Hello-World-Software-Studios / calculator

Carpenter's tool for wall layout

Stretch Goal: Implement basic Access Control #47

Status: Closed (ecumene closed 3 years ago)

ecumene commented 3 years ago

On anything that CREATES data (except for creating users), we insert with the user's ID as the creating user ID, so we can check that the user only gets what they have created and nothing else.

On anything that UPDATES data, we check that the column with the user's ID is equal to the requesting user (from cookie) before we do anything; otherwise ERROR.

JPM709 commented 3 years ago

All interactions between Client and Server (except registering a user) that GET or POST to/from the DB must pass through the authorization middleware function. authorize.js now has better error handling (see issue #62).
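
The scheme described in the two comments above, sketched as an added example that is not part of the thread and not the project's own `authorize.js`. The `walls` table, the `owner_id` column, the `session` cookie name and the `handle` helper are hypothetical, and in-memory maps stand in for the database and session store.

```javascript
// Constructed stand-ins (assumptions): session cookie -> user ID, and a "walls" table.
const sessions = new Map([["cookie-alice", 1], ["cookie-bob", 2]]);
const walls = new Map();
let nextId = 1;

// Authorization middleware: identity comes from the cookie, never from the request body.
function authorize(req, res, next) {
  const userId = sessions.get(req.cookies && req.cookies.session);
  if (userId === undefined) return res.status(401).json({ error: "not authenticated" });
  req.userId = userId;
  return next();
}

// CREATE: stamp the row with the requesting user's ID; a client-supplied owner_id is ignored.
function createWall(req, res) {
  const row = { id: nextId++, owner_id: req.userId, length: req.body.length };
  walls.set(row.id, row);
  return res.status(201).json(row);
}

// UPDATE: compare the owner column with the requesting user before touching anything.
function updateWall(req, res) {
  const row = walls.get(req.params.id);
  if (!row) return res.status(404).json({ error: "not found" });
  if (row.owner_id !== req.userId) return res.status(403).json({ error: "forbidden" });
  row.length = req.body.length;
  return res.status(200).json(row);
}

// READ: a user only gets rows they created.
function listWalls(req, res) {
  const mine = [...walls.values()].filter((w) => w.owner_id === req.userId);
  return res.status(200).json(mine);
}

// Minimal stand-in for routing: every handler is reached only through authorize().
function handle(handler, req) {
  const res = {
    code: 200,
    body: undefined,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
  authorize(req, res, () => handler(req, res));
  return { code: res.code, body: res.body };
}
```
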