I put the role check in a policy:
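/**
 * Policy: let the request through only when the logged-in user is the
 * author of the post named by the `postId` request parameter.
 *
 * Responds with notFound when the post does not exist, forbidden when the
 * caller is not its author, and forwards lookup errors to `next(err)`.
 * On success the loaded record is exposed as `req.post`, so the action that
 * runs after this policy can reuse it instead of querying a second time.
 *
 * @param {Object} req - request; reads `postId` and `req.session.user.id`
 * @param {Object} res - response; used for notFound / forbidden
 * @param {Function} next - continues to the next policy or the action
 */
module.exports = function(req, res, next) {
  var postId = req.param('postId');
  var user = req.session && req.session.user;

  // Fail closed when there is no usable identity. Without this guard a
  // missing session throws, and a missing id on both sides would compare
  // equal (undefined === undefined) and be treated as ownership.
  if (!user || user.id == null) {
    return res.forbidden('Not the author');
  }

  // Never query with an absent id: the lookup must be for one specific post.
  if (postId == null) {
    return res.notFound('Post not found');
  }

  var userId = user.id;

  Post.findOne({id: postId})
    .exec(function (err, post) {
      if (err) { return next(err); }
      if (!post) {
        return res.notFound('Post not found');
      }
      // NOTE(review): strict comparison; assumes post.author and the session
      // user id are stored with the same type. A mismatch denies access.
      if (post.author !== userId) {
        return res.forbidden('Not the author');
      }
      // Hand the authorized record to the action so the record that was
      // checked is the record that gets updated.
      req.post = post;
      next();
    });
};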
And in PostController, I need to fetch the post again:
// Controller action that updates a post. It looks the post up again by the
// same `postId` request parameter that the policy used.
// NOTE(review): there is no ownership check in this action itself; it is only
// safe if the author policy is bound to this route. Confirm that in the
// policy configuration.
update: function (req, res) {
var postId = req.param('postId');
Post.findOne({id: postId})
.exec( function (err, post) {
// Update the post here
Is there a clean way to fetch the post record from the DB only once?