In our blog, the first registered user will be the admin. The admin user will be able to create new blog posts, edit posts and delete posts.
1. The first user's id is 1. Use this in index.html and post.html so that only the admin user sees the "Create New Post", "Edit Post" and Delete buttons. Note that this only hides the UI; it is not access control, which is what the next step adds.
This is what you're aiming for:
2. Just because a user can't see the buttons doesn't mean they can't reach the functionality: they can still type the /edit-post, /new-post or /delete routes into the address bar. Protect these routes server-side by writing your own Python decorator called @admin_only. If the current_user's id is 1, the request goes through to the route; otherwise the user gets a 403 error (Forbidden). Check current_user.is_authenticated before reading current_user.id: Flask-Login's anonymous user object has no id attribute, so a logged-out visitor would otherwise trigger an AttributeError (a 500) instead of a clean 403.
This is what you're aiming for:
HINT 1: You might need to review the lesson on Python decorators from Day 54.
HINT 2: Your decorator needs to do something similar to Flask-Login's @login_required decorator. Take a look at how that code is implemented to figure out how to write your own.
HINT 3: The abort() function is a quick way to return HTTP errors like 403 or 404.