wmiys / api.alpha

API for the backend

Implement code to verify that the client can modify/view the request's resource #153

Closed rrickgauer closed 3 years ago

rrickgauer commented 3 years ago

Need to check that the security client_id is the owner of whatever resource they are requesting.

For instance, I can edit a product that I do not own.

If the client is requesting a resource that they do not own, return HTTP response code 403 or Forbidden.

In the API, need to validate client access for these routes:

rrickgauer commented 3 years ago
[GET,PUT]: /products/:product_id

After loading the product data, verify that the client_id matches the product's user_id field.

https://github.com/wmiys/api.wmiys/blob/64c0ac2d1929ebd42b28bf4d2c4852970b1ec082/src/api_wmiys/routes/products.py#L65
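
The ownership check described in this issue, as an added example that is not code from the wmiys repository: a decorator loads the product, compares the authenticated client_id with the product's user_id, and answers 403 before the GET or PUT handler runs. The in-memory `PRODUCTS` store, the handler names and the (status, body) return shape are hypothetical; ignoring `id` and `user_id` in the PUT body goes beyond what the issue asks for.

```python
from functools import wraps
from http import HTTPStatus

# Constructed sample data: product_id -> record; user_id is the owning client.
PRODUCTS = {
    1: {"id": 1, "user_id": 10, "name": "Kayak"},
    2: {"id": 2, "user_id": 20, "name": "Tent"},
}


def owner_required(handler):
    """Load the product, then run the handler only for the product's owner."""
    @wraps(handler)
    def wrapper(client_id, product_id, *args, **kwargs):
        product = PRODUCTS.get(product_id)
        if product is None:
            return HTTPStatus.NOT_FOUND, None
        # Compare as strings so an int id from storage and a str id from the
        # auth layer are treated as the same client.
        if client_id is None or str(client_id) != str(product["user_id"]):
            return HTTPStatus.FORBIDDEN, None
        return handler(client_id, product, *args, **kwargs)
    return wrapper


@owner_required
def get_product(client_id, product):
    # GET /products/:product_id
    return HTTPStatus.OK, dict(product)


@owner_required
def put_product(client_id, product, fields):
    # PUT /products/:product_id
    # Assumption: id and user_id are not client-editable, so an update
    # cannot hand the product to another account.
    updates = {k: v for k, v in fields.items() if k not in ("id", "user_id")}
    product.update(updates)
    return HTTPStatus.OK, dict(product)


if __name__ == "__main__":
    print(get_product(10, 1))                      # owner reads the product
    print(get_product(20, 1))                      # other client is refused
    print(put_product(20, 1, {"name": "edited"}))  # other client is refused
```

Because the check sits in the decorator, a new route on the same resource gets it by applying `@owner_required` rather than by repeating the comparison in each handler.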