2.4 Protecting the Admin Portal
We want to provide security for our app right from the beginning. So let's write some middleware to ensure only admins, authors, and editors have access to our admin portal.
1.Introduction1 lesson, 01:23
2.Getting Started4 lessons, 46:41
3.Managing Pages6 lessons, 1:12:31
4.User Management2 lessons, 27:37
5.Managing the Blog4 lessons, 41:51
6.Adding Extras2 lessons, 26:07
7.Implementing the Front-End3 lessons, 30:24
8.Homework Review1 lesson, 07:11
9.Conclusion1 lesson, 01:24
2.4 Protecting the Admin Portal
We are pretty much done with our database so at least as far as design is concerned. So now we can turn our attention to actually implementing our application, that's the whole point as to why we're here. But before we get into the nitty gritty, let's write some code that we can use to protect the back end, or the admin portion of our application. Because we don't want just anybody to have access to the functions for managing our pages and our users. Those should be set aside for really only the people that are in the roles that we defined, the admin, editor, or author. So we are going to write what's called middleware, that is going to do that for us. We can use it within our controllers, or whenever we define our routes, we can say that we want to use this middleware with this controller or this route, and that will protect our back end. So if you're not familiar with the term middleware, it's really nothing more than a piece of software that executes within a request, so we have a pipeline of middleware. And whenever our application receives a request, that request is going to be passed through all the different pieces of middleware. So each piece of middleware, is going to execute and might do something with the request, or it might not. For example, here's one called RedirectifAuthenticated, and you can see that it has a method called handle, this is handling the request. It is receiving the request itself, and it also has the next piece of middleware. So the job of middleware, is to process whatever it needs to process, and if it needs to pass on to the next piece of middleware, then it does that. So here's what this piece of middleware does, it checks to see if the user is logged in, and if they are, it redirects them to home. Otherwise, the user is not logged in, so it just passes on to the next piece of middleware. So this isn't something that would be executed on every request, but it would be used in certain circumstances. If we look at the encrypt cookies, well, there's not a whole lot of code here. Let's see if there's anything else and I don't think we are going to find anything with a handle method. But that's the general idea, so we're going to write some middleware that is going to check to see if a user is in one of our roles. If they are then great, they have access to whatever it is that we are protecting. Otherwise they get redirected back to the login page, or something like that. So we could just create a new file inside of this middleware folder, and then start going from there. But we can use artisan to give us a starting point. So let's say php artisan make:, and we want to make some middleware, and let's call this AccessAdmin. And that was created successfully, if we look inside of our folder, we now have this AccessAdmin class. It gives us the class it gives us the handle method, so what we want to do in this method, is check to see if the user is first of all authenticated, but we also want to ensure that they are in our specified roles. Let's first of all use Auth at the top and then we will have an if statement, we will first check if the user is logged in. I mean, really, we technically don't really need to because if the user is not logged in, they are not going to have the admin editor or author role, but let's go ahead and check anyway. So if the user is authenticated, and if the user, and we will use the user method. And then we can use one of the methods that we wrote in the previous lesson hasAnyRole. So if the user has any of the specified roles, so we have (['admin', we have 'editor'])) and let's leave off author for right now so that we can do some testing. If the user is in either one of these roles, then we want to really just allow the user in. And in that case, we're going to return, we're going to call the $next piece of middleware and pass in the ($request); because there's really nothing else to do. Everything was fine so okay, the next piece of middleware is then going to do its thing. But if the user is not authenticated or is not in those roles, then we want to redirect them, and so we will do that here. So we'll say redirect, and we can just redirect to ('home');. That is going to be the homepage for logged in users at least right now, we are eventually going to change that. So if the user is logged in, but they aren't in any of these roles, then they're just going to be redirected to the homepage. Now since the homepage requires a user to be logged in, if the user is not logged in, then it's going to redirect them again, back to the login page. So, everything is going to work just fine here. Now that we have this middleware, we need to tell our application that hey, we have this middleware that we want you to use. So we will go to this kernel.php file, and there's a lot of middleware defined here. There's this protected middleware, but then there's also middleware for the route groups. So for any of the web routes, this middleware is going to be used for any of the API routes, this middleware is used. But what we want to do is come down here to the $routeMiddleware, because we want to specify a name here so that we can include this with our routes, or within our controllers. So we need to give this a name, and you can see that these names are pretty simple, so let's keep this simple and just call it admin, and then we need to specify our class. So we say App\Http\Middleware,and then our AccessAdmin::class, and there we go, our application is now aware of this middleware. So we can use it whenever we define our routes, which is something that we're going to do now, and eventually we will have some controllers as well. But let's go to the routes folder and web.php, and we're going to say Route::get, let's have this for the ('/admin') resource, and we're just going to have a function that returns some text. So we will say you are an admin, or editor, because those are the roles that we are checking for right now. We will eventually change this so that any of our roles will work, and then we want to say that we want to use the middleware here so we will say middleware not auth ('admin');. There we go, so we have protected this admin resource, so now we just need to run our application, go to it in the browser, and then test this. So let's say php artisan serve, this is going to start up the development server, it is at Port 8000, so I don't have a browser. So let's start one up, we will go to localhost port :8000, and there is our homepage. Though we don't have the login link, do we? Well let's go to login, and apparently I was already logged in, so let's log out, and let's log in as admin. So we have email@example.com, the password is password. And this is the homepage for logged in users but we want to go to admin. So our admin is in the admin roles, so we see that you are an well, I didn't complete that sentence did I? You are an admin, or editor, let's refresh that has to be correct, so there we go. So that is of course what we expected to see, so that's great. Let's go back to home so that we can log out, but let's also just go ahead and try to access admin from here. Now this will redirect us, not to login, it redirected us to home, which we are not logged in, so that redirected us back to login. So, if a user is not logged in, they cannot access admin and that's what we want. But now let's log in as Joe, so that's firstname.lastname@example.org, the password was password, and Joe is a user, but he is an author. So if we try to go to admin, we should just be redirected back to home, and that's what we see there. So unauthenticated users do not have access to admin, and only admins and editors have access to admin. But we want authors, to have access as well, so we're going to add author to our middleware. And if we try to access admin once again, then we are going to see our message. Although now we need to say that you are an admin, editor, or author. We could do something a lot simpler so that we wouldn't have to change this but, this is going to be fine so, there we go. Now this is just the first step for user authorization, we are not done with user authorization by any stretch of the imagination. So this is a topic that we will come back to in a later lesson.