have manually verified.

05:02.050 --> 05:03.280
I'll refresh this one.

05:03.400 --> 05:06.130
So three is still.

05:07.230 --> 05:07.800
User.

05:07.800 --> 05:10.100
So let me go ahead and change that again.

05:10.110 --> 05:16.110
Probably I forgot to save, so I'll go ahead and change this one again one more time to admin and I'll

05:16.110 --> 05:17.160
update this one.

05:17.160 --> 05:18.870
Forgot to update last time.

05:19.140 --> 05:20.220
Refresh this one.

05:20.610 --> 05:20.850
Okay.

05:20.940 --> 05:25.280
So this is something which is specifically just for the admin.

05:25.290 --> 05:29.850
Now how can I figure out that whether the user is admin or a regular user?

05:29.880 --> 05:36.450
Of course I have a token which gives me the ID and through that ID I can extract the user and I can

05:36.450 --> 05:39.420
ask What role do you have in the database itself?

05:39.420 --> 05:46.380
So if I go ahead and say, Hey, whatever the user via the ID, I get that and I simply say user role.

05:46.380 --> 05:48.870
It will give me either the admin or the user.

05:49.260 --> 05:50.730
That is absolutely fine.

05:50.910 --> 05:55.680
Now what I can do further on this is that I have to check this one and have to design a kind of a

05:55.680 --> 06:00.540
middleware which sits in between. Previously we were injecting the information in the is logged in that you

06:00.540 --> 06:01.140
are logged in.

06:01.140 --> 06:06.390
I'm checking that and I'm also injecting some information this time I'll just verify from the database

06:06.390 --> 06:07.890
itself that who you are.

06:07.890 --> 06:10.500
Are you an admin, a manager or a role itself?

06:10.590 --> 06:12.240
So how we're going to do that?

06:12.330 --> 06:15.240
We're going to go up here and we need to design the method.

06:15.240 --> 06:20.490
So we're going to go ahead and check this one, something like this, something like custom role, and

06:20.490 --> 06:21.660
we can actually design it.

06:21.660 --> 06:22.830
Something like is logged in.

06:22.830 --> 06:25.470
We can actually go ahead and say something like is admin?

06:25.470 --> 06:27.270
That is also absolutely fine.

06:27.270 --> 06:29.640
There is no wrong, nothing harm in that case.

06:29.640 --> 06:36.990
But what we can do is we can actually design a method, something like this custom role, and from this

06:36.990 --> 06:40.020
we can actually pass on an information, something like admin.

06:40.020 --> 06:44.880
This will help us to write just a one middleware and from the route itself we can pass on the information,

06:44.880 --> 06:50.040
hey, this custom role or this route is for admin only, or this route is for manager only.

06:50.040 --> 06:52.650
So this actually makes the code a little bit more robust.

06:52.650 --> 06:57.330
Again, if you want to be just going with the is logged in way out 100% doable.

06:57.330 --> 07:01.710
You can do this, but I prefer this one which says custom role and manager like this.

07:01.710 --> 07:03.690
So let's go ahead and work on with that.

07:03.690 --> 07:05.550
So I'll go into my middleware.

07:06.360 --> 07:09.750
And inside this middleware, I will export a method which says custom roles.

07:09.750 --> 07:17.670
So I'm going to go ahead and say export dot custom role and inside the custom role or roles however

07:17.670 --> 07:19.110
you like to go work with that.

07:19.110 --> 07:20.400
I'll go like this.

07:20.970 --> 07:21.650
Come on.

07:21.660 --> 07:22.410
There we go.

07:24.190 --> 07:25.270
And there we go.

07:26.020 --> 07:31.360
Now, in this custom role, since we are passing on a value, a manager, you can treat this

07:31.360 --> 07:37.060
as a simple string, that is 100% valid, or you can treat this entity as an array as well.

07:37.300 --> 07:43.450
The beauty about treating this as an array, or converting this entire method to accept an array, is that

07:43.450 --> 07:47.410
you can use some of the inbuilt methods of the array and you can get away easily with that.

07:47.410 --> 07:52.720
These arrays have methods, something like dot includes, and we don't have to manually

07:52.720 --> 07:56.740
check all these things, converting everything into lowercase, taking care of the things; there is a

07:56.740 --> 08:02.020
lot more problem in the string itself, so we can just get away with that, and all we got to do in order

08:02.020 --> 08:05.740
to make sure that this is an array is we can actually mark it as an array like this.

08:05.740 --> 08:10.720
Or what you can do is you can just spread this one and say that, Hey, you are sending me a role,

08:11.020 --> 08:11.800
that's it.

08:11.800 --> 08:15.970
And rather it would be better if we call this one as roles because we are expecting an array.

08:15.970 --> 08:18.610
Although technically this is not an array, we are just getting away.

08:18.610 --> 08:22.000
This array will have just one value itself, which is the admin itself.

08:22.030 --> 08:26.650
Because you are passing me here, just the admin and we are doing all this to get away with the easier

08:26.650 --> 08:26.800
way.

08:26.800 --> 08:27.820
Again, I'm not doing it.

08:27.820 --> 08:31.870
This is kind of industry practice all around and that's why you are going to see this code throughout

08:31.870 --> 08:33.280
your organization as well.

08:33.580 --> 08:35.950
Again, just the easy way of doing this.

08:36.100 --> 08:40.660
So what we're going to do is we are going to go ahead and simply return a true and false value to move

08:40.660 --> 08:41.800
forward and all of that.

08:41.800 --> 08:43.330
So let's go ahead and do with that.

08:43.780 --> 08:45.850
I will say simply return.

08:45.850 --> 08:46.660
There we go.

08:46.660 --> 08:51.070
Now, in the return, I will have obviously the request.

08:51.070 --> 08:55.000
And again, are we wrapping it around with the big promise?

08:55.630 --> 08:56.290
Oh, my bad.

08:56.290 --> 08:57.820
I'm no, no, it's okay.

08:57.820 --> 09:00.460
I'm writing into the user middleware, so that is fine.

09:00.460 --> 09:04.750
I don't need to wrap around with the big promise in this case, although if I do that, that would be

09:04.750 --> 09:04.990
great.

09:04.990 --> 09:09.700
Let me quickly check that previously we were having the token and so many of the issues.

09:09.700 --> 09:11.290
That is also fine, but I don't think so.

09:11.290 --> 09:13.150
In this case we need it anyways.

09:13.150 --> 09:14.230
Request response.

09:14.230 --> 09:15.430
It will face some errors.

09:15.430 --> 09:17.050
I'll come back and update that one.

09:17.470 --> 09:17.980
Okay.

09:18.430 --> 09:21.130
So what I'll do, I'll simply go ahead and check this one.

09:21.130 --> 09:28.960
So I'm going to go ahead and simply put on an if condition that if there is, inside this roles, that I'm

09:28.960 --> 09:33.880
going to go ahead and say includes, because this is an array now, that's why I have spread it at the top,

09:34.240 --> 09:40.540
and I'll request that, because obviously I expect that you never use this custom role all alone.

09:40.540 --> 09:45.870
I expect that you use it after is logged in because I will be extracting some information from you.

09:45.970 --> 09:47.170
Request dot user.

09:47.170 --> 09:52.180
So I'll say request dot user dot role in this case.

09:52.600 --> 09:54.340
So user has this role as well.

09:54.340 --> 09:59.980
So what I'm checking is whatever the role you are sending me from that root, whether this admin or

09:59.980 --> 10:04.630
manager does it, is included as this one.

10:04.630 --> 10:06.190
So this will give me a simple.

10:06.190 --> 10:07.930
So basically what will happen.

10:07.930 --> 10:12.220
Let me just write it quickly up here so that you understand this part because this can be a little bit

10:12.220 --> 10:12.640
tricky.

10:12.640 --> 10:14.680
I want everybody to understand this one.

10:14.770 --> 10:20.920
So what this will do, this request, dot user, dot role, you will either get a user here or you will

10:20.920 --> 10:23.230
get a simple admin here.

10:23.320 --> 10:30.910
And what this roles dot includes will check is whether you are actually who you are saying.

10:30.910 --> 10:33.880
So in this case I'll pass on a manager or admin and it will work like that.

10:33.880 --> 10:36.040
So I hope you get it a little bit.

10:36.040 --> 10:36.880
I hope so.

10:37.060 --> 10:37.450
Okay.

10:37.450 --> 10:42.190
So this is the basics of it and I want to check for a negative of that because this is where I'm going

10:42.190 --> 10:44.560
to raise an exception or raise an error.

10:44.560 --> 10:48.820
So I'm going to go ahead and simply say in this case, let's go ahead and just close it up here.

10:48.820 --> 10:52.540
So we're going to go ahead and say return, wrap it around in the next.

10:52.540 --> 11:05.860
Let's raise a new custom error, custom error, and it will say that you are not allowed for this resource

11:07.990 --> 11:11.200
and we can optionally pass on an error as well.

11:11.200 --> 11:14.200
Let's go for 403 or 402 in this case.

11:14.590 --> 11:14.820
Okay.

11:14.890 --> 11:20.740
So if that is not the case, then only then you can simply go ahead and say, hey, you are all good

11:20.740 --> 11:23.200
and you can just go ahead and move on to the next.

11:23.200 --> 11:23.920
There we go.

11:24.590 --> 11:24.730
Okay.

11:24.940 --> 11:26.290
So I hope this is all clear.

11:26.290 --> 11:30.460
And by the way, in case you want to go with the classic way of checking is admin only.

11:30.460 --> 11:37.120
And if the role actually exists, if simply the request dot user dot role equal equal admin,

11:37.120 --> 11:38.710
just go ahead and simply next.

11:38.710 --> 11:40.960
Otherwise raise an error that is also fine.

11:40.960 --> 11:43.510
So let me just go ahead and write that case also for you.

11:43.510 --> 11:45.190
So in case you are looking for that.

11:45.190 --> 11:49.120
So in that case, we are going to go ahead and wrap around the big promise and we are going to check

11:49.120 --> 11:59.110
something like this will be going something like if request dot user, dot role, if that is equal to

11:59.110 --> 12:03.580
something like admin, then go ahead and fire up next and something like that.

12:03.580 --> 12:05.770
So in case you want to go that path, that is also great.

12:05.770 --> 12:09.820
But I told you this is a little bit of a pro course, so we're going to go for a little bit more of

12:09.820 --> 12:11.110
a robust approach.

12:12.040 --> 12:19.720
So the whole idea is now to send a role that is manager or an admin, and then it will check that whether

12:19.720 --> 12:21.730
you are actually the guy who you are saying.

12:21.730 --> 12:23.530
So if you are saying that I'm admin.

12:23.750 --> 12:28.940
So I should receive in the roles parameter as yes, I'm an admin because remember I'm spreading this

12:29.060 --> 12:33.920
so automatically this admin will go inside this roles array.

12:34.130 --> 12:37.760
I hope I am now able to explain this more clearly.

12:38.220 --> 12:39.410
Okay, so this is all good.

12:39.410 --> 12:43.970
Now let's go ahead and bring this custom role and let's go up here.

12:44.240 --> 12:47.590
And after the is logged in, let's go ahead and bring custom role.

12:47.600 --> 12:49.250
So now custom role is in.

12:49.250 --> 12:54.290
Now let's first go ahead and try to access this resource that this resource is only available to manager.

12:54.290 --> 12:59.770
We don't have any manager but want to check out these things that what happens inside the postman.

12:59.780 --> 13:03.350
Let's go ahead and send a request and it says error.

13:03.350 --> 13:05.240
You are not allowed for this resource.

13:05.240 --> 13:05.900
Absolutely.

13:05.900 --> 13:06.740
Fantastic.

13:06.740 --> 13:07.970
So now let's see that.

13:07.970 --> 13:09.350
Which user did we update?

13:09.350 --> 13:11.600
So we updated the three as admin.

13:11.600 --> 13:15.230
So let's go ahead and check whether three is able to access that or not.

13:15.230 --> 13:18.560
Or by the way, we can actually change the role of this to as well.

13:18.830 --> 13:20.420
Let's go ahead and change this one.

13:20.420 --> 13:23.240
So let me go ahead and make him a manager this time.

13:24.980 --> 13:27.110
So this one is manager.

13:27.650 --> 13:29.000
And let's go ahead and update.

13:29.000 --> 13:32.420
Let's see if the manager is actually able to access the data or not.

13:32.420 --> 13:37.160
So let's refresh this and let's try it one more time and send this one.

13:37.160 --> 13:38.660
And now we are accessing the data.

13:38.660 --> 13:42.320
So you see how easy it is for me to now have a role of manager.

13:42.320 --> 13:45.350
But I'm not interested in manager, I'm actually interested in admin.

13:45.350 --> 13:48.770
So let's see whether the admin is actually able to access this or not.

13:48.770 --> 13:49.910
So let's change this one that.

13:49.940 --> 13:53.360
Now your custom role to access this route should be admin.

13:53.360 --> 13:58.940
So let's go ahead and verify that and it says, hey, you are not you are not an admin, so you are

13:58.940 --> 14:00.830
not allowed to access this resource.

14:00.830 --> 14:03.140
I hope now you get the robustness of this code.

14:03.140 --> 14:08.000
Let's go ahead and change this to into not the manager but actually an admin.

14:09.610 --> 14:10.360
Admin.

14:10.360 --> 14:12.580
And let's go ahead and update this one.

14:13.780 --> 14:17.650
Hit a quick refresh and the postman and send this data.

14:17.650 --> 14:19.390
And now we are receiving all the data.

14:19.390 --> 14:23.950
So this is how you actually make anyone a custom admin, manager, sales.

14:23.950 --> 14:29.830
Again, the whole idea is that whatever the controller is doing, you should be focused more on that.

14:29.830 --> 14:33.130
Right now I'm calling it as admin all user and I'm sending all data.

14:33.160 --> 14:38.620
Maybe in your case the manager is there and only value that you want to give to the manager.

14:38.620 --> 14:42.760
Or maybe a sales manager is just the name and the phone number.

14:42.760 --> 14:44.560
Maybe you're accepting phone number as well.

14:44.560 --> 14:50.650
So go ahead and just create a simple controller which gives the user only name and the phone number

14:50.650 --> 14:54.520
and just all the fields are marked as undefined so he doesn't get the data.

14:54.520 --> 14:59.980
So you can quickly craft a kind of a route for that. Let's go ahead and catch up in the next video.
