I have a role hierarchy in my project (Admin > Privileged > Standard). My goal is to prevent users of certain roles from performing actions on other users with certain roles. For example, if updating a user, nobody should be able to edit an Admin besides themselves.
My issue is finding a nice place to insert this logic. I tried a few options I'll list below, but they all seem to have one core problem.
- Route middleware that checks what the currently logged-in user's role is and the role of the person being updated. The issue with this is that I would need to either make two find()s to get the user in the middleware, or complicate my factory function by adding a check of some sort.
- Pre-save query middleware on the document. The issue with this is I no longer have access to the request object where I extract the logged-in user information, meaning I can't check the current user's role anymore, unless there's a way to do this I don't know.
- Add a dedicated route for admins to edit using PATCH users/id, and another route for admins, and another for only editing yourself. This seems the most simple; however, on other operations like updating an Order I would need to create another route for something like editMyOrder.
I'm sure tier permissions are a relatively common use case, so I'm wondering if anyone has an approach they recommend.
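One way to keep the tier check in a single reusable place, as an added example that is not from the original post or any particular library: a pure policy function (no request, no database) plus two small Express-style middlewares, one that loads the target user once and keeps it on `req`, and one that applies whichever policy is passed in. It assumes an earlier auth step has already set `req.user`, and `findById` is a stand-in for the real model lookup.

```javascript
// Added example, not from the original post. Assumes Express-style
// (req, res, next) middleware and that an earlier auth step has already
// set req.user; findById below is a stand-in for the real model lookup.

// A numeric rank makes the hierarchy explicit and easy to extend.
const RANK = { standard: 1, privileged: 2, admin: 3 };

// Pure policy: no DB access and no request object, so it can be unit-tested
// on its own and reused from any route.
// A user may always edit themselves; otherwise the actor must strictly
// outrank the target. Nobody outranks admin, so only an admin edits an admin.
// Unknown roles get rank 0 and therefore never outrank anyone (fail closed).
function canModifyUser(actor, target) {
  if (actor.id === target.id) return true;
  return (RANK[actor.role] || 0) > (RANK[target.role] || 0);
}

// Load the target once and keep it on req so the update handler reuses it
// instead of doing a second find().
function loadTargetUser(findById) {
  return async (req, res, next) => {
    const target = await findById(req.params.id);
    if (!target) return res.status(404).json({ error: 'not found' });
    req.targetUser = target;
    return next();
  };
}

// Generic gate: the policy passed in decides, so the same middleware can
// guard orders with a hypothetical canModifyOrder(actor, order) policy.
function authorizeTarget(policy) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (!policy(req.user, req.targetUser)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Intended wiring (hypothetical names for the model and handler):
// router.patch('/users/:id',
//   loadTargetUser((id) => User.findById(id)),
//   authorizeTarget(canModifyUser),
//   updateUser);
```

Because the policy is a plain function, the same check can be called from a pre-save hook too, provided the acting user's id and role are passed in explicitly rather than read from the request.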