Authorizing Users With JWT - an unnecessary logic for postUpdate and postDelete
Closed this issue · 0 comments
hazartilirot commented
Actually, I can't figure out why the author creates a new file, canUserMutatePost.ts.
All we need to know is
- postId which is already implemented in postResolvers.ts
- authorId of who created the post, the value of which we take from his JWT token.
Prisma (or Postgres, to be exact) will do the rest for us. There can't be a post with an authorId who didn't create the post.
Therefore we change
```ts
await prisma.post.findUnique({ where: { id: +postId } })
```
to
```ts
await prisma.post.findFirst({ where: { AND: [{ id: +postId }, { authorId: userId }] } })
```
If a user with a different token tries to delete a post which doesn't belong to his userId, it will return userErrors.
The only reason to create separate logic is that you want to reveal the actual error to the user. To my mind it's unnecessary.
Respect conciseness! 💪
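The owner-scoped lookup proposed in the comment above, as an added example that is not part of the original issue or the course's code. The in-memory `db` stand-in, the sample posts, the `postDelete` signature and the error messages are assumptions made so the block runs offline; the flat `where` is the implicit-AND form of the `AND: [...]` filter. It also covers one case the one-liner depends on: Prisma ignores a filter field whose value is `undefined`, so a missing `userId` must be rejected before the query is built.

```typescript
// Added example: in-memory stand-in for a Prisma `post` model (constructed data).
type Post = { id: number; title: string; authorId: number };
type Where = { id?: number; authorId?: number };
type Payload = { userErrors: { message: string }[]; post: Post | null };

const posts: Post[] = [
  { id: 1, title: "alice's post", authorId: 10 },
  { id: 2, title: "bob's post", authorId: 20 },
];

// Mimics Prisma filter semantics: a field set to `undefined` is ignored, not matched.
const matches = (p: Post, w: Where): boolean =>
  (w.id === undefined || p.id === w.id) &&
  (w.authorId === undefined || p.authorId === w.authorId);

const db = {
  post: {
    async findFirst(args: { where: Where }): Promise<Post | null> {
      return posts.find((p) => matches(p, args.where)) ?? null;
    },
    async deleteMany(args: { where: Where }): Promise<{ count: number }> {
      const doomed = posts.filter((p) => matches(p, args.where));
      doomed.forEach((p) => posts.splice(posts.indexOf(p), 1));
      return { count: doomed.length };
    },
  },
};

const fail = (message: string): Payload => ({ userErrors: [{ message }], post: null });

// Hypothetical resolver body; `userId` is whatever was decoded from the JWT, if anything.
async function postDelete(postId: string, userId: number | undefined): Promise<Payload> {
  // Without this guard, a missing userId becomes `authorId: undefined`,
  // the owner filter is dropped, and any post id would match.
  if (typeof userId !== "number") return fail("Forbidden access (unauthenticated)");

  const where: Where = { id: Number(postId), authorId: userId };
  const post = await db.post.findFirst({ where });
  // "Does not exist" and "belongs to someone else" are deliberately indistinguishable.
  if (!post) return fail("Post not found");

  // Delete with the same owner-scoped filter so lookup and delete cannot disagree.
  const { count } = await db.post.deleteMany({ where });
  return count === 1 ? { userErrors: [], post } : fail("Post not found");
}
```

Returning the same error for a missing post and for someone else's post also keeps the response from confirming which post ids exist.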