Tuesday 29 October 2019

[Question] REST API Routes and Role Protection

I have a question about API routes and roles. Assuming a "simple" microservice architecture. So let's say there's a User role and an Admin role. Each has its own client frontend. The user can create a post via POST /api/posts/create. However, the user only has access to certain features when creating that post. Then, let's say the user wants to have access to a certain feature in /api/posts/create, BUT this is for Admin roles only. So the Admin decides to log in to their own Admin account and create the post for the User (so the admin is creating the post on the User's behalf).

In a typical REST API (shown by most internet tutorials), it would be something like the following.

Routes file:

    router.post('/api/posts/create', [isAuthenticated, isAuthorized], myController.createPost);

Controller file:

    createPost: function (req, res) {
      var newPost = new Post();
      newPost.title = req.body.title; // etc.
      newPost.save(); // saved to DB
    }

So, because Admin has access to certain fields (or the "right" to do something extra) on the same route (again, assuming microservice), does this mean I would have to do some kind of switch statement or conditional statement within createPost() and have somewhat duplicated lines of code, or am I supposed to make a new function specifically just for Admin-level account users to access, or something else? Because if I were to code createPost with the limits of User, then if Admin accesses the same route, the Admin is limited by the same things as the User. However, if I coded it for Admin, then User can perform just as much creation as the Admin on the same route....

Submitted October 30, 2019 at 12:32AM by nathangonz17
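One way to keep a single createPost for both roles is to put the role difference into data rather than branches: a per-role allow-list of request-body fields, enforced in middleware before the handler ever sees the body, so a User sending an Admin-only field is rejected rather than silently upgraded. This is an added example, not code from the original post; the role names, the field names (pinned, authorId), the req.user shape and the plain (req, res, next) middleware form are assumptions, and it runs without Express.

```javascript
// Added example, not from the original post: per-role field allow-lists enforced
// in middleware ahead of ONE shared createPost handler, in plain (req, res, next) form.
const FIELD_POLICY = { // fields each role may set on POST /api/posts/create (names assumed)
  user:  ['title', 'body', 'tags'],
  admin: ['title', 'body', 'tags', 'pinned', 'authorId'],
};
// Split the body into fields the role may set and fields it may not.
function filterBodyByRole(role, body) {
  const allowed = new Set(FIELD_POLICY[role] || []);
  const accepted = {}, rejected = [];
  for (const [key, value] of Object.entries(body || {})) {
    if (allowed.has(key)) accepted[key] = value; else rejected.push(key);
  }
  return { accepted, rejected };
}
// Middleware placed after isAuthenticated (which sets req.user.role). Answering 403
// instead of silently dropping fields makes attempted over-reach visible in logs.
function enforceFieldPolicy(req, res, next) {
  const role = req.user && req.user.role;
  if (!FIELD_POLICY[role]) return res.status(403).json({ error: 'unknown role' });
  const { accepted, rejected } = filterBodyByRole(role, req.body);
  if (rejected.length) {
    return res.status(403).json({ error: 'fields not permitted for role', fields: rejected });
  }
  req.postData = accepted; // the handler only ever reads the filtered copy
  return next();
}
// One createPost for every role: "post on the user's behalf" is just the admin-only
// authorId field, and a user is always pinned to their own id.
function createPost(req, res) {
  const post = { ...req.postData, createdBy: req.user.id };
  if (post.authorId === undefined) post.authorId = req.user.id;
  return res.status(201).json(post); // real code would persist `post` here
}
// Minimal stand-in for Express res, so the chain runs without a server.
function makeRes() {
  const r = { statusCode: 200, payload: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (p) => { r.payload = p; return r; };
  return r;
}
// Runs what router.post('/api/posts/create', [isAuthenticated, enforceFieldPolicy],
// createPost) would run once authentication has passed.
function handle(user, body) {
  const req = { user, body }, res = makeRes();
  enforceFieldPolicy(req, res, () => createPost(req, res));
  return res;
}
```

Adding a new role or a new admin-only field is then a one-line change to FIELD_POLICY, and createPost never grows a role switch.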
