Should I validate the ownership of a doc before update or delete it?
I am doing the classic CRUD web app as a personal learning project using ExpressJS, MongoDB along Mongoose and PassportJS + connect-mongo for authentication/sessions. My question is: Is it worth to validate that the user trying to modify or delete a document is the owner of that document?
Actually I already implemented the said feature so my code checks the content of the request.session.passport and compare it against the document's author property at the start of the process but I am getting stuck for real when trying to implement tests for this feature since while testing there is no session to get the request.session.passport from.
Also, since users will not be able to do arbitrary PUT nor DELETE requests from the browser and routes will be protected for not authenticated requests in PROD env, so maybe this is a feature that is not adding any real value to my app's security and not worth the time making tests for it.
Sorry if some sentences are not grammatically correct, my native language is not English. Thanks for your comments.
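The check the question describes (compare the session's user against the document's `author` before an update or delete) is a server-side object-level authorization check, and the part that makes it hard to test is that it is coupled to the live session. The added example below is not code from the question; it splits the decision into a pure function that needs no session or database, and an Express-style middleware that calls it. It assumes Passport's usual behaviour of populating `req.user` from the session (the question reads `request.session.passport` directly), a Mongoose-style document with an `author` field holding either an id or a populated user, and a hypothetical `loadDoc` function standing in for something like `Post.findById`. The fixture documents and the fake `res` object are constructed so the file runs offline.

```javascript
// Added example, not from the original question. Names such as `author`,
// `req.user`, `loadDoc` and the fixture ids are assumptions.

// Pure check: does userId own doc? Accepts a plain id, a Mongoose ObjectId
// (compared via toString()), or a populated author object with an `_id`.
function isOwner(doc, userId) {
  if (!doc || userId == null) return false;
  const author = doc.author;
  if (author == null) return false;
  const authorId =
    typeof author === 'object' && author._id !== undefined ? author._id : author;
  return String(authorId) === String(userId);
}

// Decide the HTTP outcome of an update/delete attempt without touching
// req/res, so unit tests can call it with plain objects and no session.
function authorizeMutation(doc, user) {
  if (!user) return { status: 401, allowed: false };               // not logged in
  if (!doc) return { status: 404, allowed: false };                // nothing to modify
  if (!isOwner(doc, user._id)) return { status: 403, allowed: false }; // someone else's document
  return { status: 200, allowed: true };
}

// Express-style middleware factory. `loadDoc` is injected (e.g.
// id => Post.findById(id)) so tests can pass an in-memory stub instead
// of a live MongoDB. `req.user` is what Passport sets after deserializeUser.
function requireOwnership(loadDoc) {
  return async function ownershipGuard(req, res, next) {
    try {
      const doc = await loadDoc(req.params.id);
      const verdict = authorizeMutation(doc, req.user);
      if (!verdict.allowed) {
        return res.status(verdict.status).json({ error: 'not allowed' });
      }
      req.doc = doc; // hand the already-loaded document to the route handler
      return next();
    } catch (err) {
      return next(err);
    }
  };
}

// Constructed fixture: two documents owned by two different users.
const fixtureDocs = {
  p1: { _id: 'p1', author: 'u1', title: 'first post' },
  p2: { _id: 'p2', author: { _id: 'u2', name: 'second user' }, title: 'second post' },
};
const fakeLoadDoc = async (id) => fixtureDocs[id] || null;

// Minimal fake response object so the middleware runs without Express.
function makeFakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Drive the middleware for one (user, document) pair; returns 'next' when
// the handler would run, otherwise the status code that was sent.
async function runScenario(userId, docId) {
  const req = { params: { id: docId }, user: userId ? { _id: userId } : undefined };
  const res = makeFakeRes();
  let reachedHandler = false;
  await requireOwnership(fakeLoadDoc)(req, res, () => { reachedHandler = true; });
  return reachedHandler ? 'next' : res.statusCode;
}

// Usage: run the four interesting cases (owner, other user, anonymous, missing doc).
Promise.all([
  runScenario('u1', 'p1'),   // owner        -> 'next'
  runScenario('u1', 'p2'),   // not owner    -> 403
  runScenario(null, 'p1'),   // anonymous    -> 401
  runScenario('u1', 'nope'), // missing doc  -> 404
]).then((results) => console.log(results));

module.exports = { isOwner, authorizeMutation, requireOwnership, runScenario };
```

Because `isOwner` and `authorizeMutation` take plain values, the tests the question is stuck on can assert on them directly with no Passport session; the middleware is then exercised once with a stubbed `loadDoc` and a fake `res`, as `runScenario` does.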
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow