jeremyben/json-server-auth

Able to get posts that belong to another user

josecarballosa opened this issue · 1 comments

given: "users": [ {"id": 1}, {"id": 2} ], "posts": [ {"id": 1, "text": "hello", "userId": 1}, {"id": 2, "text": "world", "userId": 2}] and
access token: xxx.xxx.xxx for user id:1
when: curl -H "Authorization: Bearer xxx.xxx.xxx" http://localhost:3000/600/posts
expect: only [ { "id": 1, "text": "hello", "userId": 1} ]
actual: [ { "id": 1, "text": "hello", "userId": 1}, {"id": 2, "text": "world", "userId": 2} ]

Hi @carballosa

I am new to the json-server-auth module.

But I tried "your query" and fixed this locally with the following:

node_modules\json-server-auth\dist\guards.js

Added the following line (need to add userId in queryString):


if (hasRightUserId) {
    req.query.userId = req.claims.sub; /* need to add userId in queryString */
    next();
} else {
    res.status(403).jsonp('Private resource access: entity must have a reference to the owner id');
}


Please let me know if anything...
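The behaviour reported in this issue and the scoping approach from the comment above, as an added, self-contained example (not code from the issue, the comment, or json-server-auth). It assumes `req.claims.sub` holds the owner id from the verified token, as in the snippet above; `scopeToOwner`, `listPosts` and `get` are hypothetical names, and the data is the sample from the report.

```javascript
// Constructed sample data, copied from the issue report.
const db = {
  posts: [
    { id: 1, text: 'hello', userId: 1 },
    { id: 2, text: 'world', userId: 2 },
  ],
};

// Express-style guard for an owner-only collection read (hypothetical).
function scopeToOwner(req, res, next) {
  if (!req.claims || req.claims.sub == null) {
    return res.status(401).jsonp('Missing token claims');
  }
  // Overwrite rather than merge: a client-sent ?userId=2 must not survive.
  req.query = { ...req.query, userId: String(req.claims.sub) };
  next();
}

// Stand-in for the data layer: every query key is an equality filter.
// Values are compared as strings because query-string values are strings
// while the stored userId is a number.
function listPosts(req) {
  return db.posts.filter((post) =>
    Object.entries(req.query).every(([k, v]) => String(post[k]) === String(v)));
}

// Minimal request runner so the example works without Express.
function get(claims, query) {
  const req = { claims, query: { ...query } };
  let out = null;
  const res = {
    code: 200,
    status(c) { this.code = c; return this; },
    jsonp(body) { out = { status: this.code, body }; return this; },
  };
  scopeToOwner(req, res, () => { out = { status: 200, body: listPosts(req) }; });
  return out;
}

console.log(get({ sub: '1' }, {}));               // only the post owned by user 1
console.log(get({ sub: '1' }, { userId: '2' }));  // client filter is overridden
console.log(get(null, {}));                       // no claims: 401
```
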