Prasad108 / TutesMessanger

Tutes Messanger, Development to Serve Others
http://softus.in

One institute cannot access the data of other institutes. #63

Open Prasad108 opened 6 years ago

Prasad108 commented 6 years ago

One institute should not be able to see / edit / delete / create any kind of data of other institutes.

Prasad108 commented 6 years ago

Hi @RahulSawale, you can have a look at this issue and resolve it, as it does not require any front-end (AngularJS) knowledge.

Proposed solution

  1. Create a method which will check whether the data the user is asking for belongs to his own institute, and
  2. Does he have permission for that operation.
  3. If he has both things, 'relevant data (i.e. of his institute) + permission', then the API should proceed with the normal flow.
  4. If he does not have permission, the API should simply return him a response that the operation failed due to not enough permissions to access the data.
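
A sketch of the check described in the proposed solution above, added here as an example and not taken from the TutesMessanger code base. The `User` class, the `student:*` permission names, the in-memory `STUDENTS` table and the `handle` entry point are all hypothetical. As assumptions beyond the four steps, it answers a missing record the same way as a foreign one and takes the institute for new records from the authenticated user.

```python
from dataclasses import dataclass

DENIED = "operation failed due to not enough permissions to access the data"

@dataclass(frozen=True)
class User:
    id: int
    institute_id: int
    permissions: frozenset  # hypothetical names, e.g. {"student:read", "student:edit"}

class AccessDenied(Exception):
    pass

# Constructed sample data: every row carries the institute that owns it.
STUDENTS = {
    1: {"institute_id": 10, "name": "Asha"},
    2: {"institute_id": 20, "name": "Ravi"},
}

def check_access(user, operation, record):
    """Steps 1-2: record belongs to the caller's institute AND caller holds the permission."""
    same_institute = record is not None and record["institute_id"] == user.institute_id
    permitted = operation in user.permissions
    if not (same_institute and permitted):
        # Missing and foreign records get the same answer, so the response
        # does not reveal which ids exist in other institutes.
        raise AccessDenied(DENIED)

def handle(user, operation, record_id=None, payload=None):
    """API entry point: returns (ok, body). Steps 3-4 of the proposal."""
    try:
        if operation == "student:create":
            # The institute comes from the authenticated user, never from the request body.
            record = {**(payload or {}), "institute_id": user.institute_id}
            check_access(user, operation, record)
            new_id = max(STUDENTS) + 1
            STUDENTS[new_id] = record
            return True, {"id": new_id, **record}
        record = STUDENTS.get(record_id)
        check_access(user, operation, record)
        if operation == "student:delete":
            del STUDENTS[record_id]
        elif operation == "student:edit":
            # An edit must not move a record to another institute.
            record.update({k: v for k, v in (payload or {}).items() if k != "institute_id"})
        return True, dict(record)
    except AccessDenied as exc:
        return False, {"error": str(exc)}
```

Running the check inside one shared entry point, rather than in each endpoint, keeps a newly added operation from skipping it.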