First of all, I would like to thank you for tying up everything so nicely; as a noob I'm learning a lot from it.
Currently I wonder how to achieve a typical requirement of every application: give access to a resource (say books) only to the currently logged-in user if "it is his resource" or if he "owns" it.
If I use your restify.model or ensureUser functions (which use the passport library) I can only restrict access based on the roles (guest/user/admin).
So e.g. if I'm logged in as User A I can access the books of User B by pasting the URL of the REST resource (e.g. http://localhost:3000/api/books/52a76725431fd2184800001d).
I wonder if this is something I handle with routes/passport at all, and if this question is related: #72
or
do I handle this only with the database query? Something like Book.findIfOwnedByUser
Maybe you could just point me in the right direction for further exploring this.
Thanks a lot and happy holidays
Thanks for your kind words @Kyii :)
Right now there's no easy way to do what you described, because what you see in the current seed is just a proof of concept that cannot handle various tasks you'd expect. However, @yaru22 and I actually started some discussions on that lately, so expect to see the rework soon. In the meantime, if you need it right now, take some time to learn the Express req/res system and the Mongoose model, then have a look at how the User model is set up. It won't be too difficult to roll your own simple authorization system for your needs.