So even though we're not asking the user to provide the ID of the book that they want to be deleted (that would be pretty silly),
00:04
we need to treat things like this as user input. Remember, this stuff is on the client side. Anyone can modify this book ID and have it sent down to our application. And at the moment, what we're not doing is authorizing the deletion of a book.
00:22
We're not checking that it belongs to that user. So technically (I'm not going to demonstrate this), we could come over and change around this value in here, 29, and delete someone else's book, which is not a good idea.
00:34
So always treat stuff like this, like deleting, updating, as user input. We don't need to do that for updating because the model will automatically be protected. But when we're specifically grabbing an ID, looking something up, and performing some sort of action on it,
00:49
we do need to treat it like that. So we're going to go ahead and introduce some authorization here and see how easy this is with Livewire. Okay, so to do this, we're going to go and make out a policy.
01:00
And that's going to be our book policy. And this is just going to govern the rules around books and who can do what. So if you've not worked with policies in Laravel before, basically, we can get rid of this constructor.
01:13
And we can provide out a list of methods here that map to different actions that we can perform on books. So for example, delete. We want to return a true or a false value from this method,
01:24
whether the current user is allowed to delete the book that you are giving this method. So the user is implicit. It's already passed in here. We get that in there.
01:34
We don't need to pass that in ourselves. And we'll also pass a book in here. So let's think about how do we know a user owns a book. Well, in this case, we just want to make sure the user ID equals the book's user ID.
01:48
That's basically how we know a user owns a book. So can a user delete a book if their IDs match? Then yes, they can. So we need to register this policy.
01:57
We do that over in the auth service provider over in app and providers. And we can register this just here. So we're going to go ahead and set the book class. That's our model to the book policy.
02:09
That's the policy that we've just created. And we're done. So we can now just start to use this policy to authorize this action. So we do this directly within delete book.
02:19
Now, to authorize this, we do this: $this->authorize(). And that's a method on Livewire's component class. So this isn't anything to do with the standard Laravel stuff.
02:30
It's like a proxy for the authorize method. And in here, we give the action. And then we give the book. Now, we don't have the book because we need to look it up first.
02:40
So we can do this first. Look the book up. There's nothing wrong with looking a book up by its ID in terms of security. But then before we delete this, we authorize this.
02:50
So remember, I said that the user is implicit. When we call this authorize method, the user will automatically be passed through and the book we are passing in just here. So that will authorize whether we're allowed to delete this or not.
03:04
Let's try this out. And we're going to try this out with another user as well. So I'm going to go ahead and delete this book. Sure enough, it works.
03:10
So I am authorized to delete this. Obviously, because I own these books. They are in my account. And we're only grabbing the books that I have.
03:19
So let's go over to our database. And let's change around one of these books for another user. So we don't have any other users. Let's duplicate this down.
03:28
And we'll switch this to Mabel. So we'll save that out. Mabel has an ID of 2. So I'm going to take this another book and switch that over to her.
03:39
So we shouldn't see that now in there. Because obviously, we're listing a list of books just from us. But I can modify this. So over to the database, let's grab the ID of this book.
03:51
It's 27. And this book, if we hit inspect element on this, is 26. I can switch this over to 27. And then when I click on this, this action is unauthorized.
04:06
So what I've done is modified this on the front end to try and delete a book that doesn't belong to me. But because we now have that authorize action in there, it means that we're just seeing an error now.
04:17
And really importantly, that has not been deleted from the database. So this is the very basics of authorization in Livewire. There are a couple of more advanced things we could do. But most of the time, you'll just be calling authorize.
04:29
Whether you use a policy or specifically use a gate, it doesn't really matter. But this tends to be how we authorize things. So important to remember, whenever we're doing anything like this, where we can specifically modify the ID on the client side, we always authorize an action before we do something.
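The policy, its registration, and the authorized delete action from this episode, written out as an added example. This is not the course's own code: the component name (Books), the method name (deleteBook), the App\Models\Book model with a user_id column, and the Livewire 2 namespace App\Http\Livewire are all assumptions; adjust them to match your application. The braced namespace syntax is only so the three pieces can sit in one file here; in a real project each class lives in its own file.

```php
<?php
// Added example, not the course's code. Assumed: App\Models\Book has a user_id
// column, and the Livewire component that lists a user's books is App\Http\Livewire\Books.

namespace App\Policies {

    use App\Models\Book;
    use App\Models\User;

    class BookPolicy
    {
        // The authenticated user is injected by the Gate automatically; only the
        // book needs to be passed in by the caller. Ownership check: the IDs must match.
        public function delete(User $user, Book $book): bool
        {
            return $user->id === $book->user_id;
        }
    }
}

namespace App\Providers {

    use App\Models\Book;
    use App\Policies\BookPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Map the model to the policy so Gate/authorize() can find it.
        protected $policies = [
            Book::class => BookPolicy::class,
        ];

        public function boot(): void
        {
            $this->registerPolicies();
        }
    }
}

namespace App\Http\Livewire {

    use App\Models\Book;
    use Livewire\Component;

    class Books extends Component
    {
        // Before the fix this was effectively: Book::find($id)->delete();
        // The $id arrives from the browser (wire:click="deleteBook(26)"), so anyone can
        // change it in the DOM. Treat it as user input and authorize before acting.
        public function deleteBook(int $id): void
        {
            // Looking the record up by ID is fine; the security decision happens next.
            // findOrFail turns a bogus ID into a 404 instead of a null model.
            $book = Book::findOrFail($id);

            // Livewire's Component exposes authorize() (a proxy for Laravel's
            // AuthorizesRequests::authorize). Throws AuthorizationException, rendered
            // as "This action is unauthorized" (403), unless BookPolicy::delete returns
            // true for the current user and this book. Nothing below runs on failure.
            $this->authorize('delete', $book);

            $book->delete();
        }

        public function render()
        {
            // Listing only the current user's books hides other people's rows, but
            // hiding is not authorization: the check above is what actually protects them.
            return view('livewire.books', [
                'books' => Book::where('user_id', auth()->id())->latest()->get(),
            ]);
        }
    }
}
```

The same $this->authorize('update', $book) call, backed by an update method on the policy with the same ownership test, protects any other action that starts by looking up a record from a client-supplied ID.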
25 episodes•2 hrs 52 mins•1 year ago
Overview
Ready to learn Livewire? Throughout this course, we’ll build up a real application that touches almost every aspect of Livewire — leaving you ready to start building your own applications.