Ready to get started?
Join Adocasts Plus for $8.00/mo, or sign into your account to get access to all of our lessons.
Applying Our Server-Side Authorization Checks
In this lesson, we'll use our access controls to add authorization checks to our controllers where needed. This will help ensure members can't update, delete, or invite users.
- Author
- Tom Gobich
- Published
- Jan 31
- Duration
- 13m 0s
Developer, dog lover, and burrito eater. Currently teaching AdonisJS, a fully featured NodeJS framework, and running Adocasts where I post new lessons weekly. Professionally, I work with JavaScript, .Net C#, and SQL Server.
Adocasts
Burlington, KY
Get the Code
Download or explore the source code for this lesson on GitHub
Ready to get started?
Join Adocasts Plus for $8.00/mo, or sign into your account to get access to all of our lessons.
-
Getting Started
-
1.0What Is InertiaJS?Lesson 1.01m 57s
-
1.1What We'll Be BuildingLesson 1.16m 18s
-
1.2Creating Our AdonisJS App With InertiaJSLesson 1.211m 26s
-
1.3Server-Side Rendering (SSR) vs Client-Side Rendering (CSR)Lesson 1.36m 6s
-
1.4Setting Up TailwindCSS, Shadcn-Vue, and Automatic Component ImportsLesson 1.419m 9s
-
-
The Basics
-
2.0The Flow of Pages and Page PropsLesson 2.06m 55s
-
2.1Sharing Data from AdonisJS to Vue via InertiaLesson 2.17m 37s
-
2.2Linking Between Pages & Page State FlowLesson 2.25m 58s
-
2.3The Link Component and Programmatic LinkingLesson 2.38m 32s
-
2.4Global Components and Hydration Mismatch in ActionLesson 2.45m 0s
-
2.5Partial and Lazy Data Loading and EvaluationLesson 2.59m 11s
-
2.6Creating A LayoutLesson 2.66m 55s
-
2.7Default Layouts & Overwriting the Default LayoutLesson 2.76m 0s
-
2.8Specifying Page Titles & Meta TagsLesson 2.88m 59s
-
2.9What Code Can & Can't Be Shared Between AdonisJS & InertiaLesson 2.93m 10s
-
-
Working with Forms
-
3.0Inertia Form BasicsLesson 3.04m 15s
-
Form Validation & Displaying ErrorsLesson 3.16m 47s
-
The useForm HelperLesson 3.28m 0s
-
Common useForm Methods & OptionsLesson 3.34m 23s
-
Creating A FormInput Vue ComponentLesson 3.47m 9s
-
Cross-Site Request Forgery (CSRF) Protection in InertiaJSLesson 3.52m 55s
-
What Are Some of Inertia's LimitationsLesson 3.64m 26s
-
-
Database & Project Scaffolding
-
Understanding Our Database SchemaLesson 4.02m 18s
-
Defining Our Migrations & Foreign KeysLesson 4.113m 48s
-
Defining Our Lucid Models & RelationshipsLesson 4.219m 8s
-
Creating A Lucid Model Mixin for our Organization RelationshipLesson 4.38m 29s
-
Seeding Our Initial Database DataLesson 4.43m 39s
-
Typing Lucid Models in Inertia with DTOsLesson 4.510m 58s
-
Completing Our AppLayout & Navigation BarLesson 4.616m 31s
-
Creating A Toast Message ManagerLesson 4.715m 7s
-
-
Authentication & Onboarding
-
User Registration with InertiaJSLesson 5.08m 37s
-
Splitting Our Routes Between Auth & WebLesson 5.15m 5s
-
Logging Out UsersLesson 5.24m 20s
-
Onboarding Newly Registered UsersLesson 5.322m 31s
-
Logging In Users & Displaying ExceptionsLesson 5.410m 40s
-
Adding the Remember Me TokenLesson 5.55m 45s
-
Forgot Password & Password ResetLesson 5.629m 42s
-
-
The User's Organizations
-
Setting & Loading the User's Active OrganizationLesson 6.012m 42s
-
Listing the User's OrganizationsLesson 6.16m 42s
-
The Form Dialog Component & Adding OrganizationsLesson 6.211m 51s
-
Switching Between OrganizationsLesson 6.32m 56s
-
Creating A UseResourceActions ComposableLesson 6.48m 42s
-
Editing the Active OrganizationLesson 6.57m 0s
-
The Confirm Delete Dialog & Deleting the Active OrganizationLesson 6.618m 24s
-
-
Difficulties, Statuses, & Access Levels
-
Listing & Creating DifficultiesLesson 7.015m 14s
-
Updating DifficultiesLesson 7.14m 44s
-
Confirming & Deleting DifficultiesLesson 7.24m 15s
-
Replacing A Course's Deleted DifficultyLesson 7.316m 31s
-
Reusable VineJS Exists In Organization ValidationLesson 7.43m 38s
-
Sorting Difficulties with Drag & DropLesson 7.59m 21s
-
Creating A Reusable Sorting Vue ComponentLesson 7.64m 1s
-
Replicating Behaviors for Access Levels & StatusesLesson 7.714m 28s
-
-
Courses
-
Modules & Lessons
-
Querying & Listing Sortable Course ModulesLesson 9.014m 43s
-
Creating, Editing, & Deleting Course ModulesLesson 9.115m 57s
-
Creating & Listing Sortable Course LessonsLesson 9.219m 30s
-
Editing & Deleting Course LessonsLesson 9.35m 9s
-
Adding A Publish Date & Time InputLesson 9.48m 20s
-
Patching Tag Changes for our Modules & LessonsLesson 9.58m 42s
-
Storing Module Order Changes from Vue DraggableLesson 9.68m 31s
-
Storing Lesson Order Changes & Handling Cross-Module Drag & DropsLesson 9.715m 44s
-
-
Settings
-
Creating the Settings ShellLesson 10.08m 10s
-
User Profile SettingsLesson 10.16m 58s
-
Allowing Users to Safely Update Their Account EmailLesson 10.210m 39s
-
Alerting Users When Their Account Email Is ChangedLesson 10.34m 35s
-
Account Deletion & Cleaning Dangling OrganizationsLesson 10.410m 6s
-
Updating & Deleting an OrganizationLesson 10.510m 15s
-
-
Organization Members
-
Listing Current Organization MembersLesson 11.08m 25s
-
Sending an Invitation to Join Our OrganizationLesson 11.113m 30s
-
Accepting an Organization InvitationLesson 11.218m 4s
-
Adding the Organization Invite User InterfaceLesson 11.320m 0s
-
Canceling an Organization InviteLesson 11.46m 5s
-
Removing an Organization UserLesson 11.59m 37s
-
Refreshing Partial Page DataLesson 11.65m 17s
-
-
Authorization
-
Rolling Our Own Authorization Access ControlsLesson 12.06m 55s
-
Applying Our Server-Side Authorization ChecksLesson 12.113m 0s
-
Applying Our Authorization UI ChecksLesson 12.26m 23s
-
Setting Up Secondary TailwindCSS Config & CSS File for our Landing PageLesson 12.38m 43s
-
Restricting Login Attempts with Rate LimitingLesson 12.49m 24s
-
Clearing Login Attempt Rate Limits on Password ResetLesson 12.54m 31s
-
-
InertiaJS 2
-
Upgrading to Inertia 2Lesson 13.011m 53s
-
Polling for Changes in InertiaJS 2Lesson 13.14m 12s
-
Prefetching Page to Boost Load Times in InertiaJS 2Lesson 13.211m 26s
-
Defer Loading Props in InertiaJS 2Lesson 13.35m 55s
-
Deferring A Prop Load Until it is Visible in InertiaJS 2Lesson 13.44m 27s
-
Super Easy Infinite Scroll in InertiaJS 2 with Prop MergingLesson 13.511m 9s
-
Join The Discussion! (8 Comments)
Please sign in or sign up for free to join in on the dicussion.
emilien
Hi Tom, I'm currently building a task management application, and I find it pretty similiar to your project in termes of "architecture". I have a workspace model that could be assimilated to your organization model. So when it comes to setting the active workspace feature I did the same thing as you did, same for ACL, abilities etc. So basically if the authenticated user is not a member of a workspace, it doesn't appear in his list of workspaces and then cannot set it as active.
But I'm facing a problem when I tried to get access to a workspace page, that the authenticated user is not a member of by putting the workspace id in the URL. Since my user has another active workspace in which his role is ADMIN, then, the user can access the workspace even if he's not a member of it.
I was asking myself if you managed it, if I missed something, or if it's "normal" and I need to modify how I check the user's role and stop using the active workspace ?
Sorry, I think this is not very clear, pretty hard to explain it since I'm a bit lost in all of those concepts 😅
Please sign in or sign up for free to reply
tomgobich
Hi emilien! I think I'm following correctly, but let me know if this sounds off base.
So, we manage this with our organizations by querying the active org through the authenticated user, which ensures the user is a member of the org. If the user sets an id of an org that they aren't a member of, our query won't find a match and will instead overwrite the user's active org to the first org found that they're a member of.
For our application, the active organization is determined via a cookie. It sounds like you might have this set up as a route parameter.
If that's the case, ensure you attempt to query the workspace through the authenticated user. If a workspace is not found, you'll want to either:
Throw an unauthorized exception to prevent the user from working with the workspace. You can then offer some button to take them back to safety.
Or, find a valid workspace for the user and redirect them to it. You'll also want to notify them that they did not have access to the previously requested workspace.
The first option there probably being the best as it will ensure the user knows what happened. You don't want to continue onward as the URL contains an invalid id for the user, which could accidentally be used to load something or on subsequent requests sent from whatever page is rendered as a result.
Hopefully that's at least a little on point and helps a little. If not, please feel free to share your query/flow, or a representation of it, and I can try and see if anything stands out.
Please sign in or sign up for free to reply
emilien
Hi Tom, thanks for your reply. After reading my first comment, I think I was not clear at all 😅
I also use a cookie for the active workspace.
I'll try to explain my problem a little bit better :
user A is member and admin of workspace A → id = 1
user B is member and admin of workspace B → id = 2
Everything is fine for the moment, according to my ACL if the user A goes to '/workspaces/1' he can see the page. Same for user B if '/workspaces/2'. This URL will trigger the
show()method in WorkspacesController. You won't see the use of the ACL in this method in the repo cause I did not commited, but I used it like you do in your tutorial.My problem is that if for some reasons, the user B goes to '/workspaces/1', he can still view the workspace, however he's not a member of it. I reproduced the same logic as you did to get the active workspace
I probably have missed something or there is a point that I do not understand. Maybe you already pointed it out in your answer, and if that's the case, I'm sorry. But I'm a bit confused, it's the first time that I have to work with permissions.
Please sign in or sign up for free to reply
tomgobich
Alrighty, I think I see what's going on! Where your project differs is that your
/workspaces/:idroute merely renders a page. In our project, and even in yourmainbranch, this instead sets the active org/workspace in our PlotMyCourse & on your main branch, then redirects back to the dashboard.Where I think the confusion comes in is the
/:idin your/workspaces/:idroute is merely symbolic since you're actually loading the workspace via the user's cookie. So, the displayed workspace is whatever is stored in the cookie and not what is provided via the route parameter id. Things do seem to still be working, the issue is that the id in the url can differ from what is actually displayed. Which, can lead to issues if you were to ever actually use the url's id for something.So, to prevent that possibility, I would either
Stick to the cookie and get rid of the
/:idin your/workspaces/:idroute to instead have something like:/workspaceor/workspaces/showOr, drop the cookie and instead use the id route parameter.
To add, there isn't an issue with using
/workspaces/:id/activeto set the active workspace. The issue is that the new/workspaces/:idroute that shows the workspace has two spots it could pull the id from; the id route parameter in the url and the cookie, and those can differ from one another.Here's a video walkthrough of the behavior I was seeing on your
feat/workspace-rolesbranch. This shows how user-a could request workspace b via/workspaces/2but actually still saw workspace a; meaning the id in the url did not match the workspace used.Here's another walkthrough of the behavior I saw on your
mainbranch. In this branch everything works fine.Hope this helps!!
Please sign in or sign up for free to reply
emilien
Of course this helps, could have spent a lot of time on this. That is so obvious with your explanation… Thanks a lot. Oh I feel so dumb, I created a route with a parameter that I don't use…
I think I also need to take time to document the flow of setting an active workspace etc and understand it much better. Completely forgot that the middleware kind of "block" access to workspaces that the user is not a member of.
Thanks again Tom ! Loving your tutorials and your fast answers to comments ! 😊
Please sign in or sign up for free to reply
tomgobich
Awesome, glad to hear that helped clear things up! Ah, please don't feel dumb about that, it is just a small oversight. We've all done a lot worse!! 😊
That sounds like a great plan! Having a document/diagram of how things work would definitely help. That's something I'd like to make a more concerted effort to do in-lesson.
Anytime emilien!! Always happy to help where I can! 😊
Please sign in or sign up for free to reply
emilien
I've tried to make a flowchart of the middleware and how it uses both, GetActive and SetActive actions. It is related to my use case (workspace and not organization) though, but I think the logic stays the same.
I don't know if you'll find it useful, but just in case, here it is. Let me know if there are any errors or inconsistencies. It was really interesting to do and taught me a lot, maybe I could help with this kind of thing if needed, don't hesitate, it would be a pleasure.
Please sign in or sign up for free to reply
tomgobich
Oh nice! Yeah, this looks spot on, nicely done emilien! Thank you, I really appreciate that offer! I'm happy to hear that going through this was fruitful!! 😃
Please sign in or sign up for free to reply