Monday, May 3, 2021

Should REST API URIs be authorized based on the parameters, not just the resource?

I am trying to create a backend for my web app. The app should have users which should be able to create posts about different things and edit them if needed, and also admins which can edit or even delete posts of different users if they deem them bad. I am having trouble managing user permissions and authorizations, especially regarding which resource a user is allowed to access, but I have come to two possible solutions and I am not sure which one is the best.

  1. Use a specific route (such as /users/me) that allows one to modify his own data and leave the /users/{id} resource only for usage by admins.
  2. Handle the authorization based on whether the given id matches the user in the authentication (/users/{id} only allows you to DELETE or PUT if you are the same user as the one in the URI based on auth token).

I want to abstract the authentication and authorization layer from the database interaction layer, but I am finding it pretty hard to do using the second method because checking if a user "owns" a resource before he accesses it requires you to retrieve that resource, but I also think there are some merits to the second method as well.

Which one would be the best architectural choice regarding code scaling and quality, and which one would you choose for a project (maybe even a mixture of the two)?

I mention that my backend uses node.js and express which interact with a MongoDB database through Mongoose.
