I'm developing an application in Sails.js, where I have two kinds of users; ordinary users (who should be able to view their own profile), and administrators (who should be able to view/edit/delete every users' profile). For authentication, I've followed this example.
Currently, I'm using the blueprints to directly access this information via a view /views/user/show/userID, e.g. /views/user/show/ + user.id, where the view displays information based on the userID provided (e.g. <%= user.name %>. Currently, anyone can access any profile due to this.
I need to limit access so that a "regular" user only has access to his/her own profile, as well as not be able to edit/delete other users.
I'm not sure how exactly to do this, and I've tried using custom routes, without success.
Any suggestion/answer will be greatly appreciated.
You can use a policy (i.e. isAdmin.js) where you check if the user has an "administrator" user role and if not you can return a "forbidden" error code.
Then in your config/policies.js you can associate the specific policy isAdmin.js to your api method.
Another valid approach could be defining a isProfileOwner.js policy where you check if the user that submitted the request is the owner of the profile on which he wants to operate
Hope this could help you