auth middleware usage #113

Closed
am2222 opened this issue May 20, 2021 · 3 comments
Comments

@am2222

am2222 commented May 20, 2021

Hello,
I checked this middleware and it seems straightforward. However, I wanted to see how we can achieve the following authentication structure:
let's say we have this route:
router.patch('/users', auth('manageUsers'), userController.updateUser);
How can we only let a user use it if they are updating their own profile? If we set this rule, clearly users who have access to manageUsers can update each other's profiles. But we want a user to only be able to update their own profile. Maybe we should use validations?

@bryan-gc

bryan-gc commented May 20, 2021

I didn't use the whole template, but the JWT should be in the request object. So you should be able to extract the id from that JWT and then check if the user that is updating is the same user that he has in his JWT.

@hagopj13
Owner

hagopj13 commented Jul 4, 2021

@am2222 this feature is already supported if the user is trying to fetch/update/delete their own profile. Check here:

if (!hasRequiredRights && req.params.userId !== user.id) {

@hagopj13 hagopj13 closed this as completed Jul 4, 2021
@yasamnoya

yasamnoya commented Oct 10, 2021

Hi, @hagopj13

I'm just wondering what you would recommend if I want users to be able to modify/delete only their own posts, where posts are objects stored in another document and have a property called userId, which represents the owner of the post.
The laziest solution is to check if userId and req.user._id match in posts.services.js. But I believe there is a better solution.

Thanks.
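
The two questions in this thread (self-only profile updates, and owner-only post updates) are both instances of the same rights-or-ownership check that the quoted `if (!hasRequiredRights && req.params.userId !== user.id)` line performs. The block below is an added example written for this page; it is not code from node-express-boilerplate. The `roleRights` map, the `ApiError` class, the `managePosts` right, the `findResource` loader and the sample users and posts are all assumptions constructed for the demo. It generalizes the middleware so the owner id can come from `req.params` (users) or from a loaded document (posts), and it runs without Express by calling the middleware with a fake `req`/`next`.

```javascript
'use strict';
// Added example, not the project's code: object-level authorization for Express routes.
// A caller with every required right proceeds; anyone else proceeds only when the
// resource they are acting on belongs to them.

// Assumed role -> rights mapping, in the shape of a roles config (hypothetical values).
const roleRights = new Map([
  ['user', []],
  ['admin', ['getUsers', 'manageUsers', 'managePosts']],
]);

// Minimal error carrying an HTTP status, so an error handler can map it to a response.
class ApiError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Core decision, kept pure so it can be unit tested without Express.
// Returns null when the request is allowed, otherwise an ApiError describing the denial.
function authorizationError(user, requiredRights, ownerId) {
  if (!user) return new ApiError(401, 'Please authenticate');
  const userRights = roleRights.get(user.role) || [];
  const hasRequiredRights = requiredRights.every((right) => userRights.includes(right));
  // Ownership: both ids must be present and equal when compared as strings, so a
  // missing owner field can never "match" a missing user id.
  const isOwner = ownerId != null && user.id != null && String(ownerId) === String(user.id);
  if (!hasRequiredRights && !isOwner) return new ApiError(403, 'Forbidden');
  return null;
}

// Middleware for /users/:userId routes; req.user is assumed to be set by the JWT strategy.
const auth = (...requiredRights) => (req, res, next) => {
  const err = authorizationError(req.user, requiredRights, req.params.userId);
  return err ? next(err) : next();
};

// Middleware for resources whose owner lives in another document (e.g. posts):
// load the resource first, then compare its owner field with the caller.
// `findResource` is a hypothetical synchronous loader injected by the route.
const authOwner = ({ findResource, paramName, ownerField }, ...requiredRights) => (req, res, next) => {
  const resource = findResource(req.params[paramName]);
  if (!resource) return next(new ApiError(404, 'Not found'));
  const err = authorizationError(req.user, requiredRights, resource[ownerField]);
  if (err) return next(err);
  req.resource = resource; // hand the loaded document to the controller, no second lookup
  return next();
};

// Constructed sample data standing in for a posts collection.
const posts = new Map([
  ['p1', { id: 'p1', userId: 'u1', title: 'first post' }],
  ['p2', { id: 'p2', userId: 'u2', title: 'second post' }],
]);
const findPostById = (id) => posts.get(id) || null;
const authPostOwner = authOwner(
  { findResource: findPostById, paramName: 'postId', ownerField: 'userId' },
  'managePosts',
);

// Harness: run a middleware against a fake request and report 'next' or the error status.
function outcome(middleware, { user, params }) {
  let result = 'next';
  middleware({ user, params }, {}, (err) => {
    if (err) result = err.statusCode;
  });
  return result;
}

// Constructed users: two ordinary users and one admin.
function demo() {
  const alice = { id: 'u1', role: 'user' };
  const bob = { id: 'u2', role: 'user' };
  const admin = { id: 'u9', role: 'admin' };
  return {
    selfUpdate: outcome(auth('manageUsers'), { user: alice, params: { userId: 'u1' } }),
    otherUpdate: outcome(auth('manageUsers'), { user: bob, params: { userId: 'u1' } }),
    adminUpdate: outcome(auth('manageUsers'), { user: admin, params: { userId: 'u1' } }),
    anonymous: outcome(auth('manageUsers'), { user: undefined, params: { userId: 'u1' } }),
    ownPost: outcome(authPostOwner, { user: alice, params: { postId: 'p1' } }),
    othersPost: outcome(authPostOwner, { user: bob, params: { postId: 'p1' } }),
    missingPost: outcome(authPostOwner, { user: alice, params: { postId: 'p404' } }),
    adminPost: outcome(authPostOwner, { user: admin, params: { postId: 'p2' } }),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

One caveat when wiring this to Mongoose documents: `post.userId` is typically an `ObjectId`, while `req.params.userId` is a string and `user.id` is Mongoose's string virtual for `_id`. Comparing two `ObjectId` instances with `===` compares object identity and fails even when they hold the same value, so either compare as strings (as above) or use `ObjectId.prototype.equals`. Doing the check in a middleware, before the controller runs, also keeps the authorization decision in one place instead of scattering it across service functions.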
