What's Changed
Added code to prevent any authenticated user from submitting news posts, by checking in the query whether they are an admin
Added a function comment to shouldBlockApiCall explaining what it does
How Has This Been Tested?
Tested the submitNewsPost API endpoint in Postman:
With the session cookie and user ID of an admin user specified in the request, the news post is created.
With the session cookie and user ID of a non-admin user specified, Error: Unauthorized is returned.
If the userId provided is an admin user but the session cookie does not match the session of this userId, the request is blocked (existing functionality) with the error Forbidden.
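As an added example that is not part of this PR or the project's code: the two checks the test notes describe for submitNewsPost, modelled in JavaScript against a constructed in-memory session store and user table. shouldBlockApiCall, isAdminUser and submitNewsPost here are hypothetical stand-ins for the project's functions, and the error strings mirror the ones reported above. The point worth seeing in code is the ordering: the session cookie is bound to the supplied userId first, and the admin decision is then read from the server-side user record, never from anything the client sent.

```javascript
// Added example, not the project's code. All names and data below are
// constructed for illustration.

// Constructed server-side session store: cookie value -> session record.
const SESSIONS = {
  'sess-admin-1': { userId: 'u-admin' },
  'sess-alice-1': { userId: 'u-alice' },
};

// Constructed user table: the admin flag lives here, on the server, not in the request.
const USERS = {
  'u-admin': { name: 'admin', isAdmin: true },
  'u-alice': { name: 'alice', isAdmin: false },
};

// Hypothetical stand-in for the existing session/userId check.
// Blocks the call when the cookie is unknown or belongs to a different user
// than the userId the request claims to act as.
function shouldBlockApiCall(sessionCookie, userId) {
  const session = SESSIONS[sessionCookie];
  return !session || session.userId !== userId;
}

// Hypothetical stand-in for the "is this user an admin" query.
function isAdminUser(userId) {
  const user = USERS[userId];
  return Boolean(user && user.isAdmin);
}

// Hypothetical handler. Returns the outcome instead of writing an HTTP response
// so the three scenarios from the test notes can be checked directly.
function submitNewsPost({ sessionCookie, userId, title }) {
  // Existing behaviour: the cookie must belong to the supplied userId.
  if (shouldBlockApiCall(sessionCookie, userId)) {
    return { ok: false, error: 'Forbidden' };
  }
  // New behaviour: only an admin (per the server-side record) may post.
  if (!isAdminUser(userId)) {
    return { ok: false, error: 'Unauthorized' };
  }
  return { ok: true, post: { author: userId, title } };
}

// The three scenarios from the test notes, plus an unknown cookie.
function runScenarios() {
  return {
    adminWithOwnSession: submitNewsPost({ sessionCookie: 'sess-admin-1', userId: 'u-admin', title: 'Release notes' }),
    nonAdminWithOwnSession: submitNewsPost({ sessionCookie: 'sess-alice-1', userId: 'u-alice', title: 'Hello' }),
    adminIdWithWrongSession: submitNewsPost({ sessionCookie: 'sess-alice-1', userId: 'u-admin', title: 'Spoof' }),
    unknownCookie: submitNewsPost({ sessionCookie: 'sess-none', userId: 'u-admin', title: 'Spoof' }),
  };
}
```

The third scenario is the one that makes the ordering matter: a non-admin who supplies an admin's userId is stopped by the session check before the admin query runs, so the admin query can safely trust the userId it receives.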