I can find tons of articles about how to build user authorization, but I still can't grasp how to restrict that a certain user can access only to it's own files? How do pros approach this access control? Is the user data within the user number's array, which can be accessed by the authenticated user with this number?
Could you maybe recommend any source, tutorial or literature for it? Maybe one in which you have to build an API for a diary or something? How do you know this process specifically?
Thanks a lot for any hint in advance.
Cheers,
GT
PS. If you don't know Node.js but PHP or else, it would be also helpful just to learn more on the theory of authorization.
答案 0 :(得分:0)
如果您尝试将用户限制为他们拥有的内容,那么一种简单的方法是在每个受保护的记录上存储用户ID /文档。在api路由/控制器中,您可以在查找调用中添加一个过滤器,以按当前用户的ID进行过滤。我没有具体说明,因为我不知道你的确切设置。
例如,日记条目路线可能类似于:
app.get('/diary-entry', function(req, res, next) {
DiaryEntry.find({ user: req.user._id }, function(err, entries) {
if(err) return next(err);
red.send(entries);
});
});