I am currently developing a web application with the MEAN stack and JWT security. There are Users, Docs and Subdocs. Users own Docs, and Docs contain Subdocs. I want to give users access to their own Docs and Subdocs. Here is my API draft:
/docs
/docs/{docId}
/docs/{docId}/subdocs
/docs/{docId}/subdocs/{subdocId}

Through the JWT I can get the user who is performing the request. But what is the best way to protect this so that a user cannot access another user's objects? Here is my attempt:
Schema (example):
User { _id: ObjectId, name: String, password: String }
Doc { _id: ObjectId, name: String, userId: ObjectId }
Subdoc { _id: ObjectId, name: String, docId: ObjectId }
Problem:
When a user wants to access a Subdoc via GET /docs/{docId}/subdocs/{subdocId}, there have to be multiple queries to verify that the user performing the request is the same as the (indirect) owner of the Subdoc:

    subdoc = find({ _id: subdocId })
    if (docId !== subdoc.docId) -> 400 error          // subdoc is not under the doc named in the URL
    doc = find({ _id: subdoc.docId })
    if (doc.userId !== jwtToken.userId) -> 401 error  // caller does not own the parent doc
    // (with Mongoose ObjectIds, compare with .equals() or String(); plain !== is always true)

But querying every parent entity up to the user reference sounds like a possible performance problem, especially when there are sub-subdocs and so on. The same seems to apply to the child relation, where the User object would be looked up first and then, at every level of the tree, the id of the child object would be checked for being contained in the parent's child collection. Is there a better solution, or is this the trade-off for providing user-specific content with non-embedded entities?
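The check described in the question, as an added example that is not code from the original post: it models GET /docs/{docId}/subdocs/{subdocId} without a database, using constructed sample data and a findOne() helper that stands in for Mongoose's Model.findOne(filter). The field names (_id, userId, docId) are the ones from the schema above; the JWT middleware that puts the verified subject on req.user.sub is an assumption. Variant A keeps the two-query walk up the parent chain but moves the ownership predicates into the query filters; variant B shows the usual way to get rid of the per-level queries, denormalizing the root owner onto every descendant.

```javascript
// Added example (not code from the original question): the ownership check
// behind GET /docs/:docId/subdocs/:subdocId, runnable without MongoDB.
// The arrays below are constructed sample data and findOne() stands in for
// Mongoose's Model.findOne(filter); the field names (_id, userId, docId)
// are the ones from the question's schema.

const docs = [
  { _id: "d1", name: "alice-doc", userId: "u-alice" },
  { _id: "d2", name: "bob-doc", userId: "u-bob" },
];
const subdocs = [
  { _id: "s1", name: "alice-sub", docId: "d1" },
  { _id: "s2", name: "bob-sub", docId: "d2" },
];

// Stand-in for Model.findOne(filter): every filter key must match exactly.
// (With real ObjectIds use .equals() or compare String(id) values; plain
// !== on two ObjectId instances is always true.)
function findOne(collection, filter) {
  const hit = collection.find((row) =>
    Object.keys(filter).every((key) => row[key] === filter[key])
  );
  return hit || null;
}

// Variant A: walk the chain as the question does, but owner-first and with
// the relationship predicates inside the query filters. Two queries per
// request, no schema change. Neither query can ever return another user's
// data, and a missing, re-parented or foreign id all look the same (404),
// so the endpoint is not an oracle for guessing other users' ids.
function getSubdocByChain(jwtUserId, docId, subdocId) {
  const doc = findOne(docs, { _id: docId, userId: jwtUserId });
  if (!doc) return { status: 404, body: null };
  const subdoc = findOne(subdocs, { _id: subdocId, docId: doc._id });
  if (!subdoc) return { status: 404, body: null };
  return { status: 200, body: subdoc };
}

// Variant B: denormalize the root owner onto every descendant at write time,
// so any depth of nesting is authorized by one query on the leaf collection.
// The cost is consistency: userId on every Subdoc must be rewritten if a Doc
// is ever transferred to another user. Here the denormalized copy is built
// once from the sample data; in the app it would be set on create/update.
const subdocsWithOwner = subdocs.map((s) => ({
  ...s,
  userId: findOne(docs, { _id: s.docId }).userId,
}));

function getSubdocDenormalized(jwtUserId, docId, subdocId) {
  const subdoc = findOne(subdocsWithOwner, { _id: subdocId, docId, userId: jwtUserId });
  return subdoc ? { status: 200, body: subdoc } : { status: 404, body: null };
}

// Express-style glue. Assumes (hypothetically) that a JWT middleware has
// already verified the token and put its subject claim on req.user.sub;
// the user id is taken from the verified token, never from the URL or body.
function makeHandler(lookup) {
  return (req, res) => {
    const result = lookup(req.user.sub, req.params.docId, req.params.subdocId);
    res.status(result.status).json(result.body);
  };
}
// Wiring would be: app.get("/docs/:docId/subdocs/:subdocId", makeHandler(getSubdocByChain));
```

Two points worth keeping in mind when choosing between the variants. Doing the owner check first, and inside the filter, means the handler never holds another user's document in memory and never has to compare ids in application code, which is where ObjectId `!==` mistakes creep in. Returning the same 404 for "not found", "wrong parent" and "not yours" is a deliberate choice: distinct 400/401 responses tell a caller which of their guessed ids exist. If denormalizing the owner is not acceptable, a single aggregation with `$lookup` from Subdoc to Doc and a `$match` on the owner is the other way to get to one round trip per request.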