Current section: Protecting Routes 6 exercises
Problem

Securing User Access

Transcript

00:00 You want to see something really cool? I can go to my notes here and I can create a new note. Well, what's a little less cool is I can actually do that from an unauthenticated user as well. So LOL, I pick my nose. Of course, the thing that you would say if you wanted to troll somebody. So

00:19 yeah, definitely not something that we want people to be able to do. And so your job is to make it so they can't. Not only can they not get to the new page, but you also want to make it so they can't get to the edit page either. So not only not get there, but also not perform any actions there, because remember all of your loader and action functions, those are API routes, like you could

00:39 actually hit them directly. So your job is to kind of lock some of that stuff down. And it's more than just whether or not the user ID exists, whether the user's logged in, but if they have

00:52 access to this. So like, for example, here I am logged in as Cody, but I can still go to this edit page as well. So yeah, you want to make sure that not only are they logged in, but also their

01:08 username matches the username in the URL search params here. So they've got to be the owner of the note to be able to make this edit. And that's what you're going to be enforcing. So good luck. Have a good time.