Entity.Update how to do permission checks
aroraenterprise opened this issue
Hey I would like to know your thoughts on this. When I go to update an entity, I usually want to retrieve the entity, check if creatorId matches the userId and then save entity with updated data. I am just curious to know how you would do this check with Entity.Update. I am using a dataloader and I worry about cached data and how merging will affect the entity data.
Hello,
I think, for the permission check, it is better to do it on a different layer than when updating the entity. For example at the HTTP route level (an Express middleware for example), where you would check if the userId in the Auth header is the same as the creatorId of the entity. If it is not, throw a 401 Unauthorized error.
You might want to check a package like node_acl (see this post: http://handyjs.org/article/the-kick-ass-guide-to-developing-access-control-systems-for-nodejs-webapps) for better user access control to your entities.
Thank you
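The route-level check described in the answer, as an added example that is not code from the thread or the project: an Express-style middleware loads the entity, compares its creatorId with the authenticated user and only then lets the update run. The in-memory Entity store, req.user (assumed to be set by an earlier auth middleware) and the req/res stand-ins are constructed so it runs without Express; it also keeps creatorId out of the merged data, which answers the merge worry in the question, and returns 403 rather than the 401 mentioned above for a caller who is authenticated but not the owner.

```javascript
// Added example: ownership check in a middleware, before any Entity update runs.
// Constructed store standing in for the Entity model; a real model would be async.
const entities = new Map([
  ['e1', { id: 'e1', creatorId: 'u1', title: 'first post' }],
]);
const Entity = {
  findById: (id) => entities.get(id) || null,
  // Only whitelisted fields are merged, so a request body carrying creatorId
  // cannot reassign ownership as a side effect of the update.
  update(id, data) {
    const current = entities.get(id);
    const next = { ...current, title: data.title !== undefined ? data.title : current.title };
    entities.set(id, next);
    return next;
  },
};
// Middleware factory. Assumes an earlier auth middleware set req.user.id from the
// Authorization header; the entity is read fresh instead of trusting a cached copy.
function requireOwner(model) {
  return function ownerCheck(req, res, next) {
    if (!req.user || !req.user.id) return res.status(401).json({ error: 'Unauthorized' });
    const entity = model.findById(req.params.id);
    if (!entity) return res.status(404).json({ error: 'Not found' });
    if (entity.creatorId !== req.user.id) return res.status(403).json({ error: 'Forbidden' });
    req.entity = entity; // hand the verified entity to the route handler
    return next();
  };
}
// Route handler: runs only when ownerCheck called next().
function updateHandler(req, res) {
  return res.status(200).json(Entity.update(req.entity.id, req.body));
}
// Minimal res stand-in recording what Express would send.
function mockRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}
// Drives one PUT /entities/:id through the chain and reports the outcome.
function tryUpdate(userId, entityId, body) {
  const req = { user: userId ? { id: userId } : null, params: { id: entityId }, body };
  const res = mockRes();
  requireOwner(Entity)(req, res, () => updateHandler(req, res));
  return { status: res.statusCode, body: res.body };
}
```

Mounting it as `app.put('/entities/:id', requireOwner(Entity), updateHandler)` keeps the handler itself free of permission logic, which is the separation the answer argues for.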