To make the authorization checks easier throughout our system, we should create a few helper functions called Guards. These will block requests that are not authorized.
We've created a handful of helper functions that allow us to reuse code, making our applications easier to maintain. For the authorization system of our application we're going to rely heavily on these helper functions. When dealing with authorization, helper functions are sometimes referred to as guards. A guard is a tool that allows us to protect certain sections of our application.

We're going to be creating guards to check the request and only allow administrators to view a page. This guard will make sure that a user is logged in and that a logged-in user is an administrator. Finally, we'll create a guard to make sure that the logged-in user is the owner of a book or a vote that they are trying to edit.

If you remember, from the last stage, we built a function to check if a request requires authentication. This function also used the isAuthenticated function. Yes, both of these functions are guards as well. We're going to build two more guards for admin. This time, not only will we check that the user is logged in, we also need to check for an admin role.

Let's start with the function to check if the user is an admin or not. We'll name this function isAdmin. We'll start by checking if the user is authenticated: if not isAuthenticated, then we're going to return false. If they're not logged in, they're not an admin. If the user is authenticated we now need to check if they have an admin role. Their role id should equal 1. Like we did for our get authenticated user, we can use a session. We start with the global $session, and then we can return $session->get('auth_roles'), and we'll see if this equals 1. This return should give us true or false, depending upon whether our auth_roles equals 1 or not.

Now we can create the guard that requires the user to be an administrator, or gives an error and redirects the user. We'll create a new function and we'll name this requireAdmin. We can use the isAdmin function to tell us if the user is an admin: if not isAdmin, then we're going to use the global $session, and we're going to set $session->getFlashBag()->add('error', 'Not Authorized'). And then we'll redirect to login.php. Now on any page where we require administrative privileges we can simply add requireAdmin to the top of the page, and it will handle everything for us.

There's one more guard that we want to add. We want to set up a function to check if the user who is logged in is the owner of a book or a vote. This function will accept a single property, the id we're trying to match, and then it will get the current logged-in user for comparison. So we'll add a function, and we'll name it isOwner. We'll accept the ownerId, and then we'll start by checking if not isAuthenticated, and we'll return false. If they're not logged in, they can't be the owner. Then we can use the global $session. And we're going to return a comparison of ownerId, compared with $session->get('auth_user_id'). Now with this function, we can get the owner of the book, or a vote, from the database, and pass it to this function, which will make sure that the authenticated user is the actual owner.

Now that our guards are set up, we're ready to start using them in our application.
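The three guards described in the video (isAdmin, requireAdmin and isOwner, on top of isAuthenticated from the previous stage), written out as an added example that is not the course's own code. It runs stand-alone: the SimpleSession class is an assumed stand-in for the Symfony session the course uses (get() for attributes, addFlash() in place of getFlashBag()->add()), ADMIN_ROLE_ID and the expect() helper are assumptions, and the session keys auth_user_id and auth_roles come from the transcript.

```php
<?php
// Added example, not the course's code. Recreates the guards from the video
// over a minimal stand-in session so it runs without the Symfony component.
declare(strict_types=1);

const ADMIN_ROLE_ID = 1; // the role id the video treats as "administrator" (assumption)

// Assumed stand-in for the course's Symfony session: attribute get()/set()
// plus a tiny flash-message bag instead of getFlashBag()->add().
final class SimpleSession
{
    private array $data = [];
    private array $flash = [];

    public function get(string $key, mixed $default = null): mixed
    {
        return $this->data[$key] ?? $default;
    }

    public function set(string $key, mixed $value): void
    {
        $this->data[$key] = $value;
    }

    public function addFlash(string $type, string $message): void
    {
        $this->flash[$type][] = $message;
    }
}

$session = new SimpleSession();

// Guard from the previous stage: logged in means the session holds a user id.
function isAuthenticated(): bool
{
    global $session;
    return $session->get('auth_user_id') !== null;
}

// Admin only when logged in AND the role id matches. The (int) cast plus ===
// keeps PHP's loose comparison ("1abc" == 1) out of an authorization decision.
function isAdmin(): bool
{
    if (!isAuthenticated()) {
        return false;
    }
    global $session;
    return (int) $session->get('auth_roles') === ADMIN_ROLE_ID;
}

// Page-level guard: flash an error and redirect non-admins to login.php.
// The exit after header() matters: header() alone does not stop the script,
// so without it the protected page would still render for the redirected user.
function requireAdmin(): void
{
    if (!isAdmin()) {
        global $session;
        $session->addFlash('error', 'Not Authorized');
        header('Location: login.php');
        exit;
    }
}

// Ownership guard: the owner id stored on the row must equal the logged-in user's id.
function isOwner(int $ownerId): bool
{
    if (!isAuthenticated()) {
        return false;
    }
    global $session;
    return $ownerId === (int) $session->get('auth_user_id');
}

// Assumed helper for the constructed walkthrough below.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

// Constructed walkthrough: anonymous, then a regular user (id 7, role 2), then admin.
expect(isAdmin() === false, 'anonymous is not admin');
expect(isOwner(7) === false, 'anonymous owns nothing');

$session->set('auth_user_id', 7);
$session->set('auth_roles', 2);
expect(isAuthenticated() === true, 'user 7 is logged in');
expect(isAdmin() === false, 'role 2 is not admin');
expect(isOwner(7) === true, 'user 7 owns row with owner id 7');
expect(isOwner(8) === false, 'user 7 does not own row with owner id 8');

$session->set('auth_roles', 1);
expect(isAdmin() === true, 'role 1 is admin');
```

The walkthrough deliberately never calls requireAdmin() as a non-admin, because that path ends in exit; in a real page it sits at the top, before any output. The two defensive details worth keeping when porting this back to the course's Symfony session are the exit after the redirect and the strict integer comparison in both isAdmin() and isOwner().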