Reviewing Authorization Hooks 0:00

Let's review the homework solution. So we need to set up global before and after authorization hooks. And here's an example of why you might want that. In this case, I'm signed in as myself. And sure enough, if I created the thread, I have permission to choose a comment as the best reply. But for any other thread, because I didn't create it, I don't have that permission. However, what if I am the administrator of the site? What if I own the site? In those situations, I should be able to do anything I want.

Adding Policy Before Hook 0:29

But at the moment, we can't. So again, this is where authorization hooks come into play. We can do this on two levels. First, let's go to our conversation policy, and I can add a method before that accepts my user. This will fire before the actual authorization ability is tested. Okay, so here we could say, well, if the user is an administrator, maybe you have a method like this. Or maybe you're going to check the roles if you have something like that set up. Or maybe you're just checking the ID. Let's go to SQLPro. For this example, I have an ID of 13. But yeah, again, maybe there's a column on this table called Admin. You can keep it as simple as you need to. But I'm only going to check the ID. If the ID is 13, and we'll just say Admin here, then return true.

Avoiding Early Returns 1:19

Now if I switch back and give it a refresh, there we go. Because I'm an administrator, I have full authorization. But now a quick little warning. Make sure you run your conditions like this. Or in other words, don't return no matter what. So we're not only returning a Boolean here, and I'll show you what I mean by that. If we switch back and give it a refresh, you think, oh, still works, we're good to go. But we've actually changed the flow and the functionality. And it's not what we want. So what happens is if we return a non-null response from this method, it'll be treated as the result of the policy, meaning the method never gets called. Let's just die. We'll say hello there. And if I switch back and refresh, we never call that method. However, if we comment out the before hook, now we do. All right, so this is important. We're starting to see, all right, because I return from the before hook, we never move on to the next step because the result of this is assumed to be your response. So this is why we should change it to if the user ID is 13, then you're good to go. But notice I never do anything like this. Okay, so now if we give it a refresh, it works. But let's make it fail. Let's say I'm not an administrator.

Moving Hooks to Gate 2:45

If I give it a refresh, now we do drop down and we call the actual ability method. And this is what we want. So just keep that in mind. All right, so these are policy-specific authorization hooks. And by the way, you can also do one after this ability is tested if you need to. However, for situations like checking for an administrator, I don't want to do this for every single policy. So why don't we move up a level and handle it globally?

Implementing Global Before Hook 3:12

So once again, if I switch back, give it a refresh, I'm an administrator, but I still can't see that best reply button. All right, I'm going to return to my auth service provider, and we'll handle it up here. We'll say gate, and I'll add a global before hook here. So now this is going to look the same. If the user ID is 13, then you're an administrator and you're good to go. Otherwise, continue on with your check. So we come back, we give it a refresh, and now once again, if the user ID is 13, we instantly return true.
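The two hooks described in the video, written out as an added example (this is not the video's or the project's code). Both the policy-level before method and the global Gate::before hook grant everything to the admin and otherwise return null so that the normal ability check still runs; the commented-out variant shows the early-return mistake the video warns about, where returning false short-circuits the policy for every non-admin. The hard-coded admin id 13 follows the video; the ability name markBestReply, the Conversation model's user_id column, and the App\Models namespace are assumptions for illustration.

```php
<?php
// Added example, not code from the video. Two files are shown here using
// bracketed namespaces so the snippet is a single valid PHP file.

namespace App\Policies {

    use App\Models\Conversation;
    use App\Models\User;

    class ConversationPolicy
    {
        // Policy-level hook: runs before any ability on this policy is tested.
        // Return value semantics (Laravel): true = allow, false = deny,
        // null = fall through to the ability method.
        public function before(User $user, string $ability): ?bool
        {
            if ($user->id === 13) {      // admin check by id, as in the video (assumption)
                return true;
            }

            return null;                 // non-admins: let markBestReply() decide

            // The early-return mistake: returning the comparison itself means
            // every non-admin gets `false`, and markBestReply() never runs.
            // return $user->id === 13;
        }

        // Ability method (name assumed): only the thread's creator may pick
        // the best reply. Only reached when before() returned null.
        public function markBestReply(User $user, Conversation $conversation): bool
        {
            return $conversation->user_id === $user->id;
        }
    }
}

namespace App\Providers {

    use App\Models\Conversation;
    use App\Models\User;
    use App\Policies\ConversationPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Illuminate\Support\Facades\Gate;

    class AuthServiceProvider extends ServiceProvider
    {
        protected $policies = [
            Conversation::class => ConversationPolicy::class,
        ];

        public function boot()
        {
            $this->registerPolicies();

            // Global hook: runs ahead of every policy and every Gate::define
            // ability, so the admin override lives in one place instead of in
            // each policy's before() method. Same null-fall-through rule applies.
            Gate::before(function (User $user, string $ability) {
                return $user->id === 13 ? true : null;
            });
        }
    }
}
```

To see the difference the video demonstrates, call `$user->can('markBestReply', $conversation)` (or `@can` in Blade) once as user 13 and once as another user: with the null fall-through, the second call reaches `markBestReply()` and is decided by ownership; with the commented-out early return, it is denied before the policy method ever runs.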