1
00:00:00,210 --> 00:00:03,550
Welcome back in this lesson we're going to see some fun new material.

2
00:00:03,600 --> 00:00:09,240
We're going to combine our user model the authentication that we've covered with campgrounds to make

3
00:00:09,240 --> 00:00:14,640
sure that a user can't delete campground that he or she didn't create or a user can't edit a campground

4
00:00:14,640 --> 00:00:15,980
that he or she didn't create.

5
00:00:16,200 --> 00:00:18,450
And this is something called authorization.

6
00:00:18,600 --> 00:00:25,830
So authentication and authorization there are different authentication refers to finding out if someone

7
00:00:25,830 --> 00:00:27,190
is who they say they are.

8
00:00:27,450 --> 00:00:30,780
Well authorization is once you know who someone is.

9
00:00:30,810 --> 00:00:33,090
You figure out what they're allowed to do.

10
00:00:33,090 --> 00:00:34,840
So think of it as permissions.

11
00:00:35,040 --> 00:00:40,500
What can someone what what is someone authorized to do with their security clearance in our application

12
00:00:40,500 --> 00:00:41,190
.

13
00:00:41,190 --> 00:00:47,220
So if you don't own a campground if you don't have the same I.D. as the campgrounds author that you

14
00:00:47,220 --> 00:00:49,710
won't be able to update or delete it.

15
00:00:49,980 --> 00:00:56,790
So let's start simple and let's work with it so that you can't give you the edit form unless you own

16
00:00:56,940 --> 00:00:58,270
the campground.

17
00:00:58,290 --> 00:01:01,970
So let's go to our campground routes right here.

18
00:01:02,400 --> 00:01:08,880
And what we want to do is if you try and go to the campground route or update and eventually delete

19
00:01:08,880 --> 00:01:13,400
as well all three of them we need to have the same logic where we just check.

20
00:01:13,560 --> 00:01:19,200
Does the current user's I.D. match the ID of the author for that campground.

21
00:01:19,440 --> 00:01:25,720
So remember this is what our data structure looks like where we pull up the campground model.

22
00:01:25,980 --> 00:01:32,790
We have author for each campground and there's an I.D. that's going to be an I.D. for a user it references

23
00:01:32,790 --> 00:01:40,230
a particular user's object I.D. and then we have a user of course that has an object I.D. It's not specified

24
00:01:40,230 --> 00:01:46,350
here but every user has an I.D. and we're going to compare the currently logged in users I.D. to the

25
00:01:46,350 --> 00:01:53,700
campground author dot ID so we can do that pretty easily if we go up into our at it.

26
00:01:53,700 --> 00:01:54,650
We'll start there.

27
00:01:54,900 --> 00:02:01,970
And the first thing we want to do is check is someone who is user logged in at all.

28
00:02:02,640 --> 00:02:07,550
And then if not we'll redirect summer.

29
00:02:08,430 --> 00:02:15,020
If a user is logged in does user own the campground.

30
00:02:15,840 --> 00:02:24,900
And if so we'll let the user run this code find my ID and delete everything.

31
00:02:24,900 --> 00:02:27,420
Otherwise we'll also redirect.

32
00:02:28,260 --> 00:02:33,020
So let's fill this in to start to see if someone's logged in.

33
00:02:33,240 --> 00:02:39,020
We can just write if requested is authenticated.

34
00:02:39,300 --> 00:02:44,140
We could also use the middle where we already defined here is logged in.

35
00:02:44,250 --> 00:02:46,670
I'll show you in a moment why we're not going to do that.

36
00:02:46,680 --> 00:02:50,100
The short answer is that we're defining our own middleware and just a little bit.

37
00:02:50,160 --> 00:02:53,670
So we're going to combine that functionality instead of this middleware.

38
00:02:53,670 --> 00:02:59,970
So if a request is authenticated if that is the case then we're good to go.

39
00:02:59,970 --> 00:03:06,040
If that's not the case let's do a constant log to start.

40
00:03:06,630 --> 00:03:14,850
You need to be logged in to do that and then we'll do a response.

41
00:03:15,120 --> 00:03:21,480
And let's just do a send to start response out send and we'll send this actually.

42
00:03:21,530 --> 00:03:26,710
So if we see that we'll know that we're not logged in and the first thing will be working.

43
00:03:26,970 --> 00:03:35,750
So let's copy this code inside the if statement and indented properly.

44
00:03:36,540 --> 00:03:37,190
OK.

45
00:03:37,380 --> 00:03:38,820
So we have to be logged in.

46
00:03:38,970 --> 00:03:41,490
Which is nothing new we've already written code to do this.

47
00:03:41,520 --> 00:03:44,900
So you might be thinking where I'm going about this in a weird way which we kind of are.

48
00:03:44,910 --> 00:03:46,460
But you'll see in just a moment why.

49
00:03:46,710 --> 00:03:48,150
Let's test it out though.

50
00:03:48,280 --> 00:03:51,110
Save start the server up.

51
00:03:51,720 --> 00:03:54,300
And when I start up I'm not logged in.

52
00:03:54,300 --> 00:03:55,360
No one is logged in.

53
00:03:55,620 --> 00:03:57,900
So if I try and go to slash at it

54
00:04:01,380 --> 00:04:03,530
it tells me you need to be logged in to do that.

55
00:04:03,690 --> 00:04:06,730
So our first part is working just fine.

56
00:04:07,050 --> 00:04:12,990
Then once we're locked down we're going to have another statement in here which is where it will check

57
00:04:12,990 --> 00:04:13,770
.

58
00:04:13,770 --> 00:04:16,610
Does the user own the campground.

59
00:04:17,700 --> 00:04:20,670
And the way that we'll do that is pretty simple.

60
00:04:20,670 --> 00:04:24,600
First thing we need to do is find the campground which we've already done right here.

61
00:04:25,050 --> 00:04:32,580
And then once we find it we need to check if the ID of the author on that campground matches current

62
00:04:32,580 --> 00:04:35,390
user which is request that user.

63
00:04:35,460 --> 00:04:37,170
Then we're good to go.

64
00:04:37,170 --> 00:04:42,900
So inside of here is where we actually do the does the user on the campground.

65
00:04:43,080 --> 00:04:47,880
We'll keep the first bit to check if there's an error if there's no error then we'll check.

66
00:04:47,880 --> 00:04:54,030
Does a user on the campground because that means found campground exists and then we'll have an if statement

67
00:04:54,650 --> 00:05:01,980
and B if campground dot author ID as you might think that we could do this.

68
00:05:01,980 --> 00:05:03,170
Equals equals equals.

69
00:05:03,450 --> 00:05:07,940
Request that user dot underscore ID.

70
00:05:07,950 --> 00:05:16,290
So let me just show you what I mean let's do a contact log campground author thought id and then below

71
00:05:16,290 --> 00:05:20,430
it will do cancel that log request that user does underscore ID.

72
00:05:20,520 --> 00:05:22,010
So a comment out the if statement.

73
00:05:22,320 --> 00:05:24,320
So we'll see those two lines.

74
00:05:25,730 --> 00:05:30,530
I will have to be logged in of course if I just try and refresh right now without being logged in we

75
00:05:30,530 --> 00:05:31,510
have an error.

76
00:05:32,240 --> 00:05:36,800
But if I do log in now has Potato Head

77
00:05:40,190 --> 00:05:46,350
log in and then I go back to granite mine slash at it.

78
00:05:46,610 --> 00:05:47,580
We have a problem.

79
00:05:47,750 --> 00:05:49,950
Looks like let's see.

80
00:05:50,300 --> 00:05:55,280
Well that was silly and trying to cancel like campground at Arthur campground doesn't exist.

81
00:05:55,310 --> 00:05:57,130
It's found campground.

82
00:05:57,350 --> 00:06:01,450
So I'll try it again restart the server.

83
00:06:02,660 --> 00:06:04,430
First time we are fresh.

84
00:06:04,730 --> 00:06:07,310
You know tell us you need to be logged in still.

85
00:06:07,310 --> 00:06:11,810
So again we log in Potato Head.

86
00:06:11,810 --> 00:06:12,860
Password.

87
00:06:13,270 --> 00:06:14,000
OK.

88
00:06:14,570 --> 00:06:15,650
Now if I try and get it

89
00:06:18,710 --> 00:06:21,050
take a look at what we see here.

90
00:06:21,110 --> 00:06:23,370
First thing that we print looks like this.

91
00:06:23,390 --> 00:06:30,530
So that is found campground Arthur ID and then we have requests that user data I.D. and they look like

92
00:06:30,590 --> 00:06:31,650
they're identical.

93
00:06:32,120 --> 00:06:34,370
And when they're printed out they are identical.

94
00:06:34,370 --> 00:06:42,140
But behind the scenes are actually not the same so requests that user id her underscore ID is a string

95
00:06:42,680 --> 00:06:47,500
found campground author dot ID is an object it's a mongoose object.

96
00:06:47,510 --> 00:06:49,380
And this is just a tricky one.

97
00:06:49,710 --> 00:06:54,080
I forget about it from time to time it's really frustrating because they look the same when you're trying

98
00:06:54,080 --> 00:06:59,440
to debug but the truth is the first one is not actually a string it's a mongoose object.

99
00:06:59,540 --> 00:07:00,530
That one we printed out.

100
00:07:00,530 --> 00:07:04,470
We see a string but that's just the two string version.

101
00:07:04,490 --> 00:07:06,460
Behind the scenes it's not a string.

102
00:07:06,740 --> 00:07:07,610
And this is a string.

103
00:07:07,610 --> 00:07:09,750
So when we compare them it won't work.

104
00:07:10,070 --> 00:07:16,190
So rather than comparing them with triple equals or double equals what we can do instead is use a method

105
00:07:16,610 --> 00:07:19,200
that mongoose gives us for this purpose.

106
00:07:19,520 --> 00:07:23,180
So what we do is write an IF statement put rather than checking campgrounds.

107
00:07:23,210 --> 00:07:26,620
Author Dodd ID triple equals request at User ID.

108
00:07:26,870 --> 00:07:31,650
We use dot equals.

109
00:07:31,650 --> 00:07:33,070
There we go.

110
00:07:33,950 --> 00:07:39,710
And now our IF statement should work except for the fact that this needs to be found campground again

111
00:07:39,810 --> 00:07:43,000
what's coming back to the database that we're finding using that ID.

112
00:07:43,040 --> 00:07:50,240
So we find that with the ID based off of the route then we check if the author ID on that particular

113
00:07:50,240 --> 00:07:54,530
found campground equals the currently logged in users ID.

114
00:07:54,560 --> 00:07:57,090
If that's the case we'll do one thing.

115
00:07:57,230 --> 00:07:58,750
Otherwise we'll do something else.

116
00:07:58,760 --> 00:08:08,420
So if that's the case we'll do this here render campground page of the edit campground page with found

117
00:08:08,420 --> 00:08:09,090
campground.

118
00:08:09,230 --> 00:08:11,320
Otherwise we'll do a rest does send.

119
00:08:11,720 --> 00:08:19,320
You do not have permission to do that of course will change this eventually or it won't just be a red

120
00:08:19,330 --> 00:08:22,520
dot cent but we'll have an actual message that displays.

121
00:08:22,520 --> 00:08:23,330
So let's try to

122
00:08:26,390 --> 00:08:33,470
go to our application go to a show page first thing if I try and edit it right now I need to be logged

123
00:08:33,470 --> 00:08:34,280
in.

124
00:08:34,550 --> 00:08:40,910
Now if I log in or I sign up as someone other than Potato Head so will do tomato head

125
00:08:43,700 --> 00:08:49,070
and I try and edit that you'll see hopefully.

126
00:08:49,100 --> 00:08:52,160
There we go I get you do not have permission to do that.

127
00:08:52,280 --> 00:08:58,010
Now if we go back and log out and sign back in as Potato Head

128
00:09:01,370 --> 00:09:05,730
and try it all again I try and edit.

129
00:09:06,020 --> 00:09:07,010
I do have permission.

130
00:09:07,040 --> 00:09:08,270
And I end up here.

131
00:09:08,270 --> 00:09:09,420
So it's working.

132
00:09:09,440 --> 00:09:10,750
Which is great.

133
00:09:10,880 --> 00:09:15,750
Now what we'll do is actually refactor this into a separate function.

134
00:09:15,800 --> 00:09:18,200
Most of this logic will call it something like.

135
00:09:18,200 --> 00:09:26,060
Check user campground or ensure campground user something where we're basically checking does the currently

136
00:09:26,060 --> 00:09:29,030
logged in user match this particular campground.

137
00:09:29,240 --> 00:09:34,050
And the reason we'll move that into middleware is that we'll use it on edit.

138
00:09:34,190 --> 00:09:35,920
We also want to use it on update.

139
00:09:35,960 --> 00:09:39,110
We don't want someone to be able to send a request if they're not logged in.

140
00:09:39,110 --> 00:09:41,890
So even though again just using the browser.

141
00:09:42,050 --> 00:09:48,110
The only way to do actually visually get to the update to send data is using this form.

142
00:09:48,350 --> 00:09:53,110
You could use postman you could send a request from postman and not be authenticated.

143
00:09:53,120 --> 00:09:57,850
So we want the same logic here and we want to do the same thing for delete.

144
00:09:57,920 --> 00:10:02,640
So we don't want you to be able to delete something a campground if you're not logged in.

145
00:10:02,690 --> 00:10:04,680
And if you don't own it.

146
00:10:04,970 --> 00:10:10,080
So what we'll do is write a middleware we'll copy this code for now.

147
00:10:10,220 --> 00:10:15,850
I'll leave it there but we're going to go down for now just with our other middleware.

148
00:10:15,920 --> 00:10:22,290
Well the final one called check campground ownership just like that.

149
00:10:22,580 --> 00:10:25,380
And then we'll paste this code and we we'll have a little work to do here.

150
00:10:25,670 --> 00:10:31,940
But the end goal is that on our edit we should be able to add our middleware here check campground ownership

151
00:10:31,940 --> 00:10:32,750
.

152
00:10:32,750 --> 00:10:35,030
We should be able to do it update.

153
00:10:35,050 --> 00:10:39,930
And also on delete but we'll start with at it and what we want to do is check.

154
00:10:39,930 --> 00:10:47,030
First you need to add in request response and next remember that so middleware is set up request response

155
00:10:47,060 --> 00:10:47,860
next.

156
00:10:47,870 --> 00:10:50,140
So if the user is currently logged in.

157
00:10:50,330 --> 00:10:55,550
Keep moving if they you're not logged in rather than doing a rest us send.

158
00:10:55,760 --> 00:10:59,860
For now we're going to do a restaurant redirect and we haven't seen this yet.

159
00:10:59,990 --> 00:11:05,140
We can do redstart redirect back and that will take the user back to where they came from the most.

160
00:11:05,150 --> 00:11:10,440
The previous page that they were on and very soon are going to show you how we can send a message.

161
00:11:10,460 --> 00:11:16,010
Well the message we want to send is something like You're not logged in or you must be allowed to do

162
00:11:16,010 --> 00:11:19,010
that but we're leaving it like that for now.

163
00:11:19,010 --> 00:11:22,310
Then if they are logged in we're going to find the campground.

164
00:11:22,610 --> 00:11:26,420
If there's an error we'll just redirect back as well.

165
00:11:26,420 --> 00:11:31,630
Again this error would happen if the campground couldn't be found for some reason or if the database

166
00:11:31,630 --> 00:11:39,440
is not connected or is some weird thing typically that we wouldn't actually see else if the campground

167
00:11:39,560 --> 00:11:41,690
matches the requests user ID.

168
00:11:41,690 --> 00:11:47,480
So if the user who's like in owns this then rather than rendering campgrounds edit because we don't

169
00:11:47,480 --> 00:11:53,530
always want this middleware to render edit what we want it to do is move on to the rest of the code

170
00:11:53,550 --> 00:11:57,010
in delete or move on to the code an update or an edit.

171
00:11:57,020 --> 00:12:00,870
So that's where we do next.

172
00:12:00,910 --> 00:12:08,510
Otherwise if they don't own it we'll do a rez redirect back.

173
00:12:08,510 --> 00:12:09,330
Great.

174
00:12:09,410 --> 00:12:16,200
So let's try this out save it and we'll go an update our edit route right here.

175
00:12:16,310 --> 00:12:23,180
We can trim this down a lot so we don't need to do any of this really except for we do want to find

176
00:12:23,180 --> 00:12:31,370
the campground and all that we'll do is if we find a campground we don't need to check if it matches

177
00:12:31,370 --> 00:12:37,220
anymore because we're doing that in the middle where so all we want to do is find a campground can get

178
00:12:37,220 --> 00:12:38,390
rid of all of this.

179
00:12:38,510 --> 00:12:39,320
Almost all Office

180
00:12:42,770 --> 00:12:48,550
format this correctly so will out a little bit.

181
00:12:48,550 --> 00:12:49,840
There we go.

182
00:12:50,690 --> 00:12:57,290
So because we added Scheck's campground ownership rate here all that we're doing now is if we get to

183
00:12:57,290 --> 00:13:02,800
this point it means that we already checked campground ownership and that we made it through.

184
00:13:03,230 --> 00:13:08,030
Otherwise if there's a problem we would have redirected that see with the error I'm getting is we have

185
00:13:08,030 --> 00:13:14,970
a small syntax error here which is I somehow deleted my function declaration here and you can see it's

186
00:13:14,990 --> 00:13:18,440
complaining that we're not handling the error which we could handle.

187
00:13:18,440 --> 00:13:24,350
But the thing is if we get to this point there shouldn't be an error with finding PI ID because we did

188
00:13:24,350 --> 00:13:25,690
it down here.

189
00:13:25,990 --> 00:13:29,370
And if it works here then we should be good to go anyway.

190
00:13:29,390 --> 00:13:33,590
So let's try it out though see if we have any issues.

191
00:13:33,620 --> 00:13:36,610
Basically we just moved our code out into a separate function.

192
00:13:37,040 --> 00:13:41,650
And remember a middleware is called Before we get to the right handler.

193
00:13:42,140 --> 00:13:42,530
OK.

194
00:13:42,560 --> 00:13:43,980
So let's give it a shot.

195
00:13:44,120 --> 00:13:49,270
First thing let's go back and let's say try and click on edit.

196
00:13:49,280 --> 00:13:51,910
I'm not logged in.

197
00:13:51,950 --> 00:13:54,170
It should redirect me back to where I was