hagopj13 / node-express-boilerplate

A boilerplate for building production-ready RESTful APIs using Node.js, Express, and Mongoose
MIT License
6.9k stars, 2.03k forks

How will the admin update the isEmailVerified or roles fields in the user table #210

Open alia5gar opened 2 years ago

alia5gar commented 2 years ago

How will the admin update the isEmailVerified or roles fields in the user table?

Can someone please suggest an approach for the same?

One way is to modify the update user validation. If we add the roles and email verified fields to the updateUser validation, that will give the user itself access to the email verified and roles fields, which is not what is desired.

Another approach is to create a separate API, but that will lead to a lot of APIs if we keep on adding different roles which have different access to different fields.

jleei commented 2 years ago

Not very clear about your question, if you need to update any fields about the user, just call the updateUserById function.

alia5gar commented 2 years ago

There is already a route to update the users. The route is restricted by the manageUsers permission and the body is validated using the updateUser validation. If I want to update the email verified and roles fields, I will have to add those fields to the updateUser validation, which will give the users themselves access to update those fields, which is not what we want.

I want to know how you can solve such a problem, not just for one entity but on a scale of 15-20 entities.

I hope now you are able to understand what I am trying to achieve

0darkace1 commented 1 year ago

Hi,

You are right, the updateUser validation filters out the role attribute, so we cannot update the role through the patch route of users.

I resolved this by creating a new route ( PUT /users/{id}/role ):

user.route.js:

// Dedicated route: the manageUsers right is still checked by auth(), and only the role field is accepted
router.route('/:userId/role').put(auth('manageUsers'), validate(userValidation.changeRole), userController.changeRole);

user.validation.js:

const changeRole = {
  params: Joi.object().keys({
    userId: Joi.required().custom(objectId),
  }),
  body: Joi.object()
    .keys({
      // only the known role names are accepted; anything else fails validation
      role: Joi.string().required().valid('user', 'admin'),
    })
    .min(1),
};

user.controller.js:

const changeRole = catchAsync(async (req, res) => {
  // only the validated role is written; no other body field reaches the service
  const user = await userService.updateUserById(req.params.userId, { role: req.body.role });

  res.send(user);
});

but I would like to know if someone has found a better way to allow only admins to update a user's role through the patch route
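One way to keep a single PATCH route per entity and still let only admins write role or isEmailVerified is a per-entity, per-role write whitelist enforced as middleware between auth() and validate(). The block below is an added example, not code from node-express-boilerplate or from anyone in this thread; the policy table, the entity name 'user', the field names and the hypothetical helper names (authorizeFields, forbiddenFields, runMiddleware) are assumptions for illustration. It builds on the thread's premise that a plain user who passes auth('manageUsers') for their own userId would otherwise be able to set any field the Joi schema accepts, so the check is keyed on req.user.role, not on the validation schema.

```javascript
// Added example (not the project's own code): field-level write authorization
// for a PATCH route. Deny-by-default: entity -> role -> fields that role may
// write. Fields missing from a role's list (here 'role' and 'isEmailVerified'
// for a plain user) cannot be set by that role, even on the caller's own record.
// The table contents are assumptions for illustration.
const WRITE_POLICY = {
  user: {
    user: ['name', 'email', 'password'],
    admin: ['name', 'email', 'password', 'role', 'isEmailVerified'],
  },
  // further entities get their own table here instead of their own route
};

function writableFields(entity, role) {
  const perRole = WRITE_POLICY[entity];
  // hasOwnProperty guards against roles like 'constructor' matching Object.prototype
  if (!perRole || !Object.prototype.hasOwnProperty.call(perRole, role)) return [];
  return perRole[role];
}

// Returns the body keys the caller's role may not write; [] means acceptable.
function forbiddenFields(entity, role, body) {
  const allowed = new Set(writableFields(entity, role));
  return Object.keys(body || {}).filter((key) => !allowed.has(key));
}

// Express-style middleware: runs after auth() has set req.user and before the
// controller. It rejects rather than silently strips, so a client that sends
// role=admin gets an explicit 403 instead of a 200 that quietly ignored it.
function authorizeFields(entity) {
  return (req, res, next) => {
    const role = req.user ? req.user.role : undefined;
    const bad = forbiddenFields(entity, role, req.body);
    if (bad.length > 0) {
      res.status(403).json({ code: 403, message: `Not allowed to set: ${bad.join(', ')}` });
      return;
    }
    next();
  };
}

// Minimal fake req/res/next so the middleware can be exercised without Express.
function runMiddleware(middleware, req) {
  const outcome = { status: null, body: null, nextCalled: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(payload) { outcome.body = payload; return this; },
  };
  middleware(req, res, () => { outcome.nextCalled = true; });
  return outcome;
}

// Constructed requests (not real traffic) covering the three cases that matter.
const selfEscalation = runMiddleware(authorizeFields('user'), {
  user: { id: 'u1', role: 'user' },
  params: { userId: 'u1' },
  body: { name: 'Alice', role: 'admin' },
});
const adminPromote = runMiddleware(authorizeFields('user'), {
  user: { id: 'a1', role: 'admin' },
  params: { userId: 'u1' },
  body: { role: 'admin', isEmailVerified: true },
});
const selfRename = runMiddleware(authorizeFields('user'), {
  user: { id: 'u1', role: 'user' },
  params: { userId: 'u1' },
  body: { name: 'Alice' },
});

console.log('user setting own role ->', selfEscalation.status, selfEscalation.body);
console.log('admin promoting user  ->', adminPromote.nextCalled ? 'passed to controller' : 'blocked');
console.log('user renaming self    ->', selfRename.nextCalled ? 'passed to controller' : 'blocked');
```

Wired into the existing route it would look like `router.route('/:userId').patch(auth('manageUsers'), authorizeFields('user'), validate(userValidation.updateUser), userController.updateUser)`, with role and isEmailVerified added to the updateUser Joi schema. Joi still decides which values are legal (for example `Joi.string().valid('user', 'admin')`); this middleware only decides which keys each role may write, and one table entry per entity scales to many entities without a route per field.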

ragavendra commented 4 months ago

I have done something similar. Now the authenticated user can get or update his name or email (if newer) via the auth route, though, here