rit-sse/WebsiteTheSSEquel

Story: User Token Validation for User-Generated Items

Opened this issue · 0 comments

As a User, I want self-token validation on the API routes, so that only a request carrying my own session token can POST, PUT or DELETE items that belong to my account, and nobody else's token can touch them.

Associated Epic:

Definition of Done

  • Acceptance criteria defined
  • Solution tasks specified
  • Feature branch created
  • Unit tests written (on API code only for now)
  • Solution passes full suite of unit tests
  • Design documents updated if needed
  • Pull request created
  • Code is reviewed
  • Code is merged to develop branch
  • Tests pass on CI
  • Deployed to staging environment
  • Acceptance criteria are met

Acceptance Criteria

  • Given a session token for Self, when I send a PUT request for an item I own with my session token, then I receive a 200 HTTP response code and the changes go through
  • Given session tokens for Self and Other, when I send a PUT request for an item owned by Other with my session token, then **I receive a 401 HTTP response code and the item remains unchanged**
  • Given a session token for Self, when I send a POST request creating an item owned by me with my session token, then I receive a 200 HTTP response code and the item is created
  • Given session tokens for Self and Other, when I send a POST request whose body names Other as the owner, with my session token, then **I receive a 401 HTTP response code and no item is created**
  • Given a session token for Self, when I send a DELETE request for an item I own with my session token, then I receive a 200 HTTP response code and the item is deleted
  • Given session tokens for Self and Other, when I send a DELETE request for an item owned by Other with my session token, then **I receive a 401 HTTP response code and the item remains unchanged**

Solution Tasks

  • Restrict PUT, POST, DELETE calls for users route
  • Restrict PUT, POST, DELETE calls for quotes route
  • Restrict PUT, POST, DELETE calls for mentorSkill route
  • Restrict PUT, POST, DELETE calls for schedule route
  • Restrict PUT, POST, DELETE calls for courseTaken route
  • Restrict PUT, POST, DELETE calls for hourblock route
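The check every one of the routes above needs is the same: authenticate the session token, load the target row, compare its owner to the session's user, and only then mutate. The following is an added example written for this issue, not code from the WebsiteTheSSEquel repository; it is framework-agnostic TypeScript (assuming the project's API routes are TypeScript), with an in-memory array standing in for the quotes table and a constructed token-to-session map standing in for the real session store. The names `handleQuoteMutation`, `resolveSession`, `ownsItem`, `tok-self` and `tok-other` are all assumptions. Two practitioner notes: for a POST, the owner of the new row is taken from the session and a body that names a different owner is rejected, so a client cannot create items in someone else's name; and the acceptance criteria above use 401 for an authenticated caller who does not own the item, whereas RFC 9110 reserves 401 for a missing or invalid credential and uses 403 for a refused authorization, so the example returns 403 in that case (change the literal if the team wants to keep 401).

```typescript
// Added example: self-token (ownership) validation for user-generated items.
// Not the project's own API-route code; request/response shapes are assumed.

type Method = "POST" | "PUT" | "DELETE";

interface Session { userId: number }                      // assumed: what a validated token resolves to
interface OwnedItem { id: number; userId: number; text: string }
interface Result { status: 200 | 401 | 403 | 404; body: string }

// Constructed sample data standing in for the quotes table and the session store.
const quotes: OwnedItem[] = [
  { id: 1, userId: 10, text: "self's quote" },
  { id: 2, userId: 20, text: "other's quote" },
];
const sessions: Record<string, Session> = {
  "tok-self": { userId: 10 },
  "tok-other": { userId: 20 },
};

// Step 1: authenticate. A missing or unknown token yields no session (-> 401).
function resolveSession(token: string | undefined): Session | null {
  return token !== undefined ? sessions[token] ?? null : null;
}

// Step 2: authorize. The caller must own the target row; ownership is read from
// the stored row, never from anything the client sent.
function ownsItem(session: Session, item: OwnedItem): boolean {
  return item.userId === session.userId;
}

// Step 3: mutate only after both checks pass. On any failure the store is untouched.
function handleQuoteMutation(
  method: Method,
  token: string | undefined,
  itemId?: number,
  body: Partial<OwnedItem> = {},
): Result {
  const session = resolveSession(token);
  if (!session) return { status: 401, body: "missing or invalid session token" };

  if (method === "POST") {
    // The new row's owner is the session user. A body claiming another owner is an
    // attempt to create items in someone else's name; refuse rather than silently fix.
    if (body.userId !== undefined && body.userId !== session.userId) {
      return { status: 403, body: "cannot create items for another user" };
    }
    const id = Math.max(0, ...quotes.map(q => q.id)) + 1;
    quotes.push({ id, userId: session.userId, text: body.text ?? "" });
    return { status: 200, body: `created ${id}` };
  }

  const item = quotes.find(q => q.id === itemId);
  if (!item) return { status: 404, body: "no such item" };
  if (!ownsItem(session, item)) return { status: 403, body: "not the owner" };

  if (method === "PUT") {
    // Only the text is editable; a PUT must not be able to re-assign ownership.
    item.text = body.text ?? item.text;
    return { status: 200, body: `updated ${item.id}` };
  }
  quotes.splice(quotes.indexOf(item), 1);                 // DELETE
  return { status: 200, body: `deleted ${item.id}` };
}

// Read helpers so tests (or a reviewer) can confirm "the item remains unchanged".
function getQuote(id: number): OwnedItem | undefined {
  return quotes.find(q => q.id === id);
}
function quoteCount(): number {
  return quotes.length;
}
```

The same three steps apply unchanged to the users, mentorSkill, schedule, courseTaken and hourblock routes; only the table and the owner column differ (for the users route the "item" is the user row itself, so the check is `row.id === session.userId`). Putting the authenticate-then-load-then-compare sequence in one shared helper keeps any one route from forgetting the ownership comparison.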