node-express-boilerplate icon indicating copy to clipboard operation
node-express-boilerplate copied to clipboard

Published 20 hours ago verified publisher icon hagopj13

An Authenticated User can update other users

Open cnuis2cool opened this issue 3 years ago • 1 comments 

router
  .route('/:userId')
   .patch(auth(), validate(userValidation.updateUser), userController.updateUser);

The above endpoint allows an authenticated user to update another user.

How can we restrict a user updating another user's data but allow updating his data?

cnuis2cool avatar Jan 29 '22 09:01 cnuis2cool

you removed the 'manageUsers'. You should have .patch(auth('manageUsers'), validate(userValidation.updateUser), userController.updateUser)

unpseudocomplique avatar Jan 31 '22 13:01 unpseudocomplique