Routes with permissions


#1

Hey, I’m looking for opinions on which is the best approach for this.

I have a RESTful API and the application has users and admins.

For example, there’s a resource controller called users with a PUT/PATCH method: if the user is an admin, he can update any user; if he is a user, he can only update himself.

Should I make a different controller for admin operations (have many duplicated controllers) and protect it with a middleware, or add a condition ( if (auth.user.id !== Number(params.id) && auth.user.role !== 'admin') ) in every method that has this behaviour?

What are your preferences when it comes to this?
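
The ownership-or-admin condition from the post above, written once as a policy and wrapped around a single controller method, as an added example that is not part of the original thread. It is framework-agnostic rather than Adonis code: `parseId`, `canUpdateUser` and `authorize` are hypothetical names, and `ctx` only mimics the `{ auth, params }` shape used in the post's condition.

```javascript
// Added example: framework-agnostic sketch, all names are hypothetical.

// Parse a route parameter as a positive integer id; anything else -> null.
// Number('') is 0 and Number('0x10') is 16, so a strict pattern is used
// instead of a bare Number(params.id).
function parseId (raw) {
  return /^[1-9]\d*$/.test(String(raw)) ? Number(raw) : null
}

// Single policy: admins may update any user, everyone else only themselves.
function canUpdateUser (actor, targetId) {
  if (!actor || targetId === null) return false
  return actor.role === 'admin' || actor.id === targetId
}

// Wrap a controller method so the policy always runs before the handler.
function authorize (policy, handler) {
  return async function guarded (ctx) {
    const actor = ctx.auth && ctx.auth.user
    if (!actor) return { status: 401, body: 'Unauthenticated' }
    const targetId = parseId(ctx.params.id)
    if (targetId === null) return { status: 400, body: 'Invalid id' }
    if (!policy(actor, targetId)) return { status: 403, body: 'Forbidden' }
    return handler(ctx, targetId)
  }
}

// One controller method serves both roles; no duplicated admin controller.
const updateUser = authorize(canUpdateUser, async (ctx, targetId) => {
  return { status: 200, body: `updated user ${targetId}` }
})

// Constructed sample requests: returns the status code of each call.
async function demo () {
  const user = { id: 7, role: 'user' }
  const admin = { id: 1, role: 'admin' }
  const call = (u, id) => updateUser({ auth: { user: u }, params: { id } })
  const results = await Promise.all([
    call(user, '7'), call(user, '8'), call(admin, '8'),
    call(user, '0x7'), call(null, '7')
  ])
  return results.map(r => r.status)
}
```

Because the handler receives the already-validated `targetId`, it never has to re-read `params.id`, so the id that was authorized is the id that gets updated.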


#2

Hey @Wuzi! :wave:

I have built a package to help manage permissions in Adonis.


#3

Thanks, this is perfect!