2.4 Protecting the Admin Portal
We want to provide security for our app right from the beginning. So let's write some middleware to ensure only admins, authors, and editors have access to our admin portal.
1.Introduction1 lesson, 01:23
2.Getting Started4 lessons, 45:12
3.Managing Pages6 lessons, 1:12:31
4.User Management2 lessons, 27:40
5.Managing the Blog3 lessons, 42:25
6.Adding Extras2 lessons, 25:48
7.Implementing the Front-End3 lessons, 32:10
8.Homework Review1 lesson, 07:11
9.Conclusion1 lesson, 01:24
2.4 Protecting the Admin Portal
We are pretty much done with our database at least as far as designed is concerned. So, now we can turn our attention to actually implementing our application. That's the whole point as to why we're here. But before we get into the nitty gritty, let's work some code that we can use to protect the Back-End. Or the admin portion of our application. Because we don't want just anybody to have access to the functions for managing our pages and our users. Those should be set aside for really only the people that are in the roles that we defined, the admin, editor, or author. So we are going to write what's called middleware that is going to do that for us. We can use it within our controllers or whenever we define our routes. We can say that we want to use this Middleware with this controller or this route, and that will protect our Back-End. So if you're not familiar with the term Middleware, it's really nothing more than a piece of software that executes within a request. So we have a pipeline of Middleware. And whenever our application receives a request, that request is going to be passed through all the different pieces of Middleware. So each piece of Middleware is going to execute. It might do something with the request or it might not. For example, here's one called RedirectIfAuthenticated And you can see that it has a method called handle. This is handling the request. It is the receiving the request itself and then it also has the next piece of Middleware. So the job of Middleware is to process whatever it needs to process and if it needs to pass on to the next piece of Middleware, then it does that. So, here's what this piece of Middleware does, it checks to see if the user is logged in and if they are it redirects them to home. Otherwise, the user is not logged in, so it just passes on to the next piece of Middleware. So this isn't something that would be executed on every request but it would be used in certain circumstances. If we look at the encrypt cookies, well there's not a whole lot of code here. Let's see if there's anything else, and I don't think we're going to find anything with a handle method. But that's the general idea. So we're going to write some Middleware that is going to check to see if a user is in one of our roles. If they are, then great they have access to whatever it is that we're protecting. Otherwise they get redirected back to the login page or something like that. So, we could just create a new file inside of this Middleware folder and then start going from there. But, we can use Artisan to give us a starting point. So lets say php artisan make, and we want to make some middleware and let's call this AccessAdmin. And that was created successfully. If we look inside of our folder we now have this AccessAdmin class. It gives us the classic, it gives us the handle method. So what we want to do in this method, is check to see if the user is first of all authenticated, but we also want to ensure that they're in specified roles. That's first of all use Auth at the top, and then we will an if statement. We will first check if the user is logged in. I mean really, we technically don't really need to because if the user is not logged in they're not going to have the admin editor or author role. But let's go ahead and check anyway. So if the user is authenticated, and if the user, and we will use the user method, and then we can use one of the methods that we wrote in the previous lesson, hasAnyRole. So if the user has any of the specified roles. So we have admin, we have editor, and let's leave off author for right now so that we can do some testing. If the user isn't either one of these roles then we want to really just allow the user in and in that case we're going to return, we're going to call the next piece of Middleware and pass in the request. Because really nothing else to do. Everything was fine, so okay, the next piece of Middleware is then going to do its thing. But if the user is not authenticated, or is not in those roles, then we want to redirect them. And so we will do that here. So we will say redirect, and we can just redirect to home. That is going to be the Home Page for logged in users at least right now, we're eventually going to change that. So if the user is logged in, but they aren't in any of these roles, then they're just going to be redirected to the Home Page. Now, since the Home Page requires a user to be logged in, if the user is not logged in, then it's going to redirect them again back to the login page. So everything is going to work just fine here. Now that we have this Middleware, we need to tell our application that hey we have this Middleware that we want you to use. So we will go to this kernel.php file, and there's a lot of Middleware defined here. There's this protected middleware. But then there's also Middleware for the route groups. So for any of the web routes this middleware is going to be used. For any of the API routes, this middleware is used. But what we want to do is come down here toe the routeMiddleware because we want to specify a name here so that we can include this with our routes or within our controllers. So we need to give this a name and you can see that these names are pretty simple. So let's keep this simple and just call it admin And then we need to specify our class. So, say App\HTTP\ Middleware\AccessAdmin class. And it go our application is now aware of this middleware. So, we can use it Whenever we define our routes, which is something that we are going to do now. And eventually, we will have some controllers as well. But let's go to the routes folder, and web.php. And we're going to say Route::get, and let's have this for the admin resource. And we are just going to have a function That returns some text. So we will 'say you are an admin or editor' because those are the roles that we are checking for right now. We will eventually change this so that any of our roles will work. And then we want to say that we want to use the Middleware here so say middleware(' admin'). There we go. So we have protected this admin resource. So now we just need to one application go to it in the browser and then test this. So let's say php artisan serve this is going to start up the development server. It is at port 8000. So I don't have a browser so let's start one up. We will go to localhost:8000. And there is our Home Page. Though we don't have the login in link, do we? Well let's go to login, and apparently I was already logged in. So, let's log out and let's log in as Admin. So we have email@example.com, the password is password, and this is the Home Page for logged in users. But we want to go to admin. So our admin is in the admin role so we see that you are. And I didn't complete the sentence did I? You are an Admin or editor. Let's refresh. That has to be correct, so there we go. So that is of course what we expected to see, so that's great. Let's go back to Home so that we log out. But let's also just go ahead and try to access Admin from here. Now this will redirect us not to log in. It redirected us to Home. Which we are not logged in, so that redirected us back to login. So, if a user is not logged in, they cannot access admin and that's what we want. But now let's login as Joe, so that's firstname.lastname@example.org, the password was password, and Joe is a user but he is an author. So if we try to go to admin we should just be redirected back to home, and that's what we see there. So unauthenticated users do not have access to admin, and only admins and editors have access to admin. But we want authors to have access as well. So we're going to add author to our Middleware. And if we try to access admin once again, then we are going to see our message. Although now we need to say that you are an admin, editor or author. We could do something a lot simpler so we wouldn't have to change this but this is going to be fine. So there we go. Now this is just the first step for user authorization. We're not done with user authorization by any stretch of the imagination. So this is a topic that we will come back to in a later lesson.