PHP Laravel Tutorial for Beginners 16 - How to Add User Access Control


Hey, what's up guys, welcome back to the blog. This is part 16 of our Laravel for beginners tutorial series. In the previous part we worked on user authentication and set up the model relationships, and in this part we are going to implement user access control: a feature that lets us control which pages a user is able to access.

Let's look at the home page of our project. As you can see, we can always reach the create post page: if we go to Posts and then Create, we can create a post even when we are not logged in. We don't want that; a user should have to log in before they can create a post. Likewise, if we go to Blog and click a post, we can see the Edit and Delete buttons even when nobody is logged in. Again, we want the user to log in before they can create, edit or delete a post.

To do that, go back to the code editor. If we open the controller for the home page, app/Http/Controllers/HomeController.php, we can see that it registers the auth middleware in its constructor. We are going to copy that into our other controllers, starting with PostsController: paste the __construct method from the HomeController class into it. This is what controls access for users who are not logged in. Back in the browser, if we go to /posts/create we are now kicked out of the create post form and told that we need to log in.

There is a problem, though: if we go to Blog, it also says we need to log in just to view the posts. We don't want that; we only want to restrict creating a post. So we need to exempt the other pages. The middleware call accepts an except() clause that takes an array of the actions that should stay public, so we pass in index and, of course, show. Back in the browser, we can view the blog and the individual posts again, but we still can't reach /posts/create while logged out. Log in with our account and we can reach the create post form.

Now let's fix the single post page. If we log out and go to Blog and then a post, we still see the Edit and Delete buttons. We want to show the post without those buttons. Open resources/views/posts/show.blade.php and find the part that displays the Edit and Delete buttons. We wrap them in an @if that checks that the visitor is not a guest (Auth::guest() is false) and close it with @endif. That limits those buttons to logged-in users: if you are not logged in and open a single post, there are no Edit and Delete buttons, but after logging in with our account they come back. Log out, go back to the same post, and the buttons are gone again.

We also need to change something else: the Edit and Delete buttons should only appear when the logged-in user is the owner of that post. Inside the first @if, add another @if that compares the id of the currently logged-in user, Auth::user()->id, with the post's user_id; remember we added the user_id column with a migration in the previous part. Close that with @endif as well. Now, even when you are logged in, you won't see the Edit and Delete buttons on a post you don't own. For example, the logged-in user is not the owner of this post, so there are no buttons, but on a post this user created the Edit and Delete buttons are there.

Hiding the buttons is not enough, though. We can edit our own post, but if we change the id in the URL to 5, which is a post from another user, the edit form still opens. The view only decides what gets rendered; the URL still works. We don't want this user to be able to edit other users' posts, so the check has to be in the controller. Go to PostsController and, in the edit function, below the line that fetches the post, check whether the authenticated (logged-in) user's id is not equal to the post's user_id. If it is not the owner, return a redirect to the posts page with an error message: with('error', 'Unauthorized Page'). Save that, go back to the browser, open Blog, then the first post (its id is 6), then edit. Change the id to 5 and it redirects to the posts page, but the error message isn't displayed yet, because our layout doesn't include the messages partial. Open resources/views/layouts/app.blade.php and add @include('inc.messages'), which pulls in resources/views/inc/messages.blade.php. Save, try /posts/5/edit again, and now it shows "Unauthorized Page", because we're not authorized to edit a post that belongs to another user.

We need to do the same for delete. Back in PostsController, the destroy function needs the same logic, so copy the check from the edit function and paste it into destroy after the post is fetched: if the authenticated user's id is not equal to the post's user_id, redirect to the posts page with the same error message.

That's all there is to it for this tutorial. We have limited what users can do with posts that don't belong to them. See you in the next one, thanks.
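Here is the controller side of this part pulled together in one file. It is an added example, not the tutorial's own PostsController, and it assumes the model is App\Post with a user_id column, the posts.index, posts.show and posts.edit views from earlier parts, and resource routes for /posts; the create and store actions are left out since this part does not change them. It goes beyond the transcript in two ways: the ownership check is also applied to update, and the comparison casts both ids to int.

```php
<?php
// app/Http/Controllers/PostsController.php (added example; assumed file layout)

namespace App\Http\Controllers;

use App\Post;               // assumed model from the earlier parts
use Illuminate\Http\Request;

class PostsController extends Controller
{
    public function __construct()
    {
        // Guests may only reach the public listing and the single-post page.
        // Every other action (create, store, edit, update, destroy) sends an
        // unauthenticated visitor to the login page.
        $this->middleware('auth')->except(['index', 'show']);
    }

    public function index()
    {
        $posts = Post::orderBy('created_at', 'desc')->paginate(10);
        return view('posts.index')->with('posts', $posts);
    }

    public function show($id)
    {
        $post = Post::findOrFail($id);
        return view('posts.show')->with('post', $post);
    }

    public function edit($id)
    {
        $post = Post::findOrFail($id);

        // Server-side ownership check. Hiding the Edit button in the view is
        // cosmetic only; anyone can type /posts/5/edit into the address bar.
        if (! $this->isOwner($post)) {
            return $this->denied();
        }

        return view('posts.edit')->with('post', $post);
    }

    public function update(Request $request, $id)
    {
        $this->validate($request, [
            'title' => 'required',
            'body'  => 'required',
        ]);

        $post = Post::findOrFail($id);

        // The edit form submits here, so the same check is needed; otherwise a
        // user could skip the form and PUT directly to /posts/5.
        if (! $this->isOwner($post)) {
            return $this->denied();
        }

        $post->title = $request->input('title');
        $post->body  = $request->input('body');
        $post->save();

        return redirect('/posts')->with('success', 'Post Updated');
    }

    public function destroy($id)
    {
        $post = Post::findOrFail($id);

        if (! $this->isOwner($post)) {
            return $this->denied();
        }

        $post->delete();
        return redirect('/posts')->with('success', 'Post Removed');
    }

    // True when the logged-in user wrote this post. Both sides are cast to int
    // so a strict comparison does not fail just because the database driver
    // hands back one of the ids as a string.
    private function isOwner(Post $post): bool
    {
        return (int) auth()->id() === (int) $post->user_id;
    }

    // Flash the message the tutorial uses and send the user back to the list.
    private function denied()
    {
        return redirect('/posts')->with('error', 'Unauthorized Page');
    }
}
```

The auth middleware only answers "is anyone logged in?"; the ownership test inside each action answers "is it this user's post?", and that second question has to be asked in every action that reads or writes a specific post, not just the ones that render buttons. Laravel also ships policies and $this->authorize('update', $post) for exactly this kind of check, which is worth switching to once the rules grow beyond a single owner comparison.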
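The view side, as an added example rather than the tutorial's files: a show.blade.php that only renders the Edit and Delete buttons for the post's owner, followed by the inc/messages.blade.php partial that displays the flashed error. It assumes the layouts.app layout, a Post->user relationship from the earlier parts, and a plain HTML delete form with csrf_field() and method_field() rather than a form builder package.

```php
{{-- resources/views/posts/show.blade.php (added example; assumed layout and relationship) --}}
@extends('layouts.app')

@section('content')
    <a href="/posts" class="btn btn-default">Go Back</a>
    <h1>{{ $post->title }}</h1>
    <p>{{ $post->body }}</p>
    <hr>
    <small>Written on {{ $post->created_at }} by {{ $post->user->name }}</small>
    <hr>

    {{-- Buttons appear only for a logged-in user who owns the post. This is
         presentation only: /posts/{id}/edit is still a valid URL, so the
         controller has to repeat the ownership check. --}}
    @if(!Auth::guest())
        @if(Auth::user()->id == $post->user_id)
            <a href="/posts/{{ $post->id }}/edit" class="btn btn-default">Edit</a>

            <form action="/posts/{{ $post->id }}" method="POST" class="pull-right">
                {{ csrf_field() }}
                {{ method_field('DELETE') }}
                <input type="submit" value="Delete" class="btn btn-danger">
            </form>
        @endif
    @endif
@endsection


{{-- resources/views/inc/messages.blade.php: pulled into layouts/app.blade.php
     with @include('inc.messages') so the 'error' flashed by the redirect is shown --}}
@if(session('error'))
    <div class="alert alert-danger">
        {{ session('error') }}
    </div>
@endif

@if(session('success'))
    <div class="alert alert-success">
        {{ session('success') }}
    </div>
@endif
```

Keep the body output escaped with {{ }} unless the post body is sanitised elsewhere; the nested @if blocks decide what the owner sees, but nothing in this template stops a request, which is why the redirect and the "Unauthorized Page" message come from the controller.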
