I am implementing a simple Access Control system in Node, and I am wondering what can be the best approach for what I am doing.
I am using Node ACL and it is not clear to me how to block on a per-resource basis.
Let's take the following example: USER ->* PROJECT ->* ENTRY. Users can have multiple projects, which contain many entries. Users can be ADMIN or USER.
I created an endpoint /entry/{ID} where a user can access an entry's detail. The endpoint is accessible to everyone; ADMINs can see all entries, but for USER I need to do something similar:
app.get('/entry/:id', async (req, res) => {
  const user = req.user;                        // set by the authentication middleware
  const entry = await loadEntry(req.params.id); // loadEntry: placeholder for the data lookup
  if (user.admin) {
    // Return everything
    return res.json(entry);
  } else {
    if (entry.project == user.project) {
      // return it
      return res.json(entry);
    } else {
      // Unauthorized
      return res.sendStatus(403);
    }
  }
});
Is there a better approach/pattern to implement these checks on ownership of a resource?
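An added example, not code from the question, showing one way to separate the ownership policy from the route so every entry route reuses the same check. It assumes users carry `role` and `projectIds`, entries carry `projectId`, and `loadEntry` is a hypothetical async lookup supplied by the caller.

```javascript
// Added example (not the question's code): one reusable ownership check for the
// USER ->* PROJECT ->* ENTRY model. Assumes a user has `role` and `projectIds`,
// an entry has `projectId`, and `loadEntry` is a hypothetical async lookup.
const ROLES = { ADMIN: 'ADMIN', USER: 'USER' };

// Pure policy function: the single place that decides who may read an entry.
// Testable without Express and independent of how the entry was loaded.
function canReadEntry(user, entry) {
  if (!user || !entry) return false;
  if (user.role === ROLES.ADMIN) return true; // admins see every entry
  // A user owns many projects, so check membership rather than a single field.
  // Compare as strings so ObjectId-vs-string mismatches cannot silently fail.
  const owned = (user.projectIds || []).map(String);
  return owned.includes(String(entry.projectId));
}

// Turns (user, entry) into an HTTP decision so status codes live in one place.
// 404 for missing and 403 for foreign entries is a choice; some APIs return 404
// for both so that valid ids cannot be enumerated by users who may not see them.
function decideEntryAccess(user, entry) {
  if (!entry) return { status: 404, body: { error: 'Not found' } };
  if (!canReadEntry(user, entry)) return { status: 403, body: { error: 'Forbidden' } };
  return { status: 200, body: entry };
}

// Express-style middleware factory: loads the resource, applies the policy, and hands
// the approved entry to the route handler so it is not looked up or checked twice.
function requireEntryAccess(loadEntry) {
  return async (req, res, next) => {
    try {
      const entry = await loadEntry(req.params.id);
      const d = decideEntryAccess(req.user, entry);
      if (d.status !== 200) return res.status(d.status).json(d.body);
      req.entry = entry;
      return next();
    } catch (err) {
      return next(err); // lookup errors go to the error handler, never to a silent 200
    }
  };
}

// Constructed sample data to exercise the policy offline.
const ENTRIES = {
  e1: { id: 'e1', projectId: 'p1', text: 'first entry' },
  e2: { id: 'e2', projectId: 'p2', text: 'second entry' },
};
const alice = { id: 'u1', role: ROLES.USER, projectIds: ['p1'] };
const root = { id: 'u0', role: ROLES.ADMIN, projectIds: [] };
```

In a route this reads as `app.get('/entry/:id', authenticate, requireEntryAccess(id => Entry.findById(id)), (req, res) => res.json(req.entry))`, where `authenticate` and `Entry.findById` stand for your own auth middleware and data lookup.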