US19 - Auth Protection

[kevinldg]

Value proposition

As a user I want to only have access to my own favorite ideas when i am authenticated In order to make sure, that only i have access to my favorite ideas

and

As a user I want to only be able to create ideas when i am authenticated so that there are no unauthenticated entries

Description

N/A

Acceptance criteria

Not authenticated: Favorites

• [x] When a user is not authenticated, the favorite page can not be accessed (redirect to landing page)
• [x] When a user is not authenticated, the favorite icon in the navigation is not shown
• [x] When a user is not authenticated, ideas can not be marked as favorite (icon not shown)

Create page

• [x] When a user is not authenticated, the create page can not be accessed (redirect to landing page)
• [x] When a user is not authenticated, the create icon in the navigation is not shown

Authenticated: Favorites

• [x] When a user is authenticated, the favorite page can be accessed
• [x] When a user is authenticated, the favorite icon in the navigation is shown
• [x] When a user is authenticated, ideas can be marked as favorite (icon shown)

Create page

• [x] When a user is authenticated, the create page can be accessed
• [x] When a user is authenticated, the create icon in the navigation is shown

Other:

• [x] The favorite page is only showing ideas, that i marked as favorite when i was authenticated

Tasks

• [x] Protect the favorite page and create page against unauthenticated users (redirect to landing page)
• [x] Protect the backend against unauthorized access (return HTTP code 403)
• [x] Make the favorite icon in the navigation only visible, when the user is authenticated
• [x] Make the create icon in the navigation only visible, when the user is authenticated
• [x] Make the favorite feature on the ideas only visible, when the user is authenticated

[Roland-Hufnagel]

Good userstory and I like the way you describe the different behaviour in the AC. But please decide to write a userstory OR a developerstory. Keep in mind: Writing a userstory that adds a value for the user means lots of money and budget for the develperteam (👍 great) because the customer wants it. Writing a good developerstory is unimportant for the customer. He won't pay money for that! That means you won't get much time or budget for that. You can add some task for protecting the backend.

[kevinldg]

Hey @Roland-Hufnagel , thx for your feedback! We've implemented the suggested changes in the user story.

[Roland-Hufnagel]

That looks good 👍

[kevinldg]

Edit: When an unauthenticated user tries to access a page he's not authorized to, a text "Access denied. You have to be logged in to view this page." will be displayed instead of getting redirected to the landing page.

When an unauthenticated user tries to access a backend route he's not authorized to, an error http code 401 will be returned instead of 403.