ShelterTechSF / sheltertech-go

GNU General Public License v3.0

Enforce authorization checks for Bookmarks, Folders, and Saved Search APIs #117

Open richardxia opened 4 months ago

richardxia commented 4 months ago

The first pass at these endpoints is probably going to be merged without performing authorization checks. This ticket is meant to track the task of actually enforcing authorization checks for these endpoints, which we'll want before launch.

Specifically, for the MVP, we want to enforce that the authenticated user (via the JWT) matches the user in the actual database user_id foreign key column for each of these resources.

Post-MVP, we may want to loosen this if we want to enable a feature for users to share bookmarks, folders, or saved searches with each other, but we need a lot more discussion about how that should work in our app.
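
The MVP check described in the issue, sketched in Go as an added example; it is not part of the issue or of the sheltertech-go code base. The `Owned` interface, `Bookmark` type, `loadBookmark`, `Authorize` and the sample rows are all hypothetical, and the JWT is assumed to have been verified upstream so that only its user ID reaches this function.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Owned is any resource whose row carries a user_id foreign key
// (bookmark, folder or saved search). Hypothetical interface.
type Owned interface{ OwnerID() int }

// Bookmark is a hypothetical row shape; UserID stands for the user_id column.
type Bookmark struct{ ID, UserID int }

func (b Bookmark) OwnerID() int { return b.UserID }

var ErrNotFound = errors.New("not found")

// Constructed sample rows standing in for the database table.
var bookmarks = map[int]Bookmark{1: {ID: 1, UserID: 10}, 2: {ID: 2, UserID: 20}}

func loadBookmark(id int) (Owned, error) {
	if b, ok := bookmarks[id]; ok {
		return b, nil
	}
	return nil, ErrNotFound
}

// Authorize returns the HTTP status for a request on one resource.
// jwtUserID comes from the verified token (0 means no valid token); the
// owner comes from the stored row, never from the URL or request body.
func Authorize(jwtUserID int, load func(int) (Owned, error), resourceID int) int {
	if jwtUserID == 0 {
		return http.StatusUnauthorized
	}
	res, err := load(resourceID)
	if errors.Is(err, ErrNotFound) {
		return http.StatusNotFound
	}
	if err != nil {
		return http.StatusInternalServerError // fail closed on lookup errors
	}
	if res.OwnerID() != jwtUserID {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	fmt.Println(Authorize(10, loadBookmark, 1), Authorize(10, loadBookmark, 2)) // 200 403
}
```

The same `Authorize` call covers folders and saved searches once their row types implement `Owned` and have a loader of their own.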