Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add server side authorization to all existing API routes #53

Open
aidansunbury opened this issue Nov 12, 2023 · 0 comments
Open

Add server side authorization to all existing API routes #53

aidansunbury opened this issue Nov 12, 2023 · 0 comments
Labels
backend not urgent

Comments

@aidansunbury
Copy link
Contributor

While the client will only display an option to perform certain actions if a user is authorized to do so, for security purposes, it is still vital to ensure that a use is authorized to mutate any data.

Our middleware will ensure that the api is only callable by signed in users, and there is almost no information that a user should be prevented from viewing. Therefore, we mostly need to protect POST, PATCH, and DELETE routes.

From a high level,

  1. admins should be able to do anything
  2. project members and leads should be able to edit information about the projects they are added to
  3. all users should be able to edit their own personal information, except for modifying their roles

It may be useful to make some helper functions to accomplish all of this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend not urgent
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@aidansunbury