Admin and author can create update and remove posts and media - server

Now not only admin but author can also create/edit/delete post. To enable this in server, we have to replaceisAdmin middleware from from routes and replace with new middleware that will check if user is admin or author or both.

With this approach, we can add author features with very little code change in frontend. We just have to create few middlewares and apply them in our server routes.

Middlewares

// server/middlewares/index
export const canCreateRead = async (req, res, next) => {
  try {
    // you get req.user._id from verified jwt token
    const user = await User.findById(req.user._id);
    // console.log("isAdmin ===> ", user);
    switch (user.role) {
      case "Admin":
        next();
        break;
      case "Author":
        next();
        break;
      default:
        return res.status(400).send("Unauthorized");
    }
  } catch (err) {
    console.log(err);
  }
};

export const canUpdateDeletePost = async (req, res, next) => {
  try {
    const { postId } = req.params;
    const post = await Post.findById(postId);

    // you get req.user._id from verified jwt token
    const user = await User.findById(req.user._id);
    // console.log("isAdmin ===> ", user);
    switch (user.role) {
      case "Admin":
        next();
        break;
      case "Author":
        if (post.postedBy.toString() !== req.user._id.toString()) {
          return res.status(400).send("Unauthorized");
        } else {
          next();
        }
        break;
      default:
        return res.status(400).send("Unauthorized");
    }
  } catch (err) {
    console.log(err);
  }
};

export const canDeleteMedia = async (req, res, next) => {
  try {
    const { id } = req.params;
    const media = await Media.findById(id);

    // you get req.user._id from verified jwt token
    const user = await User.findById(req.user._id);
    // console.log("isAdmin ===> ", user);
    switch (user.role) {
      case "Admin":
        next();
        break;
      case "Author":
        if (media.postedBy.toString() !== req.user._id.toString()) {
          return res.status(400).send("Unauthorized");
        } else {
          next();
        }
        break;
      default:
        return res.status(400).send("Unauthorized");
    }
  } catch (err) {
    console.log(err);
  }
};

Routes

Now update routes middlewares

// server/routes/post
const express = require("express");
import formidable from "express-formidable";

const router = express.Router();

// controllers
const {
  uploadImage,
  uploadImageFile,
  createPost,
  posts,
  media,
  removeMedia,
  singlePost,
  removePost,
  editPost,
  postsByAuthor,
} = require("../controllers/post");

import {
  requireSignin,
  isAdmin,
  canCreateRead,
  canUpdateDeletePost,
  canDeleteMedia,
} from "../middlewares";

// APPLY canPost MIDDLEWARE (if role is admin or author)
router.post("/upload-image", requireSignin, isAdmin, uploadImage);
router.post(
  "/upload-image-file",
  formidable(),
  requireSignin,
  canCreateRead,
  uploadImageFile
);
router.post("/create-post", requireSignin, canCreateRead, createPost);
router.get("/posts", posts);
router.get("/media", requireSignin, canCreateRead, media);
router.delete("/media/:id", requireSignin, canDeleteMedia, removeMedia);
router.get("/post/:slug", singlePost);
router.put("/post/:postId", requireSignin, canUpdateDeletePost, editPost);
router.delete("/post/:postId", requireSignin, canUpdateDeletePost, removePost);
// author
router.get("/posts-by-author", requireSignin, postsByAuthor);

module.exports = router;