1
00:00:02,009 --> 00:00:04,820
Now we are handling problematic user input,

2
00:00:04,820 --> 00:00:05,653
and we do have

3
00:00:05,653 --> 00:00:08,390
the authentication flow that does allow us to log in,

4
00:00:08,390 --> 00:00:10,670
if we have valid credentials.

5
00:00:10,670 --> 00:00:12,850
Now it's time to make the next step

6
00:00:12,850 --> 00:00:15,630
and work on this administration area,

7
00:00:15,630 --> 00:00:18,240
where administrators can add

8
00:00:18,240 --> 00:00:19,713
new products and so on.

9
00:00:20,700 --> 00:00:21,550
For this of course,

10
00:00:21,550 --> 00:00:23,700
we also need a way of differentiating

11
00:00:23,700 --> 00:00:25,550
between normal users

12
00:00:25,550 --> 00:00:26,890
and administrators.

13
00:00:26,890 --> 00:00:28,410
We don't have that yet.

14
00:00:28,410 --> 00:00:30,670
And we also might want to work,

15
00:00:30,670 --> 00:00:32,780
on our navigation bar a little bit,

16
00:00:32,780 --> 00:00:35,610
so that we can navigate to different areas.

17
00:00:35,610 --> 00:00:37,052
Like for example,

18
00:00:37,052 --> 00:00:39,690
the manage products area

19
00:00:39,690 --> 00:00:40,553
with these.

20
00:00:41,410 --> 00:00:44,420
So, a couple of things to do. Let's first of all,

21
00:00:44,420 --> 00:00:48,600
start by actually having administrators.

22
00:00:48,600 --> 00:00:49,740
And right now, of course,

23
00:00:49,740 --> 00:00:52,550
every user that signs up is a regular user.

24
00:00:52,550 --> 00:00:56,163
We have no way of telling administrators and users apart.

25
00:00:57,120 --> 00:00:59,270
This happens on purpose here.

26
00:00:59,270 --> 00:01:00,410
I mean, after all,

27
00:01:00,410 --> 00:01:04,530
this is a user facing website here or it soon will be,

28
00:01:04,530 --> 00:01:06,320
and I don't want to make every user

29
00:01:06,320 --> 00:01:08,410
an administrator by default.

30
00:01:08,410 --> 00:01:11,180
Instead, this is my personal online shop.

31
00:01:11,180 --> 00:01:12,450
So what I will do here,

32
00:01:12,450 --> 00:01:14,650
is I'll not build a fancy web

33
00:01:14,650 --> 00:01:17,090
interface for managing users,

34
00:01:17,090 --> 00:01:19,890
you could do that as an extra challenge,

35
00:01:19,890 --> 00:01:23,000
but instead I will just directly go to the database

36
00:01:23,000 --> 00:01:26,240
and turn a user of my choice, myself,

37
00:01:26,240 --> 00:01:29,960
into an administrator by adding an extra flag there,

38
00:01:29,960 --> 00:01:31,870
like an is admin field,

39
00:01:31,870 --> 00:01:34,410
for which I can then check in my code.

40
00:01:34,410 --> 00:01:35,630
Now for this here,

41
00:01:35,630 --> 00:01:39,000
I use the Mongo shell to connect to my MongoDB database,

42
00:01:39,000 --> 00:01:41,070
which is running on my system.

43
00:01:41,070 --> 00:01:43,570
I'm using my online shop database,

44
00:01:43,570 --> 00:01:46,460
which is the database we are interacting with in this

45
00:01:46,460 --> 00:01:48,310
website we're building.

46
00:01:48,310 --> 00:01:49,690
And there, of course we can,

47
00:01:49,690 --> 00:01:51,890
first of all, find all the users we have.

48
00:01:51,890 --> 00:01:54,573
And in my case, I created two users.

49
00:01:55,650 --> 00:01:58,020
Now I do want to turn this first user,

50
00:01:58,020 --> 00:01:59,010
myself,

51
00:01:59,010 --> 00:02:00,620
into an administrator,

52
00:02:00,620 --> 00:02:03,400
and to do that, I'll grab the id of that user,

53
00:02:03,400 --> 00:02:05,453
this entire object ID thing,

54
00:02:06,400 --> 00:02:11,400
and then run db.users.updateOne to update one user.

55
00:02:12,400 --> 00:02:15,340
And then I pass a first parameter value,

56
00:02:15,340 --> 00:02:16,389
which identifies the user.

57
00:02:16,389 --> 00:02:17,760
And here I said,

58
00:02:17,760 --> 00:02:19,740
ID equal to that object ID

59
00:02:20,920 --> 00:02:22,910
and then separated by a comma.

60
00:02:22,910 --> 00:02:26,463
I have a second object, which describes the update.

61
00:02:27,520 --> 00:02:29,400
And here we use dollar sign set.

62
00:02:29,400 --> 00:02:33,840
As you learned earlier in the course to set specific fields

63
00:02:33,840 --> 00:02:36,920
on that user object to a new value.

64
00:02:36,920 --> 00:02:40,510
And I will pass an object to set where I then describe the

65
00:02:40,510 --> 00:02:43,610
fields that should be set to a new value.

66
00:02:43,610 --> 00:02:46,370
And I won't change any of the existing fields here.

67
00:02:46,370 --> 00:02:49,943
Instead, I just add an is admin field and set this to true.

68
00:02:50,820 --> 00:02:53,930
So only that user with that ID will have,

69
00:02:53,930 --> 00:02:56,623
that is admin field, which is set to true then.

70
00:02:57,750 --> 00:03:00,570
If I hit enter you see this is confirmed,

71
00:03:00,570 --> 00:03:03,370
and if I now find all users again,

72
00:03:03,370 --> 00:03:05,880
we see that here we have the is admin field.

73
00:03:05,880 --> 00:03:08,053
And we only have that on that user.

74
00:03:09,000 --> 00:03:10,040
Therefore in the future,

75
00:03:10,040 --> 00:03:11,118
we can check for that field

76
00:03:11,118 --> 00:03:15,020
and then know that this is an administrator.

77
00:03:15,020 --> 00:03:16,470
And that's what I'll do next.

78
00:03:16,470 --> 00:03:18,580
Back here in our code,

79
00:03:18,580 --> 00:03:21,280
I will go to this check-auth middleware,

80
00:03:21,280 --> 00:03:23,280
where I'm already getting the user ID.

81
00:03:25,609 --> 00:03:26,960
There, I also want to find out

82
00:03:26,960 --> 00:03:30,560
if a user is an administrator.

83
00:03:30,560 --> 00:03:31,920
Now to do that,

84
00:03:31,920 --> 00:03:34,913
I need to get more data about that user,

85
00:03:35,770 --> 00:03:36,710
because at the moment,

86
00:03:36,710 --> 00:03:39,640
we're only storing the user ID in the session.

87
00:03:39,640 --> 00:03:42,800
Now I will actually go to the auth controller,

88
00:03:42,800 --> 00:03:44,250
to the log in function,

89
00:03:44,250 --> 00:03:47,160
where we do populate our session data,

90
00:03:47,160 --> 00:03:49,170
because there in the end,

91
00:03:49,170 --> 00:03:51,300
after we checked for all the credentials,

92
00:03:51,300 --> 00:03:53,173
we create that user session.

93
00:03:54,230 --> 00:03:57,440
So if we now go to this utility function here in

94
00:03:57,440 --> 00:03:59,060
authentication.js,

95
00:03:59,060 --> 00:04:00,710
where I create the user session,

96
00:04:00,710 --> 00:04:02,690
here I'm storing the user ID.

97
00:04:02,690 --> 00:04:05,380
And here I now also want to store the,

98
00:04:05,380 --> 00:04:07,960
is admin flag into session

99
00:04:07,960 --> 00:04:09,830
and get that from the user object,

100
00:04:09,830 --> 00:04:13,210
which I'm getting, where I access is admin.

101
00:04:13,210 --> 00:04:16,870
And for most users, this will simply be undefined.

102
00:04:16,870 --> 00:04:19,930
Since most users don't have the is admin field in the

103
00:04:19,930 --> 00:04:22,760
database, but for the administration user,

104
00:04:22,760 --> 00:04:25,130
with that password, and with that email here,

105
00:04:25,130 --> 00:04:27,340
we will have true instead.

106
00:04:27,340 --> 00:04:30,030
So that will then also be stored into session.

107
00:04:30,030 --> 00:04:31,510
And back in check-auth,

108
00:04:31,510 --> 00:04:33,720
we can therefore extract this.

109
00:04:33,720 --> 00:04:35,020
Here,

110
00:04:35,020 --> 00:04:37,440
I can set res locals

111
00:04:37,440 --> 00:04:38,820
is admin,

112
00:04:38,820 --> 00:04:41,780
so that we have this global variable that's

113
00:04:41,780 --> 00:04:43,563
available in all the templates,

114
00:04:44,912 --> 00:04:47,740
equal to req.session.isAdmin,

115
00:04:47,740 --> 00:04:50,660
which is either undefined for most users

116
00:04:50,660 --> 00:04:52,503
or true for some users.

117
00:04:54,420 --> 00:04:58,030
And now we can work on the navigation and unlock more

118
00:04:58,030 --> 00:05:02,090
options for administrators than we do for other users.

119
00:05:02,090 --> 00:05:04,560
So in the included header.ejs file,

120
00:05:04,560 --> 00:05:06,923
we can now work on the nav items.

121
00:05:07,820 --> 00:05:11,420
In here in this unordered list of nav items.

122
00:05:11,420 --> 00:05:14,000
I at the moment only have the log out button if you are

123
00:05:14,000 --> 00:05:15,410
authenticated.

124
00:05:15,410 --> 00:05:16,243
And that's good.

125
00:05:16,243 --> 00:05:17,440
I want to have that button,

126
00:05:17,440 --> 00:05:20,730
but now I want to have more options for administrators and

127
00:05:20,730 --> 00:05:23,113
other options for non administrators.

128
00:05:24,400 --> 00:05:27,620
Now let's maybe start with the non admin options.

129
00:05:27,620 --> 00:05:31,480
All users actually, no matter if they are logged in or not,

130
00:05:31,480 --> 00:05:34,410
should be able to view all the products,

131
00:05:34,410 --> 00:05:35,520
because you should be able to

132
00:05:35,520 --> 00:05:38,403
browse the products without being logged in.

133
00:05:39,240 --> 00:05:42,780
So I'll add a new list item here with an anchor tag that

134
00:05:42,780 --> 00:05:44,600
leads to slash nothing

135
00:05:44,600 --> 00:05:46,810
which says shop, where you can view

136
00:05:46,810 --> 00:05:47,993
all the products.

137
00:05:49,260 --> 00:05:50,093
Actually,

138
00:05:50,093 --> 00:05:52,950
you should also be able to add products to the cart,

139
00:05:52,950 --> 00:05:54,170
to the shopping cart,

140
00:05:54,170 --> 00:05:55,810
and to view your shopping cart

141
00:05:55,810 --> 00:05:57,740
without being logged in.

142
00:05:57,740 --> 00:05:59,940
This might sound like it shouldn't work,

143
00:05:59,940 --> 00:06:01,620
because our shopping cart clearly

144
00:06:01,620 --> 00:06:05,050
has to be connected to a specific user,

145
00:06:05,050 --> 00:06:07,610
but we will be able to connect that to a user

146
00:06:07,610 --> 00:06:09,380
with help of sessions.

147
00:06:09,380 --> 00:06:13,270
So therefore, we can actually add a cart link that leads to

148
00:06:13,270 --> 00:06:17,253
slash cart, which will also always be accessible.

149
00:06:19,070 --> 00:06:21,950
Now, we then also have a couple of links or

150
00:06:21,950 --> 00:06:23,150
one link at least,

151
00:06:23,150 --> 00:06:24,720
that should only be accessible

152
00:06:24,720 --> 00:06:27,290
if you are logged in.

153
00:06:27,290 --> 00:06:29,920
And that is the link to the orders.

154
00:06:29,920 --> 00:06:32,120
So here I'll add an orders link,

155
00:06:32,120 --> 00:06:33,900
and that is a link

156
00:06:33,900 --> 00:06:37,010
that should be protected with this kind of check.

157
00:06:37,010 --> 00:06:38,910
So I'll repeat this here.

158
00:06:38,910 --> 00:06:43,540
Check if you are authenticated and only show this orders

159
00:06:43,540 --> 00:06:44,593
link, if you are.

160
00:06:45,660 --> 00:06:49,150
I'm not moving it into this existing check block here,

161
00:06:49,150 --> 00:06:50,760
because in between,

162
00:06:50,760 --> 00:06:52,670
I want to have a couple of other options,

163
00:06:52,670 --> 00:06:55,870
which you only see if you are an administrator.

164
00:06:55,870 --> 00:07:00,440
So here I want to check if locals.isAdmin is truthy.

165
00:07:00,440 --> 00:07:04,430
So if it's true to be precise and in that case,

166
00:07:04,430 --> 00:07:05,540
and only in that case,

167
00:07:05,540 --> 00:07:08,803
I want to show some administration exclusive options.

168
00:07:09,900 --> 00:07:12,400
So in here we have more list items.

169
00:07:12,400 --> 00:07:13,233
For example,

170
00:07:13,233 --> 00:07:14,690
we might have a link to let's say,

171
00:07:14,690 --> 00:07:17,820
slash admin slash products.

172
00:07:17,820 --> 00:07:21,410
And we will add routes for all those links later,

173
00:07:21,410 --> 00:07:24,510
where we say manage products.

174
00:07:24,510 --> 00:07:25,560
That could be one link,

175
00:07:25,560 --> 00:07:28,120
which you only see as an administrator.

176
00:07:28,120 --> 00:07:29,300
And right now, by the way,

177
00:07:29,300 --> 00:07:32,060
it won't work since we're not supporting this route yet,

178
00:07:32,060 --> 00:07:33,853
but that is something we'll change.

179
00:07:34,870 --> 00:07:38,620
We might also have a link to slash admin slash orders

180
00:07:38,620 --> 00:07:40,500
where you can manage all the orders

181
00:07:40,500 --> 00:07:42,573
that have been placed by customers.

182
00:07:44,130 --> 00:07:47,200
So that's now administration exclusive.

183
00:07:47,200 --> 00:07:49,570
And actually, if you are an administrator,

184
00:07:49,570 --> 00:07:52,940
you should not see the regular shop links.

185
00:07:52,940 --> 00:07:54,690
So here, for example, for orders,

186
00:07:54,690 --> 00:07:57,220
I'll not just check if you are authenticated,

187
00:07:57,220 --> 00:08:00,490
but also if you are not an admin.

188
00:08:00,490 --> 00:08:01,771
So,

189
00:08:01,771 --> 00:08:03,890
and not is admin,

190
00:08:03,890 --> 00:08:05,420
because if you are an admin,

191
00:08:05,420 --> 00:08:08,360
you're not a regular user and you then should not be able to

192
00:08:08,360 --> 00:08:12,010
see the regular customer facing orders part.

193
00:08:12,010 --> 00:08:15,473
You're only having your management options, in that case.

194
00:08:16,330 --> 00:08:18,530
You should also not see these links here.

195
00:08:18,530 --> 00:08:20,920
So here I'll also check if,

196
00:08:20,920 --> 00:08:23,240
not locals.isAdmin.

197
00:08:23,240 --> 00:08:26,170
And I only show these navigation items here,

198
00:08:26,170 --> 00:08:28,623
if you aren't an admin.

199
00:08:29,480 --> 00:08:30,870
So here,

200
00:08:30,870 --> 00:08:32,600
let's make sure,

201
00:08:32,600 --> 00:08:35,820
we always include that in such a block.

202
00:08:35,820 --> 00:08:37,929
So that you see the regular shop only

203
00:08:37,929 --> 00:08:39,990
if you're not an admin.

204
00:08:39,990 --> 00:08:42,429
So if you're logged in as a different user,

205
00:08:42,429 --> 00:08:44,963
or if you're not logged in at all actually.

206
00:08:46,510 --> 00:08:48,950
The log out button should always be visible.

207
00:08:48,950 --> 00:08:50,310
And now last but not least,

208
00:08:50,310 --> 00:08:53,530
there are only two navigation options left,

209
00:08:53,530 --> 00:08:56,290
which you should see if you're not logged in.

210
00:08:56,290 --> 00:08:57,700
And those are the options

211
00:08:57,700 --> 00:09:01,050
to visit the sign up and login pages.

212
00:09:01,050 --> 00:09:03,470
So here we have a link to sign up,

213
00:09:03,470 --> 00:09:05,510
which says sign up,

214
00:09:05,510 --> 00:09:07,940
and we have another link here,

215
00:09:07,940 --> 00:09:10,440
which leads to slash log in

216
00:09:10,440 --> 00:09:11,980
which says login.

217
00:09:11,980 --> 00:09:15,428
And these should only be visible if you're not logged in.

218
00:09:15,428 --> 00:09:19,100
So here we'll check if not locals.isAuth,

219
00:09:19,100 --> 00:09:20,910
if you're not logged in,

220
00:09:20,910 --> 00:09:23,470
then you will see these two links.

221
00:09:23,470 --> 00:09:26,170
Otherwise, if you are a logged in user,

222
00:09:26,170 --> 00:09:28,210
it makes no sense to log in again.

223
00:09:28,210 --> 00:09:31,083
So then I won't show these options to you.

224
00:09:33,660 --> 00:09:35,730
And that's now the navigation part

225
00:09:35,730 --> 00:09:38,910
with a bunch of checks and rules.

226
00:09:38,910 --> 00:09:43,460
And here I'm missing an if statement in the first check.

227
00:09:43,460 --> 00:09:45,510
Now that's valid.

228
00:09:45,510 --> 00:09:46,630
And with that,

229
00:09:46,630 --> 00:09:49,230
we should ensure that different options are shown to

230
00:09:49,230 --> 00:09:50,960
different users.

231
00:09:50,960 --> 00:09:52,430
Still, we have no styling,

232
00:09:52,430 --> 00:09:55,113
but at least we have the proper options in place now.

233
00:09:56,350 --> 00:09:57,183
Hence now,

234
00:09:57,183 --> 00:09:59,490
if you go back and reload as a logged in user,

235
00:09:59,490 --> 00:10:00,323
you can tell,

236
00:10:00,323 --> 00:10:01,156
I see the shop,

237
00:10:01,156 --> 00:10:03,140
the cart and the orders.

238
00:10:03,140 --> 00:10:04,250
And I logged in before

239
00:10:04,250 --> 00:10:06,500
I added all the administration checks,

240
00:10:06,500 --> 00:10:07,333
so right now,

241
00:10:07,333 --> 00:10:09,023
this is a non admin user.

242
00:10:09,890 --> 00:10:11,940
If I do log out,

243
00:10:11,940 --> 00:10:15,580
I see shop and cart and sign up and log in as I should and

244
00:10:15,580 --> 00:10:17,840
sign up and log in also work.

245
00:10:17,840 --> 00:10:21,150
And if I now do log in as the administrator here

246
00:10:25,140 --> 00:10:26,730
like this,

247
00:10:26,730 --> 00:10:29,830
then I only see my management options and log out.

248
00:10:29,830 --> 00:10:31,540
So that seems to work.

249
00:10:31,540 --> 00:10:32,373
Of course,

250
00:10:32,373 --> 00:10:35,870
what's not really working is the look of the navigation.

251
00:10:35,870 --> 00:10:38,520
That's something we want to change because that of course

252
00:10:38,520 --> 00:10:39,923
should look a bit prettier.

