Build a Trello Clone With Livewire

Sign in Get started

This episode is for members only

Sign up to access "Build a Trello Clone With Livewire" right now.

Already a member? Sign in to continue

Playing

28. Reviewing authorization

Episodes

0%

Your progress

Total: 2h 27m
Played: 0m
Remaining: 2h 27m

Join or sign in to track your progress

01. Introduction

01. Introduction and demo

02. A fresh Laravel app

03. Setting up boards

02. Designing the board

04. Styling a scrollable board

05. Columns and headings

06. Fitting cards in columns

03. Sorting stuff

07. Showing columns

08. Showing cards in columns

09. Sortable Eloquent models

10. Sorting columns

11. Moving cards between columns

12. Handling moved cards

04. Managing the board

13. Creating columns

14. Editing column titles

15. Creating cards

16. Creating modals

17. Building a modal wrapper

18. Editing cards

19. Adding card notes

05. Archiving

20. Archiving cards

21. Archiving columns

22. Showing archived items

23. Restoring archived items

24. Moving archivable things to a trait

06. Dashboard

25. Showing all boards

26. Creating a new board

07. Improvements

27. Linking to boards

28. Reviewing authorization

29. Scoping orderable updates

30. Customising sortable styles

31. Autofocus when updating columns

Transcript

00:00

Really importantly, let's review some of the authorization that we are, and really importantly, are not doing. So I'm going to head straight over to the browser, open up one of these, and let's look at some of the places where we're updating stuff, archiving things, all that kind of stuff.

00:16

So we've got a column update. We've got a card update. So we can obviously update a card. We can add a card in here as well.

00:24

And we can archive each of the cards in here, too. So some of the things we've neglected to add authorization for, even though technically someone can't access our board, doesn't mean that they can't go in and modify any of the IDs that they're working with to switch over to ours. So let's start with the column stuff. So if we open up our Livewire column here, we've got the ability to update a column and we've got the ability to archive a column.

00:52

To update this, we're going to go ahead and create out a policy. So let's add in not our board policy. This is now going to be a column policy. And we'll just repeat all of the steps until everything is authorized.

01:06

OK, so we already know what we're going to do here because we've seen this before. To update a column, we're going to go ahead and authorize this action. And this will be to update a column. And we already know that we've got the column directly inside of here.

01:20

Let's go ahead and grab this and do exactly the same thing for archiving a column as well. So can we archive a column? And the benefit to this is if you wanted to assign later on certain rules, whether or not a user could archive columns, you might be having this as some sort of group board, then you'll want to, you can apply specific permissions for each of these. OK, so over in our column policy, we can just add in the methods that we need here now.

01:46

So both of these are going to be exactly the same thing. So to update a column, we'll get the user in here. The user must always be there. So that's pretty obvious.

01:56

And we'll have the column in here from our models. And we know that the condition here is that the user ID matches the column user ID. And while we're here, we can just duplicate this down and set one specifically for archiving as well. So let's go ahead and update our column here.

02:15

And that works. Let's archive this column. And sure enough, that works as well. So we can even put that back if we wanted to.

02:22

Let's do the same for some of the other things that we're doing, like editing a card. So over in our edit card modal, when we update a card, we're not authorizing this either. So we'll go ahead and create another policy specifically for our cards here. And we know, again, what to do.

02:40

We want to authorize this action to update the card that we currently have in here. And let's just take a look. We've also got the ability to archive a card. So let's change this over to archive.

02:53

And we can pretty much from here go over to our column policy, grab both of these, because they're going to be pretty much exactly the same apart from the model just being slightly different. So let's go over to our card policy. And we'll go ahead and add both of these in here.

03:08

And we'll update this to reference our card model instead. And, of course, this will now be card. And this will be card as well. So we just want to update these here.

03:20

And we're pretty much good to go. Okay, let's just double check that we can modify one of these. Hit save. And we've also got another issue here where the notes field is required, which we added in earlier.

03:33

You might have spotted this, but we don't need this. So why don't we fix that up now as well? Okay, so over in our edit card form, let's go and set this to nullable. Or we could just get rid of it.

03:45

And we should now be able to update the title. And not that. That works. We should also be able to archive a card now.

03:52

And, of course, that is getting authorized. And, yeah, we can put these back as well if we want to. So let's finish up by just adding some authorization rules to adding a column for a specific board and adding a card for a specific column.

04:06

And then, of course, you can add more or adjust these a little bit later if you want to. Or do these on your own. Okay, so what do we want to do for adding a column? Well, we could do this a couple of ways.

04:19

So we could try and add this to our column policy. But it doesn't really make sense here because we don't have the board in context of here. So really we want to do this at the very top level. So we actually want to do this at our board policy.

04:34

And we want to create a rule in here to say, well, can we add a column? So we could call this whatever we want to do. So create or add column. Create is probably more appropriate here.

04:45

Again, we're going to get exactly the same thing in here. The user in here and the board just in here. And, again, it's going to be exactly the same thing. We just want to check that the user ID who is creating the column on the board matches the board ID.

05:01

Okay, let's go ahead and update that on our board show. So when we go and create a column, we want to authorize this to make sure we can do that on the board. So authorize, create column and all the board that we are currently on. Let's go over, try and create another column.

05:21

And that's all good. Let's finish up with adding a card to a column now. So, again, we're going to do this at the root level. So we're going to come over to our column policy.

05:31

And we want to know whether we can add a card to this specific column. So create card. And, again, we get exactly the same things in here. And it's going to be exactly the same rules.

05:43

We can only create a card on a column if we own that column, which is another good reason why we added this user ID in here. It means that we don't have to go back into relationships to check this stuff. Okay. Let's go over to our column component. Go over to where we are creating a card.

06:00

And let's authorize this as the final one. So let's say create card. And, of course, pass in that column. Great. So we should now be able to create cards.

Episode summary

In this episode, we're doing a thorough check-up of our app's authorization—basically, we're making sure users can't sneakily update, archive, or add stuff they shouldn't be able to. We kick things off by looking at the current places where things like columns and cards can be updated, archived, or added, and realize we still need to lock things down in a few spots.

We start by adding policy methods for updating and archiving columns, making sure only the right users can do these actions. That means writing policy classes, plugging in some checks, and testing it out to see that, yep, the right permissions are enforced. We repeat this process for cards—creating update and archive methods in the card policy, making sure again only owners can perform these changes. Along the way, there's a quick detour to fix a bug where the notes field was required, but shouldn't be, just to keep things running smoothly.

Afterwards, we move on to adding new columns and cards. Here, we think carefully about which policy is responsible (board policy for columns, column policy for cards) and implement the same kind of ownership checks. We wire everything up, test things out in the UI, and see that authorization is working everywhere it needs to be.

So by the end of this episode, we've systematically tackled all those "who's allowed to do what?" questions, nailing down the access rules for boards, columns, and cards throughout the app. If you want to tweak or extend things later, all the patterns are now nicely in place!

Episode discussion

No comments, yet. Be the first!