1
00:00:00,420 --> 00:00:01,200
Welcome back.

2
00:00:01,410 --> 00:00:07,580
In this video we're going to add in authorization to the comment routes that we just added in so edit

3
00:00:07,650 --> 00:00:13,950
update and destroy the only one to use or to be able to actually edit or update something if that user

4
00:00:14,010 --> 00:00:16,710
owns the comment just like we did for campgrounds.

5
00:00:16,980 --> 00:00:22,950
We'll achieve that with basically the same code where we have a middleware think we called ours check

6
00:00:23,490 --> 00:00:29,070
campground ownership but ours will be called check comment ownership and then we also want to make sure

7
00:00:29,070 --> 00:00:34,620
that we hide and show those buttons so that we don't show a user a delete button that they actually

8
00:00:34,620 --> 00:00:35,620
can't click.

9
00:00:35,640 --> 00:00:37,820
They don't have permission to delete that comment.

10
00:00:38,250 --> 00:00:43,500
Which is also basically the same code that we used for comments or for campgrounds.

11
00:00:43,500 --> 00:00:48,930
And then lastly and this is the only thing that's really new is that I want us to refactor our middleware

12
00:00:48,930 --> 00:00:49,200
.

13
00:00:49,380 --> 00:00:55,470
So basically just move all of our middleware out into a new file and require that file will begin by

14
00:00:55,470 --> 00:01:00,910
making sure that a user can't get to the edit route if he or she doesn't own that comment.

15
00:01:01,050 --> 00:01:04,750
So let's go to the route instead of our comments here.

16
00:01:05,120 --> 00:01:06,840
And let's go to Edit.

17
00:01:07,680 --> 00:01:10,630
We want a middleware here that will do the checking for us.

18
00:01:10,740 --> 00:01:18,990
So check comments ownership just like we did in the last video or in the last campground video where

19
00:01:18,990 --> 00:01:24,870
we did check campground ownership and if we take a look at that code going to just copy the whole thing

20
00:01:24,870 --> 00:01:25,310
over.

21
00:01:25,320 --> 00:01:35,130
It's kind of long put it at the bottom with our other middle where we'll change that name check comments

22
00:01:35,160 --> 00:01:36,360
ownership.

23
00:01:36,510 --> 00:01:41,870
The first thing we do is check is the user log in is any user logged in.

24
00:01:42,510 --> 00:01:49,920
If not just redirect them back and will show a message eventually that says please sign it or you have

25
00:01:49,920 --> 00:01:51,220
to be signed to do that.

26
00:01:51,390 --> 00:01:55,560
And that's a different error than you not being the correct owner.

27
00:01:55,560 --> 00:01:57,830
So we don't want to just say you don't have permission to do that.

28
00:01:57,840 --> 00:02:04,620
Always we want to say sign in first and then if you do sign in and you still don't own it then we'll

29
00:02:04,620 --> 00:02:05,940
send a different message.

30
00:02:05,970 --> 00:02:09,500
For now it doesn't matter because we don't have those messages.

31
00:02:10,320 --> 00:02:14,940
So if you are signed in we need to find the comment comment out fine by Friday.

32
00:02:15,060 --> 00:02:24,260
It's not request up tramstop ID request up tramstop comments Id change this to be found comment.

33
00:02:24,990 --> 00:02:27,690
If there's an error redirect back that's fine.

34
00:02:27,840 --> 00:02:31,700
Else let's change your comment to make it a little clearer.

35
00:02:31,770 --> 00:02:33,020
And I keep saying comment.

36
00:02:33,270 --> 00:02:38,460
I mean change the javascript comment not the actual comment model.

37
00:02:38,490 --> 00:02:47,840
Then we need to check if the found comment author that ID equals request that user ID.

38
00:02:47,850 --> 00:02:51,530
So let's take a look again at the model for comment.

39
00:02:51,570 --> 00:02:59,160
Remember we have an author and that author has an ID and it's a mongoose I.D. So we can't do triple

40
00:02:59,160 --> 00:03:00,970
equals just like with campground.

41
00:03:01,140 --> 00:03:07,170
So if found comment out author ID dot equals that special method we're comparing it to the logged in

42
00:03:07,180 --> 00:03:12,560
user's ID which is stored inside request that user thanks to passport.

43
00:03:12,630 --> 00:03:18,960
So if that's the case everything is good which means we can move on and run the route handler next.

44
00:03:19,290 --> 00:03:27,060
Otherwise redirect back and again the reason I separated all of this out even though it's redstart redirect

45
00:03:27,060 --> 00:03:32,940
back three different times so that we can specify a different error message once we get to that in just

46
00:03:32,940 --> 00:03:34,690
a few videos from now.

47
00:03:34,710 --> 00:03:37,350
So let's now make sure everything else is good.

48
00:03:37,350 --> 00:03:38,400
Check common ownership.

49
00:03:38,400 --> 00:03:40,530
We have that up here.

50
00:03:40,690 --> 00:03:41,920
We need to go to Edit route.

51
00:03:41,940 --> 00:03:44,770
We added that in check comment ownership.

52
00:03:44,770 --> 00:03:49,290
Great let's give it a shot and see what happens.

53
00:03:51,150 --> 00:03:52,470
Good.

54
00:03:53,070 --> 00:03:55,400
So everyone should be able to get here.

55
00:03:55,500 --> 00:04:00,210
I'm not logged in right now so if I click it it takes me back here.

56
00:04:00,210 --> 00:04:01,470
Perfect.

57
00:04:01,470 --> 00:04:13,890
Now if I do log in as Sirius Black who created that comment and I try that again at it it now works

58
00:04:13,890 --> 00:04:15,410
.

59
00:04:15,630 --> 00:04:18,220
Let's just add some expert stuff in here.

60
00:04:18,690 --> 00:04:21,820
Now that's not protected because that's the update route.

61
00:04:21,870 --> 00:04:26,970
So we actually just do the exact same thing which is why it's so nice that we moved it into a separate

62
00:04:26,970 --> 00:04:33,510
function because we could just have all of that code right here and then duplicated it back for update

63
00:04:33,540 --> 00:04:34,270
as well.

64
00:04:34,380 --> 00:04:36,560
Right here.

65
00:04:37,410 --> 00:04:38,720
And for destroy.

66
00:04:38,730 --> 00:04:41,590
But let's just leave it at that for now.

67
00:04:41,700 --> 00:04:44,790
Make sure that it works.

68
00:04:44,790 --> 00:04:53,580
So theoretically I could somehow end up sending an update request from postman or something like that

69
00:04:53,970 --> 00:04:55,940
from some other app.

70
00:04:55,980 --> 00:05:00,300
However you know a user would do that which is would be very rare but theoretically someone could do

71
00:05:00,300 --> 00:05:00,980
that.

72
00:05:01,530 --> 00:05:07,920
And without adding the check comment ownership to update it wouldn't be protected.

73
00:05:08,520 --> 00:05:12,260
But we won't notice anything different here if I try at it.

74
00:05:12,330 --> 00:05:18,400
Same problem if I log back in and you can just skip through this if you don't really care to see it

75
00:05:18,410 --> 00:05:18,840
.

76
00:05:20,460 --> 00:05:30,020
Not the most exciting part of this course watching me log in now if I edit update works fine.

77
00:05:30,060 --> 00:05:36,210
And if I had signed out at that point or if my data was wrong or something weird happened it would then

78
00:05:36,840 --> 00:05:40,610
redirect me back and eventually show a message.

79
00:05:40,870 --> 00:05:44,350
OK so that's update now if I do click on delete.

80
00:05:44,400 --> 00:05:45,570
When I'm not signed in

81
00:05:50,670 --> 00:05:56,330
I can delete that comment which is obviously not what we want to happen so let's fix that.

82
00:05:56,740 --> 00:05:59,080
Let's go to a page that does have comments.

83
00:05:59,150 --> 00:06:01,100
This one doesn't have one.

84
00:06:01,150 --> 00:06:08,400
Let me add a comment in once again not the most exciting.

85
00:06:08,410 --> 00:06:11,880
Oh and I typed a comment at the password incorrectly.

86
00:06:12,600 --> 00:06:13,720
Oh dear.

87
00:06:14,010 --> 00:06:16,130
Let's try that one more time.

88
00:06:16,980 --> 00:06:17,790
OK.

89
00:06:18,060 --> 00:06:19,610
Let's go to Rocky Mountain high.

90
00:06:19,740 --> 00:06:23,150
Add a comment in to me.

91
00:06:23,800 --> 00:06:24,530
OK.

92
00:06:25,260 --> 00:06:29,960
So I don't want a user to be able to delete this unless they're logged in.

93
00:06:29,960 --> 00:06:31,950
It's exactly the same.

94
00:06:31,950 --> 00:06:33,470
Super easy for us.

95
00:06:33,720 --> 00:06:38,410
Just find the destroy route add or middle Waren and that's all we need.

96
00:06:39,060 --> 00:06:44,160
So if we try it I just showed you that currently before we made that change.

97
00:06:44,160 --> 00:06:45,360
Anyone can delete.

98
00:06:45,570 --> 00:06:52,030
Now if I refresh I'm not logged in I clicked delete and it's still there.

99
00:06:52,410 --> 00:06:54,350
Refuses to delete.

100
00:06:54,360 --> 00:07:00,040
Great last big step is showing and hiding these buttons appropriately.

101
00:07:00,090 --> 00:07:03,410
So let me sign in or sign up as someone else.

102
00:07:03,690 --> 00:07:08,600
Let's sign up as Dumble door to door.

103
00:07:08,760 --> 00:07:11,520
Password is also password.

104
00:07:11,520 --> 00:07:16,080
Sign up.

105
00:07:16,110 --> 00:07:22,250
Let's added comments in as well.

106
00:07:22,590 --> 00:07:24,910
Now two different comments two different authors.

107
00:07:25,020 --> 00:07:29,570
If I'm signed in this double door I only want to see the delete buttons here.

108
00:07:29,580 --> 00:07:32,680
These should be hidden for me so to do that.

109
00:07:32,730 --> 00:07:37,520
Take a look at how he did it on the show page for campground delete and edit buttons.

110
00:07:37,560 --> 00:07:39,550
Which is right here.

111
00:07:39,600 --> 00:07:49,050
This single line IF current user and campground author data equals current user ID then we show this

112
00:07:49,800 --> 00:07:54,600
very very similar except for a few changes.

113
00:07:54,690 --> 00:07:59,680
First of which is it's not campgrounds at author dot.

114
00:08:00,630 --> 00:08:05,060
It's comments author and that's defined here in our foreach.

115
00:08:05,070 --> 00:08:13,410
So whatever this is in our case for each campground comments array call it comments display the author

116
00:08:13,520 --> 00:08:17,340
display the text and then check if there is a current user.

117
00:08:17,430 --> 00:08:22,950
And if that current user's ID is here which is stored.

118
00:08:22,950 --> 00:08:26,490
There's a lot of moving pieces here but I will review this briefly.

119
00:08:26,490 --> 00:08:36,260
This is coming from that one line that we added to Abdoulaye us up top that add in.

120
00:08:36,270 --> 00:08:39,240
Where are you right here.

121
00:08:39,240 --> 00:08:43,570
Current User to every single one of our templates.

122
00:08:43,680 --> 00:08:47,740
Current User equals request user and request users coming from passport.

123
00:08:47,760 --> 00:08:50,250
It has the user information so current user.

124
00:08:50,550 --> 00:08:56,220
If there is one we have to do that check if there is one because if we don't have this first part and

125
00:08:56,220 --> 00:09:02,700
all we have is this if there is no current user it will give us an error saying current user is undefined

126
00:09:02,720 --> 00:09:03,150
.

127
00:09:03,540 --> 00:09:06,420
OK so common that authored that ID.

128
00:09:06,420 --> 00:09:15,570
The last thing we need is to add in our closing bracket or a curly brace for the if statement.

129
00:09:15,990 --> 00:09:17,120
No equal sign.

130
00:09:17,490 --> 00:09:19,860
So this is all enclosed in that if statement.

131
00:09:20,190 --> 00:09:23,180
Let's give it a shot to start.

132
00:09:23,180 --> 00:09:28,540
If I were fresh it will log me out and we expect to see no buttons.

133
00:09:28,770 --> 00:09:37,410
Perfect seinen will do double door.

134
00:09:38,920 --> 00:09:42,410
Go back to Rocky Mountain High and we only see those buttons.

135
00:09:42,420 --> 00:09:43,110
Perfect.

136
00:09:43,230 --> 00:09:45,320
Make sure this still works.

137
00:09:46,160 --> 00:09:50,690
Looks good but still it also looks good.

138
00:09:50,700 --> 00:09:52,710
Now let's sign in as Sirius Black

139
00:09:52,710 --> 00:10:00,960
.

140
00:10:00,960 --> 00:10:04,440
Now we expect to see the buttons and we do.

141
00:10:04,530 --> 00:10:07,230
Perfect and I can also delete this now.

142
00:10:07,460 --> 00:10:09,750
Let's delete it.

143
00:10:09,960 --> 00:10:12,270
I want to leave that campground because campgrounds are precious.

144
00:10:12,270 --> 00:10:15,330
We need this takes a while to add a new one back in