Open JesseBarron opened 7 years ago
Users can see and change their admin status using Chrome dev-tools. Not good.
Solution: when the app initializes and fetches data, a thunk will be invoked and determine whether the user can see the admin link or not based on their status. All this will be done behind the scenes, so there's no way the user can even know about it.
As an administrator, I'd like access to the user's API in order to update or remove users. However, I would like the API to be secure enough so that anyone who isn't an admin won't have access.
Add security to the website
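
One way to enforce the admin requirement on the server, as an added example that is not code from this issue or its repository: Express-style handlers in which admin status is read only from a server-side record, and a self-service update allow-lists its fields. The `users` map, the `req.session.userId` shape, and the names `requireAdmin`, `updateOwnProfile`, `deleteUser`, `fakeRes` and `call` are assumptions made for illustration.

```javascript
// Added example with constructed data and hypothetical names.
// Server-side store: the only source of truth for admin status.
const users = new Map([
  [1, { id: 1, email: 'admin@example.test', isAdmin: true }],
  [2, { id: 2, email: 'user@example.test', isAdmin: false }],
]);

// Express-style middleware: look the caller up by the id held in the
// server-side session; never read isAdmin from the body or client state.
function requireAdmin(req, res, next) {
  const caller = users.get(req.session && req.session.userId);
  if (!caller) return res.status(401).json({ error: 'Not logged in' });
  if (!caller.isAdmin) return res.status(403).json({ error: 'Admins only' });
  req.user = caller;
  return next();
}

// Self-service profile update: allow-list the fields a user may change,
// so an isAdmin value edited in dev-tools and sent in the body is dropped.
const SELF_EDITABLE = ['email'];
function updateOwnProfile(req, res) {
  const me = users.get(req.session && req.session.userId);
  if (!me) return res.status(401).json({ error: 'Not logged in' });
  const body = req.body || {};
  for (const key of SELF_EDITABLE) {
    if (key in body) me[key] = body[key];
  }
  return res.status(200).json(me);
}

// Admin-only handler, reached only through requireAdmin.
function deleteUser(req, res) {
  const removed = users.delete(Number(req.params.id));
  return res.status(removed ? 204 : 404).json({});
}

// Minimal stand-in for an Express response so this runs without dependencies.
function fakeRes() {
  return {
    code: null, body: null,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
}
// Runs middleware, then the handler if the middleware calls next().
function call(middleware, handler, req) {
  const res = fakeRes();
  middleware(req, res, () => handler(req, res));
  return res;
}
```

Hiding the admin link in the client only changes what is rendered; the 401/403 responses above are what keep a non-admin out of the users API.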