Where the user verification is done ?

[Zahma]

Hello,
for this controller method, I would like to know where the verification of weither the user has the right to put into an article that is not his is done ?

@ApiOperation({ summary: 'Update article' })
@ApiResponse({ status: 201, description: 'The article has been successfully updated.'})
@ApiResponse({ status: 403, description: 'Forbidden.' })
@put(':slug')
async update(@param() params, @Body('article') articleData: CreateArticleDto) {
// Todo: update slug also when title gets changed
return this.articleService.update(params.slug, articleData);
}

[lujakob]

https://github.com/lujakob/nestjs-realworld-example-app/blob/master/src/article/article.module.ts#L27
This is what you're looking for?

[Zahma]

@lujakob can you please explain to me what it does ? because, what I understood is that it checks if the user connected to that route is authenticated thats all. IT does not check if the property of that article belongs to the authenticated user.
Meaning that if another user is authenticated he can access to this route & edit the article of another User.
Correct me if I'm wrong I probably missed something.

[lujakob]

@Zahma indeed, this user check is missing. Should be something like
https://github.com/gothinkster/node-express-realworld-example-app/blob/master/routes/api/articles.js#L153-L179