#authorization


mossy locust

Read AuthGuard in document

fallen pond

This really boils down to authentication (knowing who the user is) vs authorization (knowing what the user can do).
You can authenticate the user by logging in and setting up the session and storing the user's role in it. Or by encoding it in a JWT if that's your authentication method of choice.

Then, using an auth guard, you can grant or deny the user access based on their role (in the session or a JWT, or read straight from the DB every time) and the endpoint they are trying to access.

But to implement business logic rules, that is, for example, a user can only delete their own posts, then you can't really know this only based on the route and the role - that check needs to be performed by the service by providing the post id and the user id to it.
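Added example illustrating the split described in the reply above; it is not code from the thread and does not use NestJS's AuthGuard or any framework. The names (`Role`, `Session`, `HttpRequest`, `routeRoles`, `authGuard`, `PostService`, `handleDelete`) and the in-memory post store are assumptions chosen for the illustration. The guard decides purely from endpoint plus role, and the ownership rule lives in the service, which needs both the post id and the caller's id.

```typescript
// Added example (not from the thread): role-based auth guard vs. service-level
// ownership check. All names here are assumptions; no framework is used.

type Role = "admin" | "user" | "guest";

// What authentication already established about the caller
// (read from the session, a JWT, or the DB; the source does not matter here).
interface Session {
  userId: string;
  role: Role;
}

interface HttpRequest {
  method: "GET" | "POST" | "DELETE";
  path: string;
  session?: Session; // undefined => unauthenticated caller
}

// Which roles may reach which endpoint. The guard uses ONLY this table and
// the caller's role; it never looks at who owns a particular post.
const routeRoles: Record<string, Role[]> = {
  "GET /posts": ["guest", "user", "admin"],
  "POST /posts": ["user", "admin"],
  "DELETE /posts/:id": ["user", "admin"],
};

// Normalise "/posts/42" to the route pattern "/posts/:id" for the lookup.
function routeKey(req: HttpRequest): string {
  const pattern = req.path.replace(/^\/posts\/[^/]+$/, "/posts/:id");
  return `${req.method} ${pattern}`;
}

// The auth guard: allow or deny on (endpoint, role) alone.
// Deny by default for unknown routes; no session is treated as "guest".
function authGuard(req: HttpRequest): boolean {
  const allowed = routeRoles[routeKey(req)];
  if (!allowed) return false;
  const role: Role = req.session?.role ?? "guest";
  return allowed.includes(role);
}

// --- Service layer: the business rule lives here -----------------------

interface Post { id: string; ownerId: string; title: string; }

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

class PostService {
  // Constructed in-memory store standing in for the database.
  private posts = new Map<string, Post>([
    ["p1", { id: "p1", ownerId: "alice", title: "hello" }],
    ["p2", { id: "p2", ownerId: "bob", title: "world" }],
  ]);

  // "A user can only delete their own posts": the guard cannot decide this
  // because it needs the post's owner, so the service receives both the post
  // id and the caller and checks ownership against the loaded record.
  deletePost(postId: string, caller: Session): void {
    const post = this.posts.get(postId);
    if (!post) throw new NotFoundError(`post ${postId} not found`);
    if (caller.role !== "admin" && post.ownerId !== caller.userId) {
      throw new ForbiddenError(`user ${caller.userId} does not own ${postId}`);
    }
    this.posts.delete(postId);
  }

  has(postId: string): boolean { return this.posts.has(postId); }
}

// Wire the two layers: the guard runs first, then the service enforces
// ownership. Returns a short status string so the flow is observable.
function handleDelete(req: HttpRequest, service: PostService): string {
  if (!authGuard(req)) return "403 guard";
  // DELETE is only open to "user"/"admin", so a session is present here.
  const id = req.path.split("/").pop()!;
  try {
    service.deletePost(id, req.session!);
    return "204";
  } catch (e) {
    if (e instanceof ForbiddenError) return "403 owner";
    if (e instanceof NotFoundError) return "404";
    throw e;
  }
}
```

An anonymous caller is stopped by the guard ("403 guard"), a logged-in user deleting someone else's post passes the guard but is rejected by the service ("403 owner"), and the owner (or an admin) succeeds. Putting the ownership check in the service rather than the guard also means it is enforced whatever route or transport calls that method.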