diff --git a/02 Forms and Authentication.md b/02 Forms and Authentication.md index 7d437c4..e398835 100644 --- a/02 Forms and Authentication.md +++ b/02 Forms and Authentication.md 
@@ -83,13 +83,14 @@ So how can we improve this security? The simplest way is to use AES256-GCM encry In this section we will be implementing more granular authorisation by creating an admin-only area on the website: -1. Add an extra boolean field to the database called `admin` with a default value of `false`. -2. Manually modify one of your registered accounts and change the stored value to `true`, this will be your admin user. -3. When a user logs in, check this field and, if it is set to true, create a new session variable called `admin` and assign it a value of `true`. -4. Create a new admin page, `admin.handlebars` and make sure it is protected in the same way as the home page. -5. Create a link to this new page from the homepage. -6. Modify the page so that, if the user does not have admin authorisation they get redirected back to the home page which should display a message **You do not have admin privileges!**. -7. Modify the secure page so that it displays the username of the currently logged-in user: +1. Create a secure admin page: + 1. Add an extra boolean field to the database called `admin` with a default value of `false`. + 2. Manually modify one of your registered accounts and change the stored value to `true`, this will be your admin user. + 3. When a user logs in, check this field and, if it is set to true, create a new session variable called `admin` and assign it a value of `true`. + 4. Create a new admin page, `admin.handlebars` and make sure it is protected in the same way as the home page. + 5. Create a link to this new page from the homepage. + 6. Modify the page so that, if the user does not have admin authorisation they get redirected back to the home page which should display a message **You do not have admin privileges!**. +2. Modify the secure pages (home and admin) so that they displays the username of the currently logged-in user: 1. 
Start by modifying the `post('login')` callback, adding a second key called `username` to the `ctx.session` object to store the username. 2. Modify the code that logs the user out to remove this key. 3. Now change the callback for the secure home page so that it sends this data to the handlebars template.
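Review bot: the new step 1.3 sets a session variable `admin` at login, but step 2.2 ("Modify the code that logs the user out to remove this key") only covers the `username` key, so the `admin` flag is never explicitly cleared on logout; either extend 2.2 to "remove both the `username` and `admin` keys" or have logout drop the whole `ctx.session` object so no authorisation state survives. Related, step 1.4 ("make sure it is protected in the same way as the home page") and step 1.6 read as if the check belongs to the page; it would help to state that the redirect for non-admin users happens in the server-side route callback on `ctx.session.admin` before the template is rendered, and that the flag is only ever derived from the database value at login. Minor: "so that they displays the username" in the new step 2 should read "so that they display the username".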