Closed rrickgauer closed 3 years ago
Need to check that the security client_id is the owner of whatever resource they are requesting.
For instance, I can edit a product that I do not own.
If the client is requesting a resource that they do not own, return HTTP response code 403 or Forbidden.
In the API, need to validate client access for these routes:
[GET,PUT]: /products/:product_id
After loading the product data, verify that the client_id matches the product's user_id field.
https://github.com/wmiys/api.wmiys/blob/64c0ac2d1929ebd42b28bf4d2c4852970b1ec082/src/api_wmiys/routes/products.py#L65
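The ownership check described in this issue, written as an added example that is not part of the original issue or the api.wmiys code base. `PRODUCTS`, `load_product`, `client_owns` and `handle_product` are hypothetical names, the sample rows are constructed, and the 404 for an unknown product id is an assumption the issue does not state.

```python
# Added example: ownership check for [GET, PUT] /products/:product_id.
# All names here are hypothetical stand-ins, not code from api.wmiys.
from http import HTTPStatus

# Constructed sample data: product_id -> row with the owning user_id.
PRODUCTS = {
    1: {"id": 1, "user_id": 10, "name": "Kayak"},
    2: {"id": 2, "user_id": 20, "name": "Tent"},
}


def load_product(product_id):
    """Return a copy of the product row, or None if it does not exist."""
    row = PRODUCTS.get(product_id)
    return dict(row) if row else None


def client_owns(product, client_id):
    """True only when the authenticated client_id equals the product's user_id.

    Both sides are cast to int so a client_id parsed as the string "10"
    matches a database value of 10; missing or malformed ids fail closed.
    """
    try:
        return int(client_id) == int(product["user_id"])
    except (TypeError, ValueError, KeyError):
        return False


def handle_product(method, product_id, client_id, body=None):
    """Return (status, payload) for GET/PUT /products/:product_id."""
    product = load_product(product_id)
    if product is None:
        return HTTPStatus.NOT_FOUND, None  # assumption: 404 for unknown ids
    # The check runs after loading and before any data is returned or written.
    if not client_owns(product, client_id):
        return HTTPStatus.FORBIDDEN, None
    if method == "PUT":
        # Drop id/user_id from the body so a PUT cannot reassign ownership.
        updates = {k: v for k, v in (body or {}).items()
                   if k not in ("id", "user_id")}
        PRODUCTS[product_id].update(updates)
        product = load_product(product_id)
    return HTTPStatus.OK, product
```

The client_id passed in must come from the authenticated session or credentials, never from the request body or query string.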