Open alia5gar opened 2 years ago

Not very clear about your question. If you need to update any fields about the user, just call the `updateUserById` function.

There is already a route to update the users, and the route is restricted by the permission of `manageUsers`, and the body is validated using the `updateUser` validation.

If I want to update the email verified and roles fields, I will have to add those fields to the `updateUser` validation, which will give access to the users themselves to update those fields, which is not what we want.

I want to know how you can solve such a problem not just for one entity but on a scale of 15-20 entities.

I hope now you are able to understand what I am trying to achieve.

Hi,

You are right, the `updateUser` validation filters the role attribute, and we cannot update the role by the patch route of users.

I resolved this by creating a new route (`PUT /users/{id}/role`):

user.route.js:

```js
router.route('/:userId/role').put(auth('manageUsers'), validate(userValidation.changeRole), userController.changeRole);
```

user.validation.js:

```js
const changeRole = {
  params: Joi.object().keys({
    userId: Joi.required().custom(objectId),
  }),
  body: Joi.object()
    .keys({
      role: Joi.string().required().valid('user', 'admin'),
    })
    .min(1),
};
```

user.controller.js:

```js
const changeRole = catchAsync(async (req, res) => {
  const user = await userService.updateUserById(req.params.userId, { role: req.body.role });
  res.send(user);
});
```

But I would like to know if someone found a better way to allow only admins to update a user's role by the patch route.

I have done something similar. Now the authenticated user can get or update his name, email (if newer) for auth route though here

How will the admin update the isEmailVerified or roles fields in the user table?

Can someone please suggest an approach for the same?

One way is to modify the update user validation. If we add roles and email verified fields to update user validation, that will give access to the user itself to the email verified and roles fields, which is not what is desired.

Another approach is to create a separate API, but that will lead to lots of APIs if we keep on adding different roles which have different access to different fields.
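
As an added example (not code from this thread or from the project), one way to answer the question across many entities is a single table of writable fields per right, checked in one place before the update is applied. The `self` pseudo-right, the `invoice` entity, the field lists and both function names are assumptions; `manageUsers` is the right named in the thread.

```javascript
// Added example: table-driven, field-level write authorization.
// Entity names, field lists and the 'self' pseudo-right are hypothetical.
const WRITE_POLICY = new Map([
  ['user', {
    self: ['name', 'email', 'password'],
    manageUsers: ['name', 'email', 'password', 'role', 'isEmailVerified'],
  }],
  ['invoice', { // constructed second entity, to show the table scaling
    self: ['note'],
    manageInvoices: ['note', 'status', 'amount'],
  }],
]);

// Union of the fields granted by every right the caller holds for this record.
function writableFields(entity, caller, record) {
  const policy = WRITE_POLICY.get(entity); // Map lookup: no prototype keys
  if (!policy) throw new Error(`no write policy for entity "${entity}"`);
  const fields = new Set();
  for (const [right, names] of Object.entries(policy)) {
    const holds = right === 'self'
      ? caller.id != null && String(caller.id) === String(record.ownerId)
      : caller.rights.includes(right);
    if (holds) names.forEach((name) => fields.add(name));
  }
  return fields;
}

// Reject the whole request if any field is outside the caller's allowlist,
// instead of silently dropping it, so the attempt shows up as a 403.
function authorizeUpdate(entity, caller, record, body) {
  const allowed = writableFields(entity, caller, record);
  const denied = Object.keys(body).filter((key) => !allowed.has(key));
  if (denied.length > 0) {
    const err = new Error(`not allowed to update: ${denied.join(', ')}`);
    err.statusCode = 403;
    err.denied = denied;
    throw err;
  }
  return { ...body };
}
```

With this in place the validation schema can list every updatable field and check only types and formats, while the decision about who may write `role` or `isEmailVerified` lives in the policy table.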