#Different controller for admin and user groups?

7 messages · Page 1 of 1 (latest)

tawdry brook
#

In my nestjs application, I have two roles: admin and user. A normal user is only allowed to access, create, update, and delete the 'post' they created (post.creator = userId). Whereas the admin must be able to access and delete all posts.

Should I create two different controller groups, @Controller("admin/post") and @Controller("/post"), for admin and normal users respectively?
e.g. the api/admin/post route for admin and the api/post route for normal users
OR,
should I use the same route for both users and do access validation?
If I do this, then in the case of a normal user editing and deleting posts, don't I have to make one DB call to check the access and then another one to update the data?
Whereas if I use a different route for normal users I could just do db.post.delete({_id: <postId>, creator: <userId>}) (a single DB call).

grand fog
#

So, let's think this through together. But, I'll ask a few questions first.

  • Wouldn't you need to call up the database for access no matter what? No matter if the controllers are split or not?

  • How about when you want to add a role? Maybe you want an editor role, who can edit but not delete posts? Do you want to create a bunch of controllers for the editor too? Can you see how that won't scale well at all?

tawdry brook
# grand fog So, let's think this through together. But, I'll ask a few questions first. - ...

Thank you for your response. I am relatively new to the backend field, and I appreciate any assistance provided.

  • I have an access token (exp: 15 min) and refresh token (exp: 1 day) set up. I also have an access token guard and role guards set up. In case a normal user wants to update his post, I get the user id from the decoded access token and use it to edit the post: this.postRepository.update({postId: <post id from params>, creator: <user id from access token>}). If I use the same route for admin and normal users, then in the case of a normal user I think I need to check user access (via a validation decorator or a service method) for the post, this.postRepository.find({postId, creatorId}), and then update it with this.postRepository.update.......

  • Since I have a role guard implemented, if any new roles are added with the privilege of deleting any post, could I use the same existing admin route, which validates the role and user via the access token but doesn't need to check whether they are the post creator?

grand fog
#

  • If your access logic is in your repository, don't you think that is a bit late in the chain of processing?

  • You could use the same existing admin route. But, you could also use the same existing "normal user" post route too. No?

tawdry brook
# grand fog - You could use the same existing admin route. But, you could also use the same ...
  • Sorry, I didn't get it. I created a repository layer to interact with the database, and in my video service I fetch the post from the database where the post id matches the postId from the params and the creator matches the user id in the token.

  • Got it. Yes, I can. I just thought that the normal user route would be the one that updates data with the filter query (postId and creatorId) and updates the data in a single call.

grand fog
#
  • Right, so, if you determine access logic to the requested method in your service, you are OK. The service logic should first check to make sure the access is OK, then continue. In more advanced systems, you might have an authorization process (service) that does the necessary calling to match up the rules set up in advance and passes along the data acquired for further processing. This is usually done using something like CASL to create ABAC authorization, though, and not just simple role-based logic.