I am trying to define the right way to handle this case:
I have a backend with permissions, for example a CRUD on a user. Someone with the permission 'admin:users:update' can update all users. Another one needs to update its own profile, and only its own profile. If I give him the permission 'admin:users:update' he will be able to achieve this, but he will also be able to update all users. This is a critical issue. So I need another permission; call it 'admin:users:self:update'.
How do I handle this in my code? I use ExpressJS, passport and express-authorize. The function that handles the update request is:
```javascript
.put([passport.authenticate('jwt', { session: false }), authorization.authorizer.isPermitted('admin:users:update')], function (req, res) {
  // update handler body (not shown in the post)
});
```
I have thought of 3 solutions:
1. Make another route and duplicate the user update code.
2. Make a statement in the update.
3. Make another custom middleware. (1)
Solution 3 seems to be the best for me, but I have not thought about its implementation.
Any idea?
via Scandinave
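One way to implement solution 3, as an added example that is not part of the original post and does not use express-authorize's own API: a middleware that admits the request when the caller holds the "update anyone" permission, or holds the "self" permission and the `:id` route parameter equals the id of the authenticated user. It assumes (these are assumptions, not facts from the post) that passport's JWT strategy populates `req.user` with `{ id, permissions: [...] }` and that the route is mounted as `/users/:id`. The request and response objects used here are constructed stand-ins so the check can be exercised without a server.

```javascript
// Added example (not the post's code). Assumes req.user = { id, permissions: [...] }
// is set by passport's JWT strategy and that the route carries the target id as :id.

function hasPermission(user, permission) {
  return Array.isArray(user.permissions) && user.permissions.includes(permission);
}

// Returns an Express-style middleware. Allows the request if the user holds
// `anyPermission` (may update every user), or holds `selfPermission` AND the
// target id in the URL equals the authenticated user's own id.
function ownerOrPermitted({ anyPermission, selfPermission, param = 'id' }) {
  return function (req, res, next) {
    const user = req.user;
    if (!user) {
      // passport should already have rejected this, but fail closed anyway
      return res.status(401).json({ error: 'unauthenticated' });
    }
    if (hasPermission(user, anyPermission)) {
      return next();
    }
    const target = req.params && req.params[param];
    // The target id comes from the route parameter and the identity from the
    // verified token; neither is taken from the request body, so a client
    // cannot "become" another user by editing the payload.
    if (hasPermission(user, selfPermission) && target !== undefined &&
        String(target) === String(user.id)) {
      return next();
    }
    return res.status(403).json({ error: 'forbidden' });
  };
}

// Minimal stand-in for an Express response object (constructed for this example).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = function (code) { this.statusCode = code; return this; };
  res.json = function (payload) { this.body = payload; return this; };
  return res;
}

// Runs the middleware against a constructed request and reports the decision.
function decide(user, targetId) {
  const mw = ownerOrPermitted({
    anyPermission: 'admin:users:update',
    selfPermission: 'admin:users:self:update',
  });
  const req = { user, params: { id: targetId } };
  const res = makeRes();
  let allowed = false;
  mw(req, res, function () { allowed = true; });
  return { allowed, status: allowed ? 200 : res.statusCode };
}

// Mounting it on the post's route would look like this (needs Express and
// passport, so it is shown as a comment only; the path is hypothetical):
// router.route('/users/:id').put([
//   passport.authenticate('jwt', { session: false }),
//   ownerOrPermitted({ anyPermission: 'admin:users:update',
//                      selfPermission: 'admin:users:self:update' }),
// ], updateUser);
```

Keeping the ownership comparison in one middleware rather than inside the update handler means the same check can be reused for `GET`/`DELETE` on the same resource, and the handler never sees a request whose target it is not allowed to touch.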