dchester / epilogue

Create flexible REST endpoints and controllers from Sequelize models in your Express app

How to authorize different entities within a resource? #202

Closed tcosentino closed 7 years ago

tcosentino commented 7 years ago

How would I go about protecting certain entities within a single resource? For example, if I have a resource for Books that belong to a User entity, how would I restrict GET Books to only return those belonging to my user?

My thought is to use the auth milestone to store the current user in the context, then somehow use that to restrict the query?

Thanks in advance, loving epilogue so far.

tcosentino commented 7 years ago

I can essentially do this:

// auth runs before fetch, so criteria set here end up in the list query's where clause
listResource.list.auth((req, res, context) => {
  // TODO: make this not a hard coded user id
  context.criteria = Object.assign({}, context.criteria, {
    userId: 1,
  });

  return context.continue;
});

But then how would I, for example, provide an error message for something that exists but that I do not have access to? This would be on the read action.

// same idea on read: the fetch then looks for a row matching both the id param and userId
listResource.read.auth((req, res, context) => {
  // TODO: make this not a hard coded user id
  context.criteria = Object.assign({}, context.criteria, {
    userId: 1,
  });

  return context.continue;
});

But this will just give me a 404 if I am looking for a list that does not have a userId of 1.

petekeller2 commented 7 years ago
// inside the read auth milestone, once the record has been loaded and found to belong to someone else
res.status(401).send({ error: 'error message' });
return context.stop;
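Putting the two halves of the thread together, here is an added example (not code from epilogue or from either commenter) of the list and read auth milestones with the user taken from the request instead of hard coded, and with "no such book" and "someone else's book" answered differently. It assumes that earlier authentication middleware has set `req.user.id`, that the Book model has a `userId` column, that the route parameter is named `id`, and that epilogue accepts a promise from a milestone that resolves to `context.continue` or `context.stop`. The `Book` object and the `run` harness are stand-ins for a Sequelize model and for epilogue's request context so the file runs offline; the sample rows are constructed.

```javascript
// Constructed sample rows standing in for a Sequelize `Book` table.
const BOOKS = [
  { id: 1, title: 'Applied Cryptography', userId: 1 },
  { id: 2, title: 'Security Engineering', userId: 2 },
];

// Stand-in for Sequelize's Model.findOne({ where }): exact match on every key.
const Book = {
  findOne({ where }) {
    const row = BOOKS.find(b => Object.keys(where).every(k => b[k] === where[k]));
    return Promise.resolve(row ? Object.assign({}, row) : null);
  },
};

// Assumption: authentication middleware has attached req.user = { id }.
function currentUserId(req) {
  const id = req.user && req.user.id;
  return Number.isInteger(id) ? id : null;
}

// resource.list.auth(listAuth): every list query is pinned to the caller.
function listAuth(req, res, context) {
  const userId = currentUserId(req);
  if (userId === null) {
    res.status(401).json({ error: 'authentication required' });
    return context.stop;
  }
  // Merge rather than replace: epilogue may already have put search or
  // filter criteria in context.criteria by the time auth runs.
  context.criteria = Object.assign({}, context.criteria, { userId });
  return context.continue;
}

// resource.read.auth(readAuth): look the row up first so that a missing row
// and a row owned by somebody else get different responses.
function readAuth(req, res, context) {
  const userId = currentUserId(req);
  if (userId === null) {
    res.status(401).json({ error: 'authentication required' });
    return context.stop;
  }
  const id = Number(req.params.id); // route params arrive as strings
  if (!Number.isInteger(id)) {
    res.status(400).json({ error: 'invalid id' });
    return context.stop;
  }
  return Book.findOne({ where: { id } }).then(book => {
    if (book === null) {
      res.status(404).json({ error: 'not found' });
      return context.stop;
    }
    if (book.userId !== userId) {
      res.status(403).json({ error: 'forbidden' });
      return context.stop;
    }
    // Pin the fetch to the owner as well, so the query epilogue runs next
    // can never return a row this check did not approve.
    context.criteria = Object.assign({}, context.criteria, { userId });
    return context.continue;
  });
}

// Offline harness: a response recorder plus a context shaped like epilogue's
// (continue/stop are plain strings here; epilogue uses its own sentinel values).
function run(handler, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  const context = { continue: 'continue', stop: 'stop', criteria: {} };
  return Promise.resolve(handler(req, res, context)).then(outcome => ({
    outcome, status: res.statusCode, body: res.body, criteria: context.criteria,
  }));
}
```

Two design notes. The 403 branch uses 403 rather than 401 because the caller is authenticated and the problem is permission, not identity; it also tells the caller that the id exists, so if book ids must not be enumerable, collapse that branch to the same 404 as the missing case. The list handler still depends on epilogue using `context.criteria` as the where clause of the list fetch, which is the same behaviour the thread's own snippet relies on.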