This episode is for members only

Sign up to access "Multiple Drag And Drop File Uploading and Processing with Inertia" right now.

Get started
Already a member? Sign in to continue
Playing
11. Authorizing requests

Transcript

00:00
Okay, so we're going to take a quick break from our upload functionality, but talk about something that's equally important, and that is authorizing these requests. At the moment, we have got a couple of routes here which will change around the file,
00:13
including this one as well, where anyone could just pass any ID in, and we're not authorizing these requests. You might have already done this within Laravel, so it might be pretty straightforward, but I'm going to cover this now anyway because it's so important.
00:25
So let's start with our video update controller. At the moment, we are validating here, but we are not authorizing this request. Anyone can pass a video ID in with any title and description. So to do this, what I typically do is go ahead and create out a request,
00:40
which we can just easily put into and replace our request object, which makes things a little bit neater. So we're going to go ahead and make out a request here, and we're going to call this, let's just get rid of this, video update request.
00:54
So we'll start with update, and we'll work our way through. So with this, we can just replace this request out, so video update request, and we can actually move these validation rules over now just to keep our controllers nice and tidy. So if we open up this video update request, which is in the request directory under HTTP,
01:12
we can come down here and just put these rules directly in here, and that will be validated as normal, so that will just work. It's here that we want to authorize this. So to do this, we want a policy.
01:22
So let's go and make out a policy, and of course, we're going to call this video policy, because it relates to a video, and if we open up that video policy, if you've never worked with policies before in Laravel, we can get rid of this constructor, and we can just create a couple of methods in here,
01:38
which say, well, can we update a video, can we delete a video, and then just return a Boolean to see if we can or not. So in our case, we want to create out an update method in here. The user automatically gets passed in here, but then we can pass in what we're checking.
01:54
So in this case, it's the video. So how do we know a user belongs to a video or a video belongs to a user? Well, we just check the video user ID and check it against the user ID or the other way around. That's basically how we know that we own that video.
02:10
So now over here, we can say auth user can update, and then because we're working within a form request here, and if we just save this, and we're passing a video into our controller or our root, we can just access this directly with this video,
02:30
and that will be the video that gets sent down to our video policy here and then checked. And if this returns false, we'll get a 403, and this will be unauthorized. So let's go over and just try and update one of our videos just to make sure all this is working. So let's hit save, and you can see it works.
02:47
But if, for example, I just explicitly returned false from here and we tried that again, you can see that we get a 403. So that's working nicely. Okay, let's go and just copy this method down.
02:59
We'll do the same thing for deleting. The check is the same. We just want to basically know whether we own this, and we'll just go through the whole process for the deletion of a video.
03:08
So video destroy controller. Let's go and create out a request for this. So php artisan make request video destroy request, and we can just swap this out in here.
03:23
So video destroy request, pull that in. We don't have any validation for here, but that's absolutely fine. In authorized, we can say auth user can destroy this video. So reads really nicely.
03:40
Let's just check our video policy just to make sure we call that destroy. We called it delete, but let's change this over to destroy. Okay, let's go ahead and try this out. We should now be able to delete a video or cancel and upload.
03:53
So let's go and cancel this, and there we go. Sure enough, the request worked really nicely. Okay, so we need to also protect this route as well, because again, we could choose any ID.
04:05
We're not authorizing this, so we'll just go through the same process again. Feel free to cut the video at this point if you know what you're doing. Okay, let's go ahead and create our request for this. So php artisan make request, and let's say video file store request,
04:23
and we'll change this over, video file store request. Open this up, and then of course, we can just add the authorization in here. So we can do the same thing, because even though it's a file for the video, it's the video that counts.
04:37
So over in our video policy, we could create a sort of custom one that doesn't conform to the restful verbs that we usually use. So let's say store file, and I think that's okay. So in here, we're just going to say auth user can store file for this video,
05:01
and that should be good. So now, when we upload a file, each of them things where we can potentially be passing them IDs in are being authorized, and we are protecting this against someone else trying to modify things that we own.
17 episodes1 hr 56 mins

Overview

Build a multiple file chunked uploader in Inertia with the ability to pause, resume and cancel uploads. We’ll also be able to edit metadata (like the title and description) for each upload — even while they’re uploading and processing.

In the second half of the course, we’ll learn how to queue and process uploaded files on the backend (like encoding videos), and in realtime, report back to the client with progress updates using WebSockets.

It’s everything you need to know to upload and process large files in Inertia.

Alex Garrett-Smith
Alex Garrett-Smith
Hey, I'm the founder of Codecourse!

Episode discussion

No comments, yet. Be the first!