As in my last post, I learned how to access the database and display all notes from all users, as well as how to show notes created by a single user.
Diving in code
Today, I learned how to authorize users to view and edit only their own notes.
On VS Code Side
In fresh VS Code (version 1.90 at the time of work), we have following dependencies:
authenticate the user
create separate files to show responses to user when enters id to view note
User Authentication
User authentication allows users to view only their own created notes, and if a user enters a non-existent note ID, the process is terminated using the abort function and if a user tries to access another user's note, show a screen with the heading "Unauthorized".
All of these changes are made in note.php file.
<?php
$config = require('config.php');
$db = new Database($config['database']);
$heading = 'Note';
$currentUserId = 1;
$note = $db->query('select * from notes where id = :id', [
'id' => $_GET['id']
])->fetch();
if (! $note) {
abort();
}
if ($note['user_id'] !== $currentUserId) {
abort(Response::FORBIDDEN);
}
require "views/note.view.php";
As the user enters correct id then related note is shown on page.
Response file
If a user enters a wrong user ID that belongs to another user, the response is checked and the relevant error file is executed.
<?php
class Response {
const NOT_FOUND = 404;
const FORBIDDEN = 403;
}
403 Error File
If the ID is present in the table but belongs to another user, a 403 error page is shown to the user, displaying a heading that reads: You are not authorised to view this page and a link 🖇️ that is underlined: Go back to home.
<?php require('partials/nav.php') ?>
<main>
<div class="mx-auto max-w-7xl py-6 sm:px-6 lg:px-8">
<h1 class="text-2xl font-bold">You are not authorized to view this page.</h1>
<p class="mt-4">
<a href="/" class="text-blue-500 underline">Go back home.</a>
</p>
</div>
</main>
404 Error File
When a user enters a id that is not present in database table neither related to any note then an error page is shown to that user which includes a heading that reads: page not found. and a blue text 🖇️: Go back to home.
<?php require('partials/nav.php') ?>
<main>
<div class="mx-auto max-w-7xl py-6 sm:px-6 lg:px-8">
<h1 class="text-2xl font-bold">Sorry. Page Not Found.</h1>
<p class="mt-4">
<a href="/" class="text-blue-500 underline">Go back home.</a>
</p>
</div>
</main>
I hope that you have clearly understand it.
Top comments (1)
To authorize users to view only their own created notes, follow these steps:
Identify User: Ensure each note is linked to the user who created it, typically using a user ID.
Authentication: Use a method like JWT, OAuth, or session-based authentication to verify the user's identity.
Authorization Check:
When a user requests to view a note, check if the note's userID matches the authenticated user's ID.
If they match, allow access. If not, deny access.
In code, this might look like:
python
Copy code
def get_note(note_id, user_id):
note = Note.query.get(note_id)
if note.user_id == user_id:
return note
else:
return "Unauthorized", 403
Adjust this logic to fit your specific framework and database setup. NJMCdirect