1
00:00:00,390 --> 00:00:08,220
Next let's try logging in a log in as this time Potato Head password

2
00:00:10,800 --> 00:00:19,080
then we'll try and edit this one and it works and we should be able to update this just fine so we can

3
00:00:19,080 --> 00:00:19,880
try that out.

4
00:00:20,040 --> 00:00:22,620
Let's get rid of the exclamation points.

5
00:00:22,620 --> 00:00:28,840
Submit and it updates there's no punctuation at the end of grin at mine.

6
00:00:29,410 --> 00:00:34,500
OK so we'll just apply it to update.

7
00:00:34,500 --> 00:00:40,290
We don't want someone to be able to update something as well so it's not just about seeing the form

8
00:00:40,320 --> 00:00:46,450
but it's about actually doing the updating we want to protect both of those and delete it.

9
00:00:46,950 --> 00:00:54,110
Right now anyone can do it but as soon as I restart the server and I try refreshing.

10
00:00:54,720 --> 00:01:03,780
Currently I'm not logged in if I click delete takes me back here as soon as I log in and remember that's

11
00:01:03,780 --> 00:01:06,810
happening because of the redstart redirect back.

12
00:01:06,810 --> 00:01:10,210
So then will do Taito head again.

13
00:01:11,370 --> 00:01:14,730
Password log in.

14
00:01:15,030 --> 00:01:19,990
Now if I try and delete this one it works just fine.

15
00:01:20,250 --> 00:01:24,310
And now he's lost another precious campground and we're almost out of them to play with.

16
00:01:24,360 --> 00:01:30,300
So that's our middle where we have it set up correctly now we have checked campground ownership which

17
00:01:30,300 --> 00:01:36,180
checks the user logged in at all if they're not then just redirect back and eventually will have a different

18
00:01:36,180 --> 00:01:41,100
error message so it will say something like You must be logged in first and then if they are logged

19
00:01:41,100 --> 00:01:41,430
in.

20
00:01:41,550 --> 00:01:46,680
But they don't own the campground then we'll have a different message that says you don't have permission

21
00:01:46,680 --> 00:01:51,800
to do that or that's not yours to delete something like that and then the important line is the next

22
00:01:51,810 --> 00:01:52,470
right here.

23
00:01:52,470 --> 00:01:59,730
So if the campground author ID dot equals can't do Tripoli culture because we have to do Doddie course

24
00:01:59,730 --> 00:02:08,640
because the the fact that this is a string and this is an object idea mongoose object so it's not comparable

25
00:02:08,640 --> 00:02:13,160
to a string and thus to use the built in equals method that comes with monkeys.

26
00:02:13,230 --> 00:02:18,070
Then we move on to next which is whatever code we have inside of the right handler.

27
00:02:18,120 --> 00:02:20,140
So we run this if it works.

28
00:02:20,280 --> 00:02:20,880
We run this.

29
00:02:20,880 --> 00:02:21,960
Which is next.

30
00:02:22,080 --> 00:02:24,390
Or in this case we run this.

31
00:02:24,390 --> 00:02:25,270
Which is next.

32
00:02:25,350 --> 00:02:28,240
And in the case of update we run this.

33
00:02:28,860 --> 00:02:30,090
OK so we'll save.

34
00:02:30,240 --> 00:02:32,740
We have one less thing that would be nice to do.

35
00:02:33,100 --> 00:02:35,660
Which would be to hide these buttons.

36
00:02:35,880 --> 00:02:39,680
If I'm not logged in I shouldn't be able to see an edit delete button.

37
00:02:39,770 --> 00:02:44,700
Pretty much no web site out there that has this kind of authorization whatever show you that button

38
00:02:44,710 --> 00:02:44,840
.

39
00:02:44,970 --> 00:02:48,500
It's just a bad user experience if you think you can do something but you can't.

40
00:02:48,510 --> 00:02:55,380
So we want to hide it and all we need to do is go to our template so that's the show template and inside

41
00:02:55,380 --> 00:02:58,710
of here we need to find those two buttons right here.

42
00:02:58,880 --> 00:03:05,940
Then we add an if statement and I'm just going to write an empty statement to start with like correct

43
00:03:05,940 --> 00:03:07,800
brackets.

44
00:03:08,820 --> 00:03:14,610
Just like that and will indent just to make it easier to read and all we want to do is check if the

45
00:03:14,610 --> 00:03:20,220
logged in user owns the current campground on the show page and that's simple to do.

46
00:03:20,370 --> 00:03:27,900
We can just add the exact same code that we saw right here in our middleware except it needs to be slightly

47
00:03:27,900 --> 00:03:30,810
different but the same idea.

48
00:03:32,130 --> 00:03:36,740
If I paste this in we can follow that rather than found campground in the template.

49
00:03:36,750 --> 00:03:44,400
We call that campground author dot ID dot equals and we actually don't have access to request that user

50
00:03:44,640 --> 00:03:49,660
ID but remember we do have current user that we setup.

51
00:03:50,110 --> 00:03:53,940
And if you don't remember when or where we set it up I'll show you briefly.

52
00:03:54,060 --> 00:03:55,910
It's inside of our apt.

53
00:03:55,950 --> 00:03:59,660
Yes we go down to that and you take a look right here.

54
00:03:59,660 --> 00:04:00,660
Read out local stuff.

55
00:04:00,660 --> 00:04:05,310
Current User is request at user and that's added to every single template.

56
00:04:05,310 --> 00:04:11,250
Every route will have current user available in the template equal to the currently logged in user so

57
00:04:11,250 --> 00:04:12,990
current user does underscore ID.

58
00:04:13,090 --> 00:04:13,740
Let's give it a shot.

59
00:04:13,740 --> 00:04:17,920
Now make sure we add in the rest of the if statement parentheses.

60
00:04:18,180 --> 00:04:19,430
And if we refresh.

61
00:04:19,680 --> 00:04:24,990
You see that we have a problem and what happens is that we don't have a current user right now.

62
00:04:24,990 --> 00:04:31,170
So because there's no one signed in current user does underscore ID is problematic.

63
00:04:31,170 --> 00:04:34,210
So there's a simple way to check that you want to check first.

64
00:04:34,230 --> 00:04:35,460
Is there a current user.

65
00:04:35,640 --> 00:04:39,180
If there is then let's check if that user owns this.

66
00:04:39,690 --> 00:04:40,640
So to prevent the error.

67
00:04:40,650 --> 00:04:48,480
All we need to do is if current user and campground author ID equals the current user's ID remember

68
00:04:48,480 --> 00:04:49,760
that if this is false.

69
00:04:49,830 --> 00:04:53,090
So if current user is undefined if it's empty.

70
00:04:53,310 --> 00:04:59,250
If it's something that is falsie we never move on to the rest of this because the way that an AND statement

71
00:04:59,250 --> 00:05:02,070
works is that it requires both sides to be true.

72
00:05:02,160 --> 00:05:03,150
So it's short circuits.

73
00:05:03,150 --> 00:05:09,390
If this is false and we never evaluate this but if current user is anything any user object anything

74
00:05:09,390 --> 00:05:12,620
that's not falsie whether it's the right user or not.

75
00:05:12,630 --> 00:05:17,770
This will be true and then this is going to check if the user actually owns the campground.

76
00:05:18,060 --> 00:05:21,620
So if we try that again refresh.

77
00:05:21,810 --> 00:05:26,490
Right now we don't see the buttons but if I do log in as Potato Head

78
00:05:33,440 --> 00:05:38,680
to more info I do see those buttons and just double check everything still works.

79
00:05:38,790 --> 00:05:42,900
Let's call it Sunset Lake.

80
00:05:42,900 --> 00:05:45,720
Submit and everything still works just fine.

81
00:05:46,170 --> 00:05:46,560
Great.

82
00:05:46,560 --> 00:05:48,620
So let's recap some of what we did here.

83
00:05:48,630 --> 00:05:54,900
Most importantly in this last lesson we focused on authorization which is different than authentication

84
00:05:54,900 --> 00:05:55,410
.

85
00:05:55,410 --> 00:06:00,130
Authentication is just logging in checking to see if you are who you say you are.

86
00:06:00,240 --> 00:06:04,950
While authorization is different permissions or security clearances whatever you want to think of it

87
00:06:04,950 --> 00:06:09,810
as it's what a user who is logged in is able to do what they are allowed to do.

88
00:06:09,810 --> 00:06:16,810
So in our case we went from having anyone at all being able to delete and update any campground.

89
00:06:17,100 --> 00:06:23,700
But now only users who own a campground can delete an update and also the last thing we did was hide

90
00:06:23,700 --> 00:06:24,470
the buttons.

91
00:06:24,630 --> 00:06:26,180
Depending on if you're logged in or not.

92
00:06:26,400 --> 00:06:36,860
And we protected three different routes that was added it does appear update right here and delete or

93
00:06:36,870 --> 00:06:37,850
destroy.

94
00:06:37,860 --> 00:06:43,530
And that was using our check campground ownership middleware that we defined for now it's just at the

95
00:06:43,530 --> 00:06:45,390
very bottom of this file.

96
00:06:45,420 --> 00:06:45,940
Awesome.

97
00:06:46,170 --> 00:06:52,080
In the next lesson we'll focus on doing similar stuff for comments so that you can update a comment

98
00:06:52,110 --> 00:06:57,420
and delete a comment and then we'll focus on authorization again making sure that only people who own

99
00:06:57,420 --> 00:06:59,750
a comment can update it or delete it.