Story: User Token Validation for User-Generated Items
Opened this issue · 0 comments
sjv01180 commented
As a User, I want self-token validation on the API routes, so that I have permission to POST, PUT, DELETE stuff that came from my account.
Associated Epic:
Definition of Done
- Acceptance criteria defined
- Solution tasks specified
- Feature branch created
- Unit tests written (on API code only for now)
- Solution passes full suite of unit tests
- Design documents updated if needed
- Pull request created
- Code is reviewed
- Code is merged to develop branch
- Tests pass on CI
- Deployed to staging environment
- Acceptance criteria are met
Acceptance Criteria
- Given User Session Token on Self, when I call PUT requests to items that I own with my session token, then I receive a 200 HTTP response code and the changes go through
- Given User Session Token on Self and Other, when I call PUT requests to items owned by Other with my session token, then **I receive a 401 HTTP response code and the items remain unchanged**
- Given User Session Token on Self, when I call POST requests to items that I own with my session token, then I receive a 200 HTTP response code and the changes go through
- Given User Session Token on Self and Other, when I call POST requests to items owned by Other with my session token, then **I receive a 401 HTTP response code and the items remain unchanged**
- Given User Session Token on Self, when I call DELETE requests to items that I own with my session token, then I receive a 200 HTTP response code and the changes go through
- Given User Session Token on Self and Other, when I call DELETE requests to items owned by Other with my session token, then **I receive a 401 HTTP response code and the items remain unchanged**
Solution Tasks
- Restrict PUT, POST, DELETE calls for users route
- Restrict PUT, POST, DELETE calls for quotes route
- Restrict PUT, POST, DELETE calls for mentorSkill route
- Restrict PUT, POST, DELETE calls for schedule route
- Restrict PUT, POST, DELETE calls for courseTaken route
- Restrict PUT, POST, DELETE calls for hourblock route
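The ownership check that the acceptance criteria and solution tasks describe, as an added example that is not the project's own code: the caller's identity comes from a server-side session lookup (constructed in-memory stores for sessions and for one route's items, with hypothetical tokens and ids), ownership is compared against the stored record rather than anything in the request payload, and the status codes follow the issue (200 for the owner, 401 for anyone else with the item left untouched). No web framework is assumed; the same function can sit behind each of the routes listed above.

```javascript
// Added example, not the project's own code. Ownership check for the
// mutating verbs named in the acceptance criteria; status codes follow
// the issue (200 owner, 401 non-owner, item unchanged). The session and
// item stores are constructed in memory; no web framework is assumed.
const MUTATING = new Set(["POST", "PUT", "DELETE"]);

// Constructed session store: token -> userId (server-side lookup; the
// caller's identity is never taken from the request body).
const sessions = new Map([["tok-self", "u1"], ["tok-other", "u2"]]);

// Constructed item store for one route (say, quotes): id -> record.
const items = new Map([
  [1, { id: 1, ownerId: "u1", text: "self's quote" }],
  [2, { id: 2, ownerId: "u2", text: "other's quote" }],
]);

// Snapshot used to prove "items remain unchanged" after a refused call.
const snapshot = (id) => JSON.stringify(items.get(id) || null);

// Returns { status, item } for a mutating request on /route/:id.
// Ownership is decided from the session's userId against the stored
// ownerId, so a client cannot reassign ownership by editing the payload.
function handle(method, token, id, body = {}) {
  if (!MUTATING.has(method)) return { status: 405, item: items.get(id) || null };
  const userId = sessions.get(token);
  if (!userId) return { status: 401, item: items.get(id) || null }; // no/unknown token
  const existing = items.get(id);
  if (existing && existing.ownerId !== userId) {
    return { status: 401, item: existing }; // refused; record untouched
  }
  if (method === "DELETE") {
    if (!existing) return { status: 404, item: null };
    items.delete(id);
    return { status: 200, item: null };
  }
  if (method === "PUT" && !existing) return { status: 404, item: null };
  // POST creates (or updates an owned record), PUT replaces; id and
  // ownerId always come from the route and the session, never the body.
  const record = { ...existing, ...body, id, ownerId: userId };
  items.set(id, record);
  return { status: 200, item: record };
}
```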