Open alittlebroken opened 1 year ago
Perhaps the solution would be to ensure that each DB query also included the userId of the logged-in user.
This should be fixed in theory when we use middleware to extract the user info and assign it to the req object.
We can then modify all routes when selecting user specific data to extract id from here.
The token stays small and is not acting like a session.
As the title suggests, a logged-in user can manipulate the various request parameters and end up deleting records that do not belong to them, essentially giving them an admin role even if they are not one.