What are good ways to allow varied permissions of user data access?

For example, let's say I'm making a fitness app that allows you to view your fitness data, to form teams, and view team members' data. Each team has a dashboard that shows you the progress of your team members. How would you design the API so that users can only request their own data and their team members' data?

Most examples I see only show you middleware that handles you accessing your own data, but I'm a little lost on effective implementations of a permission system that allows users to access the data of other users if they have permission.

And to follow up, how would the routes be designed? Would you have `api/fitness?user={id}` and put middleware to check whether the user requesting this data is either the user itself or is a member of the team that the queried user is part of? Or would it be completely separated out to something like `api/team/{teamId}/members/{userId}/fitness`?

I appreciate any information y'all can provide! Thanks!
Submitted August 02, 2020 at 10:04PM by Ciccio99
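One way to implement the check the post asks about, as an added example that is not part of the original post or any reply to it: a framework-neutral authorization function for "my own fitness data, or a teammate's", plus a handler that serves both route shapes the post mentions. The users, teams and fitness records are constructed sample data, and every name (`teams`, `fitness`, `canViewFitness`, `getFitness`, `session.userId`) is an assumption made for illustration.

```javascript
// Added example, not code from the original post. Team membership and fitness
// records below are constructed sample data; all names are hypothetical.

// Team membership is the only relation the authorization check depends on.
const teams = new Map([
  ["t1", new Set(["alice", "bob"])],
  ["t2", new Set(["carol", "dave"])],
  ["t3", new Set(["bob", "carol"])],
]);

// Per-user fitness records (constructed).
const fitness = new Map([
  ["alice", { steps: 8200 }],
  ["bob", { steps: 5100 }],
  ["carol", { steps: 12000 }],
  ["dave", { steps: 300 }],
]);

// Ids of every team both users belong to.
function sharedTeams(a, b) {
  const out = [];
  for (const [teamId, members] of teams) {
    if (members.has(a) && members.has(b)) out.push(teamId);
  }
  return out;
}

// Authorization decision. `requester` must be the identity established by
// authentication (verified session or token), never a value from the URL or
// body. `teamId` is present only for the nested route form.
function canViewFitness(requester, target, teamId) {
  if (requester === target) {
    return { allowed: true, reason: "self" };
  }
  if (teamId !== undefined) {
    // Nested route: both users must be members of *that* team. A shared
    // membership in some other team does not authorize reading via this one.
    const members = teams.get(teamId);
    if (members && members.has(requester) && members.has(target)) {
      return { allowed: true, reason: `teammate via ${teamId}` };
    }
    return { allowed: false, reason: "not a shared team" };
  }
  // Flat route: membership in any shared team grants read access.
  const shared = sharedTeams(requester, target);
  if (shared.length > 0) {
    return { allowed: true, reason: `teammate via ${shared[0]}` };
  }
  return { allowed: false, reason: "no shared team" };
}

// Handler for both route shapes from the post:
//   GET /api/fitness?user={id}                        -> params { user }
//   GET /api/team/{teamId}/members/{userId}/fitness   -> params { teamId, user }
// `session.userId` stands in for the authenticated identity.
function getFitness(session, params) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const decision = canViewFitness(session.userId, params.user, params.teamId);
  if (!decision.allowed) {
    // 404 rather than 403 avoids confirming that the user or team exists;
    // use 403 if that disclosure is acceptable in your threat model.
    return { status: 404, body: { error: "not found" } };
  }
  const record = fitness.get(params.user);
  if (!record) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: { user: params.user, ...record } };
}
```

The two route shapes lead to different checks: the flat `?user={id}` form has to scan the requester's teams for one that also contains the target, while the nested form names the team and must verify that both users are members of that specific team rather than falling back to "any shared team". In either case the requester's identity comes from the authenticated session, and the decision is made in one place (`canViewFitness`) that a middleware layer can call before the handler touches any data.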